WebApp Sec mailing list archives
RE: Encrypted URL
From: "Bryan Murphy" <murphy () sigilstudios com>
Date: Fri, 30 Jan 2004 09:02:59 -0500
It all depends on the language you are writing in. ColdFusion provides this functionality in the encrypt() and decrypt() functions. If the language you code in doesn't have it built in, I'm sure you could find (or make) your own User Defined Functions that give the same end result. It's best to store the key/salt in a session (server side) variable of some sort.

Hope this helps.

-----Original Message-----
From: lupin [mailto:lupin9809 () hotmail com]
Sent: Friday, January 30, 2004 5:29 AM
To: webappsec () securityfocus com
Subject: Encrypted URL

I've seen a couple of highly secure Web Applications that use encrypted URLs. Actually they encrypt the parameter query string.

Example URL:
http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c67006a/appl?Toto=796f62796c62796e6c62796b621730323a08362b37083a333c30323a0f38796662113e29791c54683b3a312b796e6d620f2d3a1e3c3c302a312b133e2c2b1d3030343631382c1e3c2b796862123e3631113e29e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c791930333b3a2d173e2a4e3033302d62123e3631113e2936383e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c

I think this is a great way to protect against parameter tampering attacks. Does anybody know more about this technique? Papers etc.? How to implement it? Google didn't help me a lot. What is your point of view? Do you think it will help to prevent all the parameter attacks (XSS, SQL inj. etc...)?

Thanks a lot for your response in advance.
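As an added illustration (not code from either poster), the sketch below shows tamper detection for a query string using a key held only in server-side session state, as the reply suggests. It uses an HMAC-SHA256 tag rather than encryption, so the parameters stay readable; the `SESSIONS` store, the `sig` parameter name and the sample parameters are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

# Hypothetical server-side session store: session id -> per-session secret key.
# The key never leaves the server; the client only ever sees the tag.
SESSIONS = {}


def new_session():
    """Create a session with a fresh random 256-bit key and return its id."""
    sid = secrets.token_hex(8)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid


def protect_query(sid, params):
    """Build a query string and append an HMAC-SHA256 tag over it."""
    query = urlencode(sorted(params.items()))  # canonical parameter order
    tag = hmac.new(SESSIONS[sid], query.encode(), hashlib.sha256).hexdigest()
    return f"{query}&sig={tag}"


def verify_query(sid, query_string):
    """Return the parameters as a dict, or None if the tag does not verify."""
    key = SESSIONS.get(sid)
    query, sep, tag = query_string.rpartition("&sig=")
    if key is None or not sep:
        return None  # unknown session or missing tag
    expected = hmac.new(key, query.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return dict(parse_qsl(query))


if __name__ == "__main__":
    sid = new_session()
    # Constructed sample parameters.
    link = protect_query(sid, {"account": "1001", "action": "view"})
    print("issued:  ", link)
    print("intact:  ", verify_query(sid, link))
    print("altered: ", verify_query(sid, link.replace("1001", "1002")))
    print("replayed in another session:", verify_query(new_session(), link))
```

A tag that verifies only shows that the server issued those exact parameter values for that session; the values still need the same server-side validation and output encoding as any other input.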