WebApp Sec mailing list archives

Re: Encrypted URL


From: "Daniel Souza" <daniel () cidadedodireito com br>
Date: Fri, 30 Jan 2004 17:39:36 -0200

Another way to implement this could be as an Apache module that can
transparently decrypt the data passed by HTTP sessions to the
other handlers like mod_php, and vice versa. I thought that this is anyway a
good way to prevent a lot of webapp parameter attacks,
but the better protection is still to use good programming practices. =]

----- Original Message ----- 
From: "Ulf Härnhammar" <Ulf.Harnhammar.9485 () student uu se>
To: "lupin" <lupin9809 () hotmail com>
Cc: <webappsec () securityfocus com>
Sent: Friday, January 30, 2004 12:09 PM
Subject: Re: Encrypted URL


Quoting lupin <lupin9809 () hotmail com>:

I've seen a couple of highly secure Web Applications that use encrypted URLs.

http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c67006a/appl?Toto=796f62796c62796e6c62796b621730323a08362b37083a333c30323a0f38796662113e29791c54683b3a312b796e6d620f2d3a1e3c3c302a312b133e2c2b1d3030343631382c1e3c2b796862123e3631113e29e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c791930333b3a2d173e2a4e3033302d62123e3631113e2936383e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c
What is your point of view? Do you think it will help to prevent all the
parameter attacks (XSS, SQL inj., etc.)?

It might prevent a few things, but it certainly won't prevent all parameter
attacks.

In many systems, users submit data to the web application. To do this, we
must either (a) send it as unencrypted data, (b) use a well-known encryption
system such as HTTPS, or (c) invent our own encryption system, which must then
be transmitted to the user (as JavaScript or similar code) in order to use it.
In all three cases, the user is fully aware of all the method's details, and
can write clients that will send in arbitrary malicious data to the web
application, using the method.

-- 
Ulf Härnhammar
 student, Uppsala universitet
 redaktör, idiosynkratisk (
http://labben.abm.uu.se/~ulha9485/idiosynkratisk/ )



