Hi Billy
On web sites where I have worked on before I encrypt the variables sent
to the browser on the Server. The variables can be salted with the
Session or User ID. This would mean, that the values can not be used
between sessions and other users.
What I did was used RC4 Like encryption (with a checksum). The checksum
was important to verify that the unencrypted value is correct. This is
necessary for sequential numbers (when using Primary Keys in most DB's).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Example:
Value Encrypted Value (No checksum)
100 AA
300 A6
400 AJ
Example:
Value Encrypted Value (With checksum)
100 AA1
301 A64
402 AJ6
The example above adds up all the numbers as a checksum
301 is 3 + 0 + 1 = 4
Thus when AA is unencrypted back to 100 it can be verified by the
checksum of 1.
Using easy checksum for explanation.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If the user/attacker modifies the encrypted value from A6 to A4 it might
be decoded to 146 (or any other sequential value). By adding the
checksum, of the unencrypted value, you would verify the correctness of
the value.
Now as each value is decrypted, and one of these values do not verify
correctly, it means someone tampered with it. And thus one can log this
to a log somewhere. If you use Java script on the Client Side, it does
take a bit to get used to not using plain numbers, but rather the
encrypted values.
The problem with Hashing the numbers together on the Client Side, is
that the Code (if in Java Script) could still be modified by the
attacker, and sent back.
Regards
Anton
-----Original Message-----
From: billy.sailing@gmail.com [mailto:billy.sailing@gmail.com]
Sent: 07/21/2006 07:31
To: webappsec@securityfocus.com
Subject: Protecting posted variables
Hey all,
A 'fixing the problem question'...
Outside of encrypting in SSL, how can variables being posted from the
browser back to the server be protected from prying eyes?
Confidentiality Warning
=======================
The contents of this e-mail and any accompanying documentation
are confidential and any use thereof, in what ever form, by anyone
other than the addressee is strictly prohibited.
-------------------------------------------------------------------------
Sponsored by: Watchfire
AppScan 6.5 is now available! New features for Web Services Testing,
Advanced Automated Capabilities for Penetration Testers, PCI Compliance
Reporting, Token Analysis, Authentication testing, Automated JavaScript
execution and much more.
Download a Free Trial of AppScan today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=70150000000CYkc
-------------------------------------------------------------------------
