As I already wrote in my last blog posting named “Secure Data Transfer over HTTP without SSL” I’d like to show you how we can protect our web applications a little bit more then we already but for this time it’s not about filtering, it’s about cryptography and I think this is only the beginning of “crypto-defense” in the field of web application security.
My idea for this time was, to prevent attacks like XSS, directory traversal or SQL-Injection or better to say weak input validation attacks at all. Of course I didn’t find a way how to prevent all of this attacks but some of them which’s at least a step in the right direction.
Think about a navigation on a website where the first link points to /index.php?site=1, the second to /index.php?site=2 and so on. There an attacker can try for example:
/index.php?site=”><script>alert(document.cookie);</script>
/index.php?site=1 or 1=1
/index.php?site=../../../../../../../etc/passwd
All of the URL listed above are potentially dangerous and we shouldn’t allow such stuff. The normal approach we all know is now to filter the values we get on the server side but then still attacks like authentication bypassing could be possible if we just try integer 1-100 for the variable called “site” and that’s why I think my approach which’s based on cryptography would be interesting, so here it is.
First you can have a look at my small POC of the idea:
POC / Source
What we do here is very simple, we just have a function for en-/decryption on the server side where we use a secret identification phrase and the name of the site we want to link for encryption and when we decrypt this value again, we just strip this identification phrase and so the client will never see where a link points to. For now we have security by obscurity? No we haven’t, just have a look at the following examples:
Modified value at beginning of the value (d -> e)
Here we modified the encrypted value and because if we decrypt, the identification phrase wouldn’t be the same as before, we know that the value was modified and this is also the protection mechanism against the described attacks above.
Hope you get the point of the idea 
PS: As you might know, I’m not a crypto guy at all and so you’ll see that it’s possible to modify the value of my POC at the end and then you wouldn’t get an error. I’ve already sent a description of this problem to a guy I know who’s a real crypto brain and as soon as I’ve got a better method for the encryption, I’ll post it here again of course. Anyway, the method works and so we just have to find a better encryption algorithm.
4 Comments to “Protect your Web Applications through Encryption”
- 1 Pingback on Jun 2nd, 2007 at 5:40 pm
Nice article! Since you’re talking about Encryption in URLs, I thought I wanted to make you aware that we believe just the same at Visonys AG: URL Encryption is going to be a standard in the future for secure web applications.
My intention here is to give you a pointer to visonysAirlock, which uses advanced URL encryption and encryption based form protection.
Hello Sven
That idea has already been implemented in several Web Application Firewalls, i.e. firewalls designed to protect everything transferred through HTTP/HTTPS. For instance, USP Secure Entry Server allows URL and/or parameter and/or value encryption. You might already have seen such “encrypted” URLs. One problem is the lifetime of the keys (the secret identification phrase as you named them) used to encrypt URL, parameters and values: From a crypto perspective they should be short lived and user/session specific but then you run into problems with bookmarks that are used after the key has expired.
Just as I’ve already mentioned in this posting, encryption’s a good thing but only for protect confidentiality and NOT integrity. As you hopefully have seen, I already wrote in this posting what the problems are with integrity checking through encryption. This can’t work because you have stream- and block-cypher algorithms and both of them can’t do that for us so this is why I’ve worked again on this and wrote my last posting “Crypto Defense for Web Applications – Today, the HMAC” where this is fixed and of course as I already wrote in my comment there you can afterwards also encrypt it if you’d like to do that