|
Hi,
We are trying to do the URL encryption on all pages in our web application to prevent user modifying query string to do parameter tampering attacks. If we are building all URLs on the server side we certainly do not have any problems.
But our application has many needs to build the URL dynamically on client side in JavaScript. So the problem we are facing is how to encrypt URL build in the JavaScript since anything you do in the JavaScript is no secret.
Anybody has a solution to this problem? Thanks!
Sindy
-- modified at 14:20 Thursday 8th February, 2007
|
|
|
|
|
Why not use SSL, TLS etc?
The only content that the server cannot encrypt are the ones that are in the control of the browser or entered by the user. If the user puts in enough effort, he can modify it, if the encryption is done at the client. Why? because he has the algorithm code, the key and the data. He just needs to modify the data and send it.
I am guessing that you are doing some validation in Javascript on the client, and don't want to duplicate the effort on the server. If this is the case, it is a bad idea to start with. All user entered data that comes into your web application MUST be sanitized on the server. The javascript part can be retained to reduce round trips everytime there is an error.
Thomas
modified 29-Aug-18 21:01pm.
|
|
|
|
|
http://home.versatel.nl/MAvanEverdingen/Code/
This site has javascript code to encrypt using a few algorithms. An idea would be to send a different key from the server with every session. But, the key can be extracted easily at the client side, and used to submit modified URLs in the same session.
Thomas
modified 29-Aug-18 21:01pm.
|
|
|
|
|
I agree this is a bit of a bad design, but if it must be done get on the Ajax bandwagon! Create a server-side method to be called via Ajax that will take some information and encrypt it into a URL, that way none of the encryption logic is on the client. Having said that, if the information needed to create the URL is sensitive this will expose it in the Ajax request, so not such a great idea.
|
|
|
|
|
Why not just validate user input?
Brad
Australian
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
Thanks guys for all the responses!
Now I think about this, it seems the only way to solve this parameter tampering attack problem is to validate all user input.
Using SSL won't help to prevent parameter tampering because in this case the attacker is not someone who tries to intercept the data between end user and the server. The attacker is a valid user who just tries to gain access to certain data he does not have right to.
Using URL signing/encryption can work only if ALL the URLs can be built in the server side when the page is rendered.
Anything done in JavaScript including JavaScript encryption, hashing or Ajax + WebService call as Badgrs suggested can be accessed and used by the attacker. A simple test would be putting "javascript:SomePageJavaScript(some_param…)" in the browser's address bar you can see user can run any functions that the current page has access to.
Sindy
|
|
|
|
|
I am a newbie, so excuse my lack of knowledge. Long ago, a couple years I wrote a very basic web page to hit a local server. When I try to open the project, located on the server I get an error
"Unable to open Web Project "XXX". The file path "w:\inetpub\wwwroot" does not correspond to the URL "http://LocalHost:XXX" the two need to map to the same server location. HTTP Error 404: Object Not Found"
I recall setting someting up long ago with IIS... as I mention it has been a long time since I have looked at this, can anyone point me in the right direction?
Thanks in advance
|
|
|
|
|
i think you have store the prject in the default root directory i.e wwwroot
check the home directory settings of the IIS in its properties or
create a virtual directory and store the project in it Might helpfull
<l>Thanks and Regards
Sandeep
|
|
|
|
|
Hi,
Generally what this script does is gets dates input by a user and then redirects to another page to get values from a mysql database where the dates match those input. My problem is that when you go back to change the dates the infromd and indepartd lists are blank rather than having them populated with the previously selected months values. (The selected months are still selected!). Would be greatfull for any help.
<br />
<br />
function daysInMonth(month,year) {<br />
var dd = new Date(year, month, 0);<br />
return dd.getDate();<br />
}<br />
<br />
<br />
function change1(month,list)<br />
{ <br />
if(list == "infromm")<br />
var fromlist = document.emuas.infromd;<br />
else if(list != "infromm")<br />
var fromlist = document.emuas.indepartd;<br />
<br />
fromlist.options.length=0;<br />
var days = daysInMonth(month, 2007);<br />
for(i=1;i<(1+days);i++){<br />
fromlist.options[i] = new Option(i,i,false,false);<br />
}<br />
}<br />
(in the body tag and in a form called emuas)<br />
<select name="infromd" id="infromd" class="trans" title=""><br />
<br />
</select><br />
<br />
/<br />
<select class="trans" name="infromm" title="" onchange="change1(this.selectedIndex,this.name)"> <br />
<option value="00">Month</option><br />
<option value="1">Jan</option><br />
...etc<br />
<option value="8">Aug</option><br />
<option value="9">Sep</option><br />
<option value="10">Oct</option><br />
<option value="11">Nov</option><br />
<option value="12">Dec</option><br />
</select><br />
<div class="select2"><span>Depart:</span></div> <br />
<select class="trans" id="indepartd" name="indepartd" title=""><br />
<br />
</select><br />
/<br />
<select class="trans" name="indepartm" title="" onchange="change1(this.selectedIndex,this.name)"><br />
<option value="00">Month</option><br />
<option value="1">Jan</option><br />
....etc<br />
<option value="12">Dec</option><br />
</select><input type="submit" name="Submit" value="Submit" /></form>';<br />
<br />
Thanks
Nicky
|
|
|
|
|
Hi, I just wrote some javascript codes to move a div object by mouse-moving.
But the smoothness of the moving is not perfect.
I can correct this problem in IE by using setCapture & releaseCapture functions,
but I can't in firefox.
If anybody knows how to fix that problem, then help me.
Thank you.
The following code is the code I mentioned.
<html>
<style>
.Obj
{
width:100px;
height:100px;
background:red;
position:absolute;
z-index:100;
};
</style>
<script>
var bFlag = false;
var offsetX, offsetY;
function fnInit()
{
div1.addEventListener("mousedown", fnDown, false );
div1.addEventListener("mouseup", fnUp, false );
div1.addEventListener("mousemove", fnMove, false );
}
function fnDown()
{
bFlag = true;
offsetX = arguments[0].clientX - parseInt(div1.style.left);
offsetY = arguments[0].clientY - parseInt(div1.style.top);
}
function fnUp()
{
bFlag = false;
}
function fnMove()
{
if(bFlag)
{
div1.style.left = arguments[0].clientX - offsetX;
div1.style.top = arguments[0].clientY - offsetY;
}
}
</script>
<body onload="fnInit()">
<p>asdlfj lfkasdlfkj aslkjasdlf; asdklfj asdlfkj </p>
<p>asdlfj lfkasdlfkj aslkjasdlf; asdklfj asdlfkj </p>
<p>asdlfj lfkasdlfkj aslkjasdlf; asdklfj asdlfkj </p>
<p>asdlfj lfkasdlfkj aslkjasdlf; asdklfj asdlfkj </p>
<p>asdlfj lfkasdlfkj aslkjasdlf; asdklfj asdlfkj </p>
<p>asdlfj lfkasdlfkj aslkjasdlf; asdklfj asdlfkj </p>
<p>asdlfj lfkasdlfkj aslkjasdlf; asdklfj asdlfkj </p>
<p>asdlfj lfkasdlfkj aslkjasdlf; asdklfj asdlfkj </p>
<p>asdlfj lfkasdlfkj aslkjasdlf; asdklfj asdlfkj </p>
<p>asdlfj lfkasdlfkj aslkjasdlf; asdklfj asdlfkj </p>
<p>asdlfj lfkasdlfkj aslkjasdlf; asdklfj asdlfkj </p>
<input type="text" id = "txt1" />
<div class="Obj" id = "div1" style="{left:20;top:50;}"></div>
</body>
</html>
|
|
|
|
|
Hi All
I need some help. I'm not to clued up on this topic.
I have writen a web service that performs as I need it. ( On my development machine XP) when I install the web service on a clients machine (XP) the web service install correctly with the install program but when I try to edit my web.config file via my web service I get access denied. I can set the security settings when the machine is part of a domain. But this needs to happen automatically. I can not set the securtiy settings (dont know how) when the machine is not part of the domain.
Help in this regard will be much appreciated.
Kind regards
|
|
|
|
|
you rewrite the web.config as environment.config.current and use that one for making any changes
<l>Thanks and Regards
Sandeep
|
|
|
|
|
hi !!
I'hv scroll bar with tag.
I can capture the onscroll event and also get scroll value on runtime.
but I am not able to set Min and Max value, smallchange and large change
for scroll bar.
Pl. help me out
Shital
|
|
|
|
|
<link rel="stylesheet" type="text/css" href="mlogic.css" />
When I add this line to an XHTML transitional page, I get the following error:
end tag for element "HEAD" which is not open.
document type does not allow element "BODY" here.
when I validate with the w3c XHTML validator at http://validator.w3.org/[^]
If I remove the line, the errors are gone.
The document looks like:
<br />
<?xml version="1.0" encoding="utf-8" ?><br />
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"<br />
"http://www.w3.org/TR/html4/loose.dtd"><br />
<html><br />
<head><br />
<title>Welcome to Micrologic Networks</title><br />
<link rel="stylesheet" type="text/css" href="mlogic.css" /><br />
</head><br />
modified 29-Aug-18 21:01pm.
|
|
|
|
|
I found the answer. In XHTML,
<br />
<link rel="stylesheet" type="text/css" href="mlogic.css" /> should be replaced by
<link rel="stylesheet" type="text/css" href="mlogic.css">
modified 29-Aug-18 21:01pm.
|
|
|
|
|
That isn't Valid Xhtml
Brad
Australian
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
|
From the W3c:
(note that this is not the case with XHTML).
Brad
Australian
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
Exactly, but it still gives an error. As you said, a problem with the validator. I started writing XHTML today; are there any better validators?
Thomas
modified 29-Aug-18 21:01pm.
|
|
|
|
|
Not that I have come across. The best way to write Valid Xhtml is to take full advantage of layout. Be VERY strict about tabs and things like that. Pretend you are writing XML (Which you essentially are). Dreamweaver has a reasonably good tool, but I would not rely on it.
Another good posibility are the many firefox addons. These are free and often quite good.
Brad
Australian
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
The w3c doesn't know what it is doing.
Brad
Australian
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
You're trying to validate a HTML 4 document. For XHTML start with:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
Try validating after this change.
|
|
|
|
|
Thank you
modified 29-Aug-18 21:01pm.
|
|
|
|
|
|
There is a MySQL ADO.NET library available on the MySQL site, with that you won't need ODBC at all.
Find it here
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
