WebApp Sec mailing list archives
Re: Encrypted URL
From: "David Wall @ Yozons, Inc." <dwall () yozons com>
Date: Fri, 30 Jan 2004 17:28:36 -0800
> other handlers like mod_php, and vice-versa. I thought that this is anyway a good way to prevent a lot of webapp parameter attacks, but the better protection is still to use good programming practices. =]
I've not been following this thread closely, but that last comment is critical in my opinion.

Parameters in URLs typically shouldn't contain sensitive information (if they need to, then encrypting the params is required), and checking the validity of all URL requests is critical. After all, it's possible your own program is creating invalid parameter values from time to time, so being encrypted shouldn't be mistaken to mean it's valid (you can encrypt a virus, for example, and the virus is still a problem once it's decrypted again). So it makes more sense to program defensively WHENEVER it comes to receiving data from an external source. The largest security hole in all applications is their failure to check parameters as they enter an application's domain.

So, encrypting to keep sensitive information from prying eyes is wise, but it shouldn't be used to imply that the data within is valid. For one thing, applications do change over time, so a valid URL one day may not be valid after an upgrade.

David
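As an added illustration of the point above (example code, not from the post or the list), the handler below decrypts an encrypted URL parameter token and then still validates the decrypted values against the application's current rules; the key, the parameter names and the function names Seal, Open, Validate and Handle are all constructed for the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net/url"
	"strconv"
)
var key = []byte("0123456789abcdef0123456789abcdef") // constructed demo key; real code loads it from a secret store
func aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Seal encrypts a query string such as "id=42&action=view" into a URL-safe token.
func Seal(params string) (string, error) {
	gcm, err := aead()
	if err != nil { return "", err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(params), nil)), nil
}
// Open decrypts a token. Failure means tampering or a token we never minted; success proves origin only.
func Open(token string) (string, error) {
	ct, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil { return "", err }
	gcm, err := aead()
	if err != nil { return "", err }
	if len(ct) < gcm.NonceSize() { return "", errors.New("token too short") }
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	return string(pt), err
}
// Validate applies today's rules, so a value the app itself minted before an upgrade (say action=delete) is rejected now.
func Validate(params string) (int, string, error) {
	q, err := url.ParseQuery(params)
	if err != nil { return 0, "", err }
	id, err := strconv.Atoi(q.Get("id"))
	if err != nil || id <= 0 { return 0, "", errors.New("id must be a positive integer") }
	action := q.Get("action")
	if action != "view" && action != "edit" { return 0, "", errors.New("unknown action: " + action) }
	return id, action, nil
}
// Handle is the request path: decrypt, then validate; neither step replaces the other.
func Handle(token string) (int, string, error) {
	pt, err := Open(token)
	if err != nil { return 0, "", err }
	return Validate(pt)
}
```

A token the application sealed itself with action=delete decrypts fine but fails Validate, which is exactly the "valid one day, invalid after an upgrade" case.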