WebApp Sec mailing list archives
Re: Encrypted URL
From: "B. Johannessen" <bob () h db org>
Date: Fri, 30 Jan 2004 14:09:51 +0000
lupin wrote:
I've seen a couple of highly secure Web Applications that use encrypted URLs. Actually, they encrypt the parameter query string. Example URL: http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c6.... I think this is a great way to protect against parameter tampering attacks. Does anybody know more about this technique? Papers etc.? How to implement it? Google didn't help me a lot.
If all you're looking for is protection against query string/post data "tampering", just signing it should be enough. A really simple example in PHP (untested):

------------------------------------------------------------
<?php
// Server-side secret: never sent to the client.
$secret = 'known-only-to-your-server';
$value  = 'tamper-proof-value';
// Signature over the value, keyed with the secret on both sides.
$sign   = md5($secret . $value . $secret);
?>
<input type="hidden" name="value" value="<?=htmlspecialchars($value)?>">
<input type="hidden" name="sign" value="<?=htmlspecialchars($sign)?>">
------------------------------------------------------------

Then when you receive the data, just reverse the procedure:

------------------------------------------------------------
<?php
$secret = 'known-only-to-your-server';
$value  = isset($_REQUEST['value']) ? $_REQUEST['value'] : '';
$sign   = isset($_REQUEST['sign'])  ? $_REQUEST['sign']  : '';
// Recompute the signature and compare strictly (!==): PHP's loose !=
// treats two "0e..." hex digests as equal numbers.
if ($sign !== md5($secret . $value . $secret)) {
    echo 'forget it!';
    exit;
}
?>
------------------------------------------------------------

If I remember correctly, Sverre H. Huseby talks about techniques like these in "Innocent Code" (ISBN: 0470857447). I would highly recommend that book to anyone interested in webapp security.

Bob

--
-=[ B. Johannessen | bob () db org -=- http://db.org/ | +4797152009 ]=-
-=[ Mail & Spam - News, Drafts & Standards - http://db.org/blog/ ]=-
-=[ On the Origin Of Spam: Spam Statistics - http://db.org/spam/ ]=-
Current thread:
- Encrypted URL lupin (Jan 30)
- Re: Encrypted URL Jeff Williams @ Aspect (Jan 30)
- Re: Encrypted URL Thomas Chiverton (Jan 30)
- Re: Encrypted URL Adam Tuliper (Jan 30)
- Re: Encrypted URL Tim Greer (Jan 30)
- Re: Encrypted URL dreamwvr () dreamwvr com (Jan 30)
- RE: Encrypted URL Bryan Murphy (Jan 30)
- Re: Encrypted URL Lars Johannesen (Jan 30)
- Re: Encrypted URL B. Johannessen (Jan 30)
- Re: Encrypted URL Stephen de Vries (Jan 30)
- Re: Encrypted URL B. Johannessen (Jan 30)
- Re: Encrypted URL Michael Ströder (Feb 02)
- Re: Encrypted URL Kenneth Peiruza (Feb 02)
- Re: Encrypted URL dreamwvr () dreamwvr com (Feb 02)
- Re: Encrypted URL Stephen de Vries (Jan 30)
- Re: Encrypted URL Kenneth Peiruza (Jan 30)
- Re: Encrypted URL Ulf Härnhammar (Jan 30)
- Re: Encrypted URL Daniel Souza (Jan 30)
- Re: Encrypted URL David Wall @ Yozons, Inc. (Jan 31)
- RE: Encrypted URL Hephaestus (Jan 30)
- Re: Encrypted URL Daniel Souza (Jan 30)
(Thread continues...)