WebApp Sec mailing list archives
Re: Encrypted URL
From: "Daniel Souza" <daniel () cidadedodireito com br>
Date: Fri, 30 Jan 2004 17:39:36 -0200
Another way to implement this can be as an Apache module that can transparently decrypt the data passed by HTTP sessions to the other handlers like mod_php, and vice versa. I thought that this is anyway a good way to prevent a lot of webapp parameter attacks, but the better protection is still to use good programming practices. =]

----- Original Message -----
From: "Ulf Härnhammar" <Ulf.Harnhammar.9485 () student uu se>
To: "lupin" <lupin9809 () hotmail com>
Cc: <webappsec () securityfocus com>
Sent: Friday, January 30, 2004 12:09 PM
Subject: Re: Encrypted URL

Quoting lupin <lupin9809 () hotmail com>:
I've seen a couple of highly secure Web Applications that use encrypted URLs.
http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c67006a/appl?Toto=796f62796c62796e6c62796b621730323a08362b37083a333c30323a0f38796662113e29791c54683b3a312b796e6d620f2d3a1e3c3c302a312b133e2c2b1d3030343631382c1e3c2b796862123e3631113e29e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c791930333b3a2d173e2a4e3033302d62123e3631113e2936383e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c
What is your point of view? Do you think it will help to prevent all the parameter attacks (XSS, SQL inj. etc...)?
It might prevent a few things, but it certainly won't prevent all parameter attacks. In many systems, users submit data to the web application. To do this, we must either (a) send it as unencrypted data, (b) use a well-known encryption system such as HTTPS, or (c) invent our own encryption system, which must then be transmitted to the user (as JavaScript or similar code) in order to use it. In all three cases, the user is fully aware of all the method's details, and can write clients that will send in arbitrary malicious data to the web application, using the method.

--
Ulf Härnhammar
student, Uppsala universitet
redaktör, idiosynkratisk ( http://labben.abm.uu.se/~ulha9485/idiosynkratisk/ )
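To make the point in this exchange concrete, here is an added example (not code from anyone in the thread) of an opaque, integrity-protected parameter token of the kind lupin describes. It assumes a constructed demo key, a JSON body with an HMAC-SHA256 tag as the encoding (the thread names no particular cipher), and a hypothetical two-field schema. A token minted by the server and then edited without the key is caught, which is the "few things" such a scheme does prevent; a client that holds the scheme and key, Ulf's case (c), can still mint a valid token carrying hostile content, so the handler has to validate the decoded parameters regardless.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed demo key (hypothetical); a real deployment would load it from a secret store.
KEY = b"demo-key-not-a-real-secret"
TAG_LEN = 32  # SHA-256 output length, prepended to the body

def seal_params(params, key=KEY):
    """Server side: pack a parameter dict into one opaque, integrity-protected token.
    The encoding hides nothing from a client that has read the scheme; what the MAC
    buys is that only a holder of the key can mint or alter a valid token."""
    body = json.dumps(params, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body).decode()

def open_params(token, key=KEY):
    """Server side: check the MAC and recover the parameters; None if tampered or malformed."""
    try:
        raw = base64.urlsafe_b64decode(token)
        tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
            return None
        params = json.loads(body)
    except (ValueError, TypeError):  # bad base64 / padding, bad JSON, bad encoding
        return None
    return params if isinstance(params, dict) else None

# Allow-list per parameter (hypothetical schema): this step, not the opaque encoding,
# is what keeps script tags or SQL metacharacters away from the handler.
SCHEMA = {
    "account": re.compile(r"[0-9]{1,10}"),
    "name": re.compile(r"[A-Za-z ]{1,40}"),
}

def validate(params):
    return set(params) == set(SCHEMA) and all(
        isinstance(v, str) and SCHEMA[k].fullmatch(v) for k, v in params.items()
    )

def handle_request(token):
    params = open_params(token)
    if params is None:
        return "reject: token tampered or malformed"
    if not validate(params):
        return "reject: parameter failed validation"
    return "ok: account=%s name=%s" % (params["account"], params["name"])

def tamper(token, old, new):
    """Edit a token's plaintext body without the key; the stale MAC no longer matches."""
    raw = base64.urlsafe_b64decode(token)
    return base64.urlsafe_b64encode(raw[:TAG_LEN] + raw[TAG_LEN:].replace(old, new)).decode()
```

Pass `seal_params({"account": "42", "name": "Alice"})` through `handle_request` for the accepted case, `tamper(token, b'"42"', b'"43"')` for the rejected edit, and a token sealed with a script tag in `name` to see the MAC pass but validation refuse it.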