WebApp Sec mailing list archives

Re: URL Decryption


From: "Matt Fisher" <mattfisher () comcast net>
Date: Sat, 19 Jun 2004 13:29:06 -0400

AFAIK, both .NET and 3.0 provide html and urlencode capabilities, but just
because it's done in an .asp or .aspx doesn't mean it has to be done using
the ASP 3.0 or .NET object model; it's trivial to find / buy a COM object
that provides hashing and encryption capabilities, and use its capabilities
within your page.

Don't rule out someone "trying their hand" at their own encryption (or at
least, obfuscation) either.



----- Original Message ----- 
From: "Shyam Manohar" <apptester2004 () yahoo com>
To: <webappsec () securityfocus com>
Sent: Friday, June 18, 2004 7:03 AM
Subject: URL Decryption




Hi List,
I would like to know if there is any functionality provided by ASP to
decrypt a URL within the web application?
Looks like the application itself is using some API to encrypt the URL
since there isn't any client side code that encrypts the URL.
In the HTML that is rendered, I have encountered something like this
<div id="accmenu" style="display: none; height: 15;">
<table style="font-weight: bold" border=0>
 <tr>
   <td width='0'></td>
   <td class='down'>
    <a

href='http://IPAddress:80/SRVR?&PARAM1=004Z45A4QR9j3/GgN8cnOoUifsLIrs4T8jy8/
vKAkY/iO14s/EBVb35m//7NnKSt1zfBjuDJ4XT4C&IWP2=005Z137A4QR/j3PXt00wpzsM1m3RCU
uXVVP8gRPDZF51ti1yhPQmV7taN5EXDpp74V6SAQamCzk9oWXsE20sAOrI/e0jcULXTneYtlpzad
QGyzCOHIchapRl87eAqyz0+QW0dgDbKbtBs/Fm2y5PmFGYWp6WxnOudV1O0PMQVM&U1=004Z1066
np3gzhNtT0dfI4P2vMUZNwmHQIEyLoAPslfwoM4cWnEock5k//sNc/ZsvzqEdvCZ/nX5/yJtwhEX
IJTeYC+fql+JN89bIrhr5hbHiUMA0ZIlRu/9ebZnl/f/LZJiRjnN0L'
    target="vkgbody" >MenuItemName</a>
   </td>

Thanks
Shyam

