Posted to users@cocoon.apache.org by Michael Bierenfeld <mi...@atmiralis.de> on 2000/09/15 15:05:33 UTC

Off topic but imho important

Hello out there,

I am having the following problem. We are
currently developing a website where security is
very important. Imagine the following situation.

XML content:

<link target="http://www.some.site/display_user.xml?id=110">display</link>

transferred to HTML content:

<a href="http://www.some.site/display_user.xml?id=110">display</a>

The problem is that when the browser displays the
page coming from the database, no one protects the
application from someone typing in the location bar:
http://www.some.site/display_user.xml?id=4711

=> user 110 is able to see the vital data of
user 4711. <=        IMPOSSIBLE!!!!!

Is there a way to hide the parameters in the
location bar? JavaScript is fine, or maybe there is
an Apache setting, in the response header or so. I
could imagine several ways:

- Using a session id and storing the values in some
sort of hash table
- Encrypting the parameter values and sending them together
with a funny hash code to avoid hits by accident

Sorry for being OT.

Kind regards

Michael

Re: Off topic but imho important

Posted by OD <od...@feersumendjinns.com>.
Hi,

Hmm...
Using session tracking via a session id will work and, I think, is a fairly
standard way of achieving this.
If you want to use JavaScript to encrypt your parameter values, check:
http://pajhome.org.uk/crypt/index.html
http://www.builder.com/Programming/Scripter/013100/ss02.html

Corey O'Donovan

----- Original Message -----
From: Michael Bierenfeld <mi...@atmiralis.de>
To: Cocoon User Mailing List <co...@xml.apache.org>
Sent: Friday, September 15, 2000 2:05 PM
Subject: Off topic but imho important


> Hello out there,
>
> I am having the following problem. We are
> currently developing a website where security is
> very important. Imagine the following situation.
>
> XML content:
>
> <link
> target="http://www.some.site/display_user.xml?id=110">display</link>
>
> transferred to HTML content:
>
> <a
> href="http://www.some.site/display_user.xml?id=110">display</a>
>
> The problem is that when the browser displays the
> page coming from the database, no one protects the
> application from someone typing in the location bar:
> http://www.some.site/display_user.xml?id=4711
>
> => user 110 is able to see the vital data of
> user 4711. <=        IMPOSSIBLE!!!!!
>
> Is there a way to hide the parameters in the
> location bar? JavaScript is fine, or maybe there is
> an Apache setting, in the response header or so. I
> could imagine several ways:
>
> - Using a session id and storing the values in some
> sort of hash table
> - Encrypting the parameter values and sending them together
> with a funny hash code to avoid hits by accident
>
> Sorry for being OT.
>
> Kind regards
>
> Michael
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: cocoon-users-unsubscribe@xml.apache.org
> For additional commands, e-mail: cocoon-users-help@xml.apache.org



Re: Off topic but imho important

Posted by Uli Mayring <ul...@denic.de>.
On Fri, 15 Sep 2000, OD wrote:

> Is your auth taglib not up to this Ulrich?

Um, yes :)

It does what I suggested: perform authentication and connect a session to
it. This is still vulnerable to a man-in-the-middle attack and someone
breaking into your webserver. But it's about as much as can be done
without spending serious $$$. You can of course throw some kind of
encryption on top of auth, like md5 or whatever, but in my mind without a
site certificate this still doesn't protect from man-in-the-middle
attacks.

Ulrich


Re: Off topic but imho important

Posted by OD <od...@feersumendjinns.com>.
Is your auth taglib not up to this Ulrich?

Corey O'Donovan

----- Original Message ----- 
From: Ulrich Mayring <ul...@denic.de>
To: <co...@xml.apache.org>
Sent: Friday, September 15, 2000 3:34 PM
Subject: Re: Off topic but imho important


> mayring@denic.de wrote:
> > 
> 
> > The simplest way to hide them is if you use POST instead of GET
> > parameters.
> 
> I think I should add this: of course, using POST (or whatever other
> method of hiding the parameters) still does not prevent someone from
> guessing your parameter name. So that alone does not improve security
> very much, you also have to do something like employ an authentication
> scheme and connect a session to it.
> 
> Ulrich
> 
> -- 
> Ulrich Mayring
> DENIC eG, Systementwicklung



Re: Off topic but imho important

Posted by Michael Bierenfeld <mi...@atmiralis.de>.
Ulrich Mayring wrote:
> 
> mayring@denic.de wrote:
> >
> 
> > The simplest way to hide them is if you use POST instead of GET
> > parameters.
> 
> I think I should add this: of course, using POST (or whatever other
> method of hiding the parameters) still does not prevent someone from
> guessing your parameter name. So that alone does not improve security
> very much, you also have to do something like employ an authentication
> scheme and connect a session to it.
> 
> Ulrich
> 
> --
> Ulrich Mayring
> DENIC eG, Systementwicklung

Hello,

It is pretty secure in terms of HTTP and
authentication. The whole thing runs over an
SSL server with card identification. The SSL proxy
stores the user identification/hash in the
HTTP header.

The whole application is a mixture of POST (forms)
and GETs (URLs built dynamically). So I am really
thinking of doing it like this:

e.g. GET parameters:

http://www.somesite.com/index.xml?nUser=100&sPassword=honey

   will be

http://www.somesite.com/index.xml?nUser=x3z&sPassword=urfnx&sHashCode=7485jgh7

   1) Encrypt the parameter values
   2) Send them along with a hash code identifying
the original params and showing that the URL is coming
from a servlet/XSP

e.g. POST:

   ?-) Does not apply :-).

I'll post the code when it is done.

Kind regards

Michael
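The hash-code part of the scheme sketched above, as an added example that is not code from the thread or from Cocoon: the server signs the parameters it emits with a keyed MAC (HMAC-SHA256), so an id edited in the location bar no longer matches its sHashCode and is rejected. The parameter names follow the URLs above; the key, the base URL and the function names are assumptions, and the value encryption is left aside.

```python
# Added example (not from the thread): tamper-evident query parameters.
# The server signs every URL it emits; a request whose parameters were
# edited in the location bar no longer matches its tag and is rejected.
import hmac
import hashlib
from urllib.parse import urlencode, urlsplit, parse_qsl

SIGNATURE_PARAM = "sHashCode"          # parameter name taken from the thread
# Constructed secret; in a deployment it lives only on the server.
SERVER_KEY = b"constructed-server-side-secret"


def _canonical(params):
    """Deterministic bytes over the unsigned parameters (sorted by name)."""
    unsigned = [(k, v) for k, v in params.items() if k != SIGNATURE_PARAM]
    return urlencode(sorted(unsigned)).encode()


def sign_query(base_url, params, key=SERVER_KEY):
    """Build a URL whose parameters are protected by an HMAC-SHA256 tag."""
    tag = hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()
    return f"{base_url}?{urlencode({**params, SIGNATURE_PARAM: tag})}"


def verify_query(url, key=SERVER_KEY):
    """Return the parameters if the tag is valid, otherwise None.

    A plain (unkeyed) hash would not help here: anyone could recompute it
    for id=4711. The key makes the tag something only the server can mint.
    """
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    tag = params.pop(SIGNATURE_PARAM, None)
    if tag is None:
        return None                       # unsigned request
    expected = hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag byte by byte through timing
    if not hmac.compare_digest(tag, expected):
        return None                       # edited or forged parameters
    return params
```

The tag only proves that this server issued the URL; it does not bind the link to the session that received it, so the per-user authorization check still has to happen server-side.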

Re: Off topic but imho important

Posted by Ulrich Mayring <ul...@denic.de>.
mayring@denic.de wrote:
> The simplest way to hide them is if you use POST instead of GET
> parameters.

I think I should add this: of course, using POST (or whatever other
method of hiding the parameters) still does not prevent someone from
guessing your parameter name. So that alone does not improve security
very much; you also have to do something like employ an authentication
scheme and connect a session to it.

Ulrich

-- 
Ulrich Mayring
DENIC eG, Systementwicklung
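The "connect a session to it" point, as an added example in Python that is not code from the thread or from Cocoon: the handler first resolves the caller from a session cookie and only then decides whether the id in the URL may be shown, so changing id=110 to id=4711 in the location bar yields nothing. The user table, session table and function names are constructed for the example.

```python
# Added example (not from the thread): the display_user.xml?id=... handler
# before and after tying the request to an authenticated session.
from urllib.parse import urlsplit, parse_qs

# Constructed sample data standing in for the database and the session table.
USERS = {
    110: {"name": "alice", "account": "constructed-account-110"},
    4711: {"name": "bob", "account": "constructed-account-4711"},
}
SESSIONS = {"session-of-user-110": 110}   # session cookie -> authenticated user id


def requested_id(url):
    """Extract the id= parameter from a request URL, or None if absent/invalid."""
    qs = parse_qs(urlsplit(url).query)
    try:
        return int(qs["id"][0])
    except (KeyError, ValueError):
        return None


def display_user_vulnerable(url):
    """Original behaviour: whoever asks for id=4711 gets user 4711's record."""
    return USERS.get(requested_id(url))


def display_user_checked(url, session_cookie):
    """Hardened: resolve the caller from the session, then authorize the id.

    Returns the record only when the session belongs to the requested user;
    returns None (the handler would answer 403) otherwise, including when
    the cookie is missing or unknown. Since the caller is known from the
    session, the id parameter could be dropped from the URL altogether.
    """
    caller = SESSIONS.get(session_cookie)
    if caller is None:
        return None                       # not authenticated
    uid = requested_id(url)
    if uid is None or uid != caller:
        return None                       # authenticated, but not this user's data
    return USERS[uid]
```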

Re: Off topic but imho important

Posted by Ulrich Mayring <ul...@denic.de>.
michael@atmiralis.de wrote:
> 
> Is there a way to hide the parameters in the
> location bar. JavaScript is fine or maybe there is
> a apache-setting. In the response Header or so. I
> could imagine several ways :

The simplest way to hide them is if you use POST instead of GET
parameters. That way someone has to hack your server or do a man in the
middle attack to see them.

Avoiding the man-in-the-middle attack: the only way I see is with site
certificates and HTTPS.
Avoiding your server being hacked: take it off the Internet or at least use
a well-configured firewall :-)

There are of course a number of expensive, professional security
solutions as well, like hardware keys that change every minute and such.

Ulrich

-- 
Ulrich Mayring
DENIC eG, Systementwicklung