WebApp Sec mailing list archives
Re: Encrypted URL
From: Kenneth Peiruza <kenneth () security gft com>
Date: Mon, 02 Feb 2004 09:40:37 +0000
MD5 is a Hash-Resume algorithm, not a Cipher, so you can compare two codings IOT see if the result is the same, but there's no way to reverse it. So this shouldn't be usable unless you store a relation table between "$value" and its MD5 hash on the server.

Regards

On Fri, 2004-01-30 at 14:09, B. Johannessen wrote:
> lupin wrote:
> > I've seen a couple of highly secure Web Applications that use encrypted URLs. Actually they encrypt the parameter query string. Example URL: http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c6.... I think this is a great way to protect against parameter tampering attacks. Does anybody know more about this technique? Papers etc..? How to implement it? Google didn't help me a lot.
>
> If all you're looking for is protection against query string/post data "tampering", just signing it should be enough. A really simple example in PHP (untested):
>
> ------------------------------------------------------------
> <?php
> // Secret that never leaves the server; the client only sees the hash.
> $secret = 'known-only-to-your-server';
> $value  = 'tamper-proof-value';
> // Signature covers the value together with the secret on both sides.
> $sign   = md5($secret . $value . $secret);
> ?>
> <input type="hidden" name="value" value="<?=htmlspecialchars($value)?>">
> <input type="hidden" name="sign" value="<?=$sign?>">
> ------------------------------------------------------------
>
> Then when you receive the data, just reverse the procedure:
>
> ------------------------------------------------------------
> <?php
> $secret = 'known-only-to-your-server';
> $value  = $_REQUEST['value'];
> $sign   = $_REQUEST['sign'];
> // Recompute the signature server-side; a changed value no longer matches.
> if ($sign !== md5($secret . $value . $secret)) {
>     echo 'forget it!';
>     exit;
> }
> ?>
> ------------------------------------------------------------
>
> If I remember correctly, Sverre H. Huseby talks about techniques like these in "Innocent Code" (ISBN: 0470857447). I would highly recommend that book to anyone interested in webapp security.
>
> Bob
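A worked version of the signing scheme B. Johannessen sketches, added here as an example and not part of the thread. It is Python rather than PHP, swaps md5($secret . $value . $secret) for HMAC-SHA256 with a constant-time comparison, and signs the whole query string so values cannot be swapped between parameters; the secret and parameter values are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed sample secret; in a real deployment it is loaded from server-side config.
SECRET = b"known-only-to-your-server"


def canonical(params: dict) -> str:
    """Sort keys so the same parameters always produce the same string to sign."""
    return urlencode(sorted(params.items()))


def sign_query(params: dict, secret: bytes = SECRET) -> str:
    """Return the query string with a 'sign' field covering every other field."""
    if "sign" in params:
        raise ValueError("'sign' is reserved for the signature")
    body = canonical(params)
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return body + "&sign=" + mac


def verify_query(query: str, secret: bytes = SECRET):
    """Return the parameters if the signature checks out, otherwise None."""
    pairs = parse_qsl(query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == "sign"]
    if len(sigs) != 1:  # missing or duplicated signature field
        return None
    params = {k: v for k, v in pairs if k != "sign"}
    if len(params) != len(pairs) - 1:  # a repeated key would be ambiguous
        return None
    expected = hmac.new(secret, canonical(params).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sigs[0]):  # constant-time comparison
        return None
    return params


if __name__ == "__main__":
    signed = sign_query({"item": "1234", "price": "10.00"})
    print(signed)
    print("valid:", verify_query(signed))
    # Editing a parameter in the URL invalidates the signature.
    print("tampered:", verify_query(signed.replace("price=10.00", "price=1.00")))
```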
Current thread:
- Re: Encrypted URL, (continued)
- Re: Encrypted URL Thomas Chiverton (Jan 30)
- Re: Encrypted URL Adam Tuliper (Jan 30)
- Re: Encrypted URL Tim Greer (Jan 30)
- Re: Encrypted URL dreamwvr () dreamwvr com (Jan 30)
- RE: Encrypted URL Bryan Murphy (Jan 30)
- Re: Encrypted URL Lars Johannesen (Jan 30)
- Re: Encrypted URL B. Johannessen (Jan 30)
- Re: Encrypted URL Stephen de Vries (Jan 30)
- Re: Encrypted URL B. Johannessen (Jan 30)
- Re: Encrypted URL Michael Ströder (Feb 02)
- Re: Encrypted URL Kenneth Peiruza (Feb 02)
- Re: Encrypted URL dreamwvr () dreamwvr com (Feb 02)
- Re: Encrypted URL Stephen de Vries (Jan 30)
- Re: Encrypted URL Kenneth Peiruza (Jan 30)
- Re: Encrypted URL Ulf Härnhammar (Jan 30)
- Re: Encrypted URL Daniel Souza (Jan 30)
- Re: Encrypted URL David Wall @ Yozons, Inc. (Jan 31)
- RE: Encrypted URL Hephaestus (Jan 30)
- Re: Encrypted URL Daniel Souza (Jan 30)
- Re: Encrypted URL Fogbound Child (Jan 30)
- RE: Encrypted URL scott wood (Jan 30)
- Re: Encrypted URL Mark Curphey (Jan 30)
- Re: Encrypted URL gcb33 (Jan 31)
(Thread continues...)