Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsWhite Papers
Discussion GroupsFirst AidDatabasesJavaBeansGUIJava 3DVirtual MachineCORBASecurityToolsGeneral
Java DirectoryOpen Source ProjectsSample Book ChaptersUser GroupsWeb Resources
Related Topics
Databases.NETMore Topics ...
Java Forum / General / November 2006

Tip: Looking for answers? Try searching our database.

Simple URL encoding technique?

Thread view: 
Enable EMail AlertsStart New Thread
David Segall - 12 Nov 2006 15:14 GMT
My JSP application asks users to visit a web site with a URL of the
form <www.example.com?column=100&row=200>. This makes it far too easy
for an intruder to derive a different column and row that may yield a
real location to which they should not have access. Is there an
existing method that can "obfuscate" (and de-obfuscate) the column and
row number. It is easy to concatenate the row and column numbers if
that is a desirable first step. I don't need a high level of security
because the there is nothing of real value at the destination; I just
want to foil a casual vandal.
Reply to this Message
Arne Vajhøj - 13 Nov 2006 03:46 GMT
> My JSP application asks users to visit a web site with a URL of the
> form <www.example.com?column=100&row=200>. This makes it far too easy
[quoted text clipped - 5 lines]
> because the there is nothing of real value at the destination; I just
> want to foil a casual vandal.

1)  you can left zero pad to 4 digits and concatanate 100 and 200
    to "01000200", which you can then 3DES or AES encrypt with a
    secret key and hexify - and dehexify and decrypt again

2)  but you should really implement security instead of obscurity -
    you should validate a users access to data when it is submitted

Arne
Reply to this Message
David Segall - 13 Nov 2006 16:02 GMT
>> My JSP application asks users to visit a web site with a URL of the
>> form <www.example.com?column=100&row=200>. This makes it far too easy
[quoted text clipped - 9 lines]
>     to "01000200", which you can then 3DES or AES encrypt with a
>     secret key and hexify - and dehexify and decrypt again
Thanks Arne. Hexify(column * 16384 + row) will do nicely. I don't
think I need the encryption. Is there a "standard" routine to convert
an integer to a hexadecimal string and back?

>2)  but you should really implement security instead of obscurity -
>     you should validate a users access to data when it is submitted
The application is comparable to "click on this link to confirm your
subscription". I don't want to inconvenience the user by requiring
extra information but I also want to minimise the possibility that one
user can derive valid parameters that belong to someone else.
Reply to this Message
Arne Vajhøj - 14 Nov 2006 01:24 GMT
>>> My JSP application asks users to visit a web site with a URL of the
>>> form <www.example.com?column=100&row=200>. This makes it far too easy
[quoted text clipped - 11 lines]
> think I need the encryption. Is there a "standard" routine to convert
> an integer to a hexadecimal string and back?

   int iv = 123;
   String sv2;
   sv2 = Integer.toHexString(iv);

and

   String sv = "7b";
   int iv2;
   iv2 = Integer.parseInt(sv, 16);

are two possibilities.

>> 2)  but you should really implement security instead of obscurity -
>>     you should validate a users access to data when it is submitted
> The application is comparable to "click on this link to confirm your
> subscription". I don't want to inconvenience the user by requiring
> extra information but I also want to minimise the possibility that one
> user can derive valid parameters that belong to someone else.

Your app => your choice.

Arne
Reply to this Message
Manish Pandit - 13 Nov 2006 03:51 GMT
One option is to use Post, where the parameters are not visible as a
part of the URL. But using post for "getting" information is not
generally recommended.

Another option (which makes more sense) is to use something like a GUID
to identify the column/row, or at lease one of the two. This maintains
the "use Get to get data" theory, as well as hides a good part of your
query.

-cheers,
Manish
Reply to this Message
Juha Laiho - 13 Nov 2006 17:02 GMT
David Segall <david@address.invalid> said:
>My JSP application asks users to visit a web site with a URL of the
>form <www.example.com?column=100&row=200>. This makes it far too easy
>for an intruder to derive a different column and row that may yield a
>real location to which they should not have access. Is there an
>existing method that can "obfuscate" (and de-obfuscate) the column and
>row number.

You could add a checksum of some kind, calculated from the public
data and a piece of private data (which is not exposed to the
end user). This would change your links to form resembling this:
http://www.example.com?column=100&row=200&auth=ffd5d4cba3bbf0f8c49e7e503984054c
... and there would be no practical way to generate the correct
"auth" for given row&column values.

The "auth" string could be f.ex. a MD5 hash of a string containing
the row and column numbers _and_ a secret key known only to your
server (something like 200 bytes of random data, or perhaps just
a passphrase -- whatever, as long as it is impossible to guess
by the end user). Upon receiving the request, you do the same
calculation as you did when generating the link, and if the "auth"
codes match, you allow the access - otherwise deny.

>It is easy to concatenate the row and column numbers if
>that is a desirable first step. I don't need a high level of security
>because the there is nothing of real value at the destination; I just
>want to foil a casual vandal.

The above is not hard to implement, and it's far more than just
foiling the occasional vandal. As for ssecurity of MD5, it should
be completely adequate for this use -- the faults found in it
are for other purposes for MD5 (it apparently is possible to
easily create two separate documents having the same MD5 checksum,
which was thought to be impossible -- but this weakness doesn't
foil the use described above). And if something happens to render
MD5 truly unusable in every respect, you can always switch into
another hashing algorithm.
Signature

Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
        PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

Reply to this Message
Daniel Pitts - 13 Nov 2006 19:03 GMT
> My JSP application asks users to visit a web site with a URL of the
> form <www.example.com?column=100&row=200>. This makes it far too easy
[quoted text clipped - 5 lines]
> because the there is nothing of real value at the destination; I just
> want to foil a casual vandal.

example.com/?id={37*(column + row * numberOfcolumns)}

column = (id / 37) % numberOfColumns
row = id / 37 / numberOfColumns

where 37 is any number, although, a prime number is best.
Reply to this Message


Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.