WebApp Sec mailing list archives

RE: Encrypted URL


From: "Bryan Murphy" <murphy () sigilstudios com>
Date: Fri, 30 Jan 2004 09:02:59 -0500

It all depends on the language you are writing in.  ColdFusion provides
this functionality in the encrypt() and decrypt() functions.  

If the language you code in doesn't have it built in I'm sure you could
find (or make) your own User Defined Functions that give the same end
result.

It's best to store the key/salt in a session (server side) variable of
some sort.

Hope this helps.

-----Original Message-----
From: lupin [mailto:lupin9809 () hotmail com] 
Sent: Friday, January 30, 2004 5:29 AM
To: webappsec () securityfocus com
Subject: Encrypted URL



I've seen a couple of highly secure Web Applications that use encrypted URLs.



Actually they encrypt the parameter query string.



Example URL:



http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c67006a/app
l?Toto=796f62796c62796e6c62796b621730323a08362b37083a333c30323a0f3879666
2113e29791c54683b3a312b796e6d620f2d3a1e3c3c302a312b133e2c2b1d30303436313
82c1e3c2b796862123e3631113e29e2b363031001e3c3c302a312b123a312a001e3c3c30
2a312b133e2c2b1d3030343631382c791930333b3a2d173e2a4e3033302d62123e363111
3e2936383e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030
343631382c



I think this is a great way to protect against parameter tampering
attacks.



Does anybody know more about this technique? Papers, etc.? How to
implement it? Google didn't help me a lot.



What is your point of view? Do you think it will help to prevent all the
parameter attacks (XSS, SQL inj., etc.)?



Thanks a lot for your response in advance.
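
A sketch of the approach discussed in this thread, added here as an example and not code from either poster: the query string is sealed with AES-256-GCM under a key kept in a server-side session store, so a token that was altered or issued for another session is rejected. It assumes Node.js and its built-in `crypto` module; `sessionKeys`, `newSession`, `sealParams` and `openParams` are hypothetical names.

```javascript
const crypto = require('crypto');

// Hypothetical server-side session store: session id -> 32-byte key.
// The key never leaves the server; only the sealed token goes in the URL.
const sessionKeys = new Map();

function newSession(sessionId) {
  sessionKeys.set(sessionId, crypto.randomBytes(32));
}

// Encrypt and authenticate the parameters; returns a URL-safe token.
function sealParams(sessionId, params) {
  const key = sessionKeys.get(sessionId);
  if (!key) throw new Error('unknown session');
  const iv = crypto.randomBytes(12); // fresh nonce for every token
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(sessionId)); // bind the token to this session
  const plaintext = new URLSearchParams(params).toString();
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Token layout: 12-byte IV | 16-byte auth tag | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Returns the parameters as an object, or null if the token was altered,
// truncated, or sealed under a different session's key.
function openParams(sessionId, token) {
  const key = sessionKeys.get(sessionId);
  if (!key || typeof token !== 'string') return null;
  const raw = Buffer.from(token, 'base64url');
  if (raw.length < 28) return null; // too short to hold IV and tag
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(sessionId));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return Object.fromEntries(new URLSearchParams(pt.toString('utf8')));
  } catch {
    return null; // authentication tag did not verify
  }
}
```

A `null` result means the request should be refused; a successful result only shows that the server issued those parameters for this session.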





