WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Protecting posted variables

From: "Damhuis Anton" <DamhuisA () aforbes co za>
Date: Fri, 21 Jul 2006 08:04:45 +0200

Hi Billy

On web sites where I have worked on before I encrypt the variables sent
to the browser on the Server. The variables can be salted with the
Session or User ID. This would mean, that the values can not be used
between sessions and other users.

What I did was used RC4 Like encryption (with a checksum). The checksum
was important to verify that the unencrypted value is correct. This is
necessary for sequential numbers (when using Primary Keys in most DB's).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Example:
   Value        Encrypted Value (No checksum)
    100      AA
    300      A6
    400      AJ

Example:
   Value        Encrypted Value (With checksum)
    100      AA1
    301      A64
    402      AJ6

The example above adds up all the numbers as a checksum
        301 is 3 + 0 + 1 = 4

Thus when AA is unencrypted back to 100 it can be verified by the
checksum of 1.
Using easy checksum for explanation.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If the user/attacker modifies the encrypted value from A6 to A4 it might
be decoded to 146 (or any other sequential value). By adding the
checksum, of the unencrypted value, you would verify the correctness of
the value.
Now as each value is decrypted, and one of these values do not verify
correctly, it means someone tampered with it. And thus one can log this
to a log somewhere. If you use Java script on the Client Side, it does
take a bit to get used to not using plain numbers, but rather the
encrypted values.

The problem with Hashing the numbers together on the Client Side, is
that the Code (if in Java Script) could still be modified by the
attacker, and sent back.

Regards
  Anton



-----Original Message-----
From: billy.sailing () gmail com [mailto:billy.sailing () gmail com]
Sent: 07/21/2006 07:31
To: webappsec () securityfocus com
Subject: Protecting posted variables

Hey all,



A 'fixing the problem question'...



Outside of encrypting in SSL, how can variables being posted from the
browser back to the server be protected from prying eyes?


Confidentiality Warning
=======================
The contents of this e-mail and any accompanying documentation
are confidential and any use thereof, in what ever form, by anyone
other than the addressee is strictly prohibited.

-------------------------------------------------------------------------
Sponsored by: Watchfire

AppScan 6.5 is now available! New features for Web Services Testing,
Advanced Automated Capabilities for Penetration Testers, PCI Compliance
Reporting, Token Analysis, Authentication testing, Automated JavaScript
execution and much more.
Download a Free Trial of AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=70150000000CYkc
-------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: