WebApp Sec mailing list archives
RE: Protecting posted variables
From: "Damhuis Anton" <DamhuisA () aforbes co za>
Date: Fri, 21 Jul 2006 08:04:45 +0200
Hi Billy On web sites where I have worked on before I encrypt the variables sent to the browser on the Server. The variables can be salted with the Session or User ID. This would mean, that the values can not be used between sessions and other users. What I did was used RC4 Like encryption (with a checksum). The checksum was important to verify that the unencrypted value is correct. This is necessary for sequential numbers (when using Primary Keys in most DB's). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Example: Value Encrypted Value (No checksum) 100 AA 300 A6 400 AJ Example: Value Encrypted Value (With checksum) 100 AA1 301 A64 402 AJ6 The example above adds up all the numbers as a checksum 301 is 3 + 0 + 1 = 4 Thus when AA is unencrypted back to 100 it can be verified by the checksum of 1. Using easy checksum for explanation. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If the user/attacker modifies the encrypted value from A6 to A4 it might be decoded to 146 (or any other sequential value). By adding the checksum, of the unencrypted value, you would verify the correctness of the value. Now as each value is decrypted, and one of these values do not verify correctly, it means someone tampered with it. And thus one can log this to a log somewhere. If you use Java script on the Client Side, it does take a bit to get used to not using plain numbers, but rather the encrypted values. The problem with Hashing the numbers together on the Client Side, is that the Code (if in Java Script) could still be modified by the attacker, and sent back. Regards Anton -----Original Message----- From: billy.sailing () gmail com [mailto:billy.sailing () gmail com] Sent: 07/21/2006 07:31 To: webappsec () securityfocus com Subject: Protecting posted variables Hey all, A 'fixing the problem question'... Outside of encrypting in SSL, how can variables being posted from the browser back to the server be protected from prying eyes? Confidentiality Warning ======================= The contents of this e-mail and any accompanying documentation are confidential and any use thereof, in what ever form, by anyone other than the addressee is strictly prohibited. ------------------------------------------------------------------------- Sponsored by: Watchfire AppScan 6.5 is now available! New features for Web Services Testing, Advanced Automated Capabilities for Penetration Testers, PCI Compliance Reporting, Token Analysis, Authentication testing, Automated JavaScript execution and much more. Download a Free Trial of AppScan today! https://www.watchfire.com/securearea/appscancamp.aspx?id=70150000000CYkc -------------------------------------------------------------------------
Current thread:
- Protecting posted variables billy . sailing (Jul 20)
- Re: Protecting posted variables Serg B. (Jul 21)
- RE: Protecting posted variables Andrew Chong (Jul 21)
- Re: Protecting posted variables mikeiscool (Jul 21)
- Re: Protecting posted variables Rogan Dawes (Jul 21)
- RE: Protecting posted variables Debasis Mohanty (Jul 21)
- Re: Protecting posted variables Meder Kydyraliev (Jul 21)
- Re: Protecting posted variables Brian Rectanus (Jul 21)
- <Possible follow-ups>
- RE: Protecting posted variables Damhuis Anton (Jul 21)