
protecting a Web server by signing every URL


Lone Droid

Sep 14, 2003, 12:08:30 PM
Hi all c.s.misc'ers,

I posted a message a few days ago to comp.lang.java.programmer
but I didn't get any replies, so I'll try here; I hope it's not
too much off-topic...

It's about a technique I would call "URL signing" that is really
easy to implement on any Java Web application server using a
"clean" design (like, amongst other things, having every single
request go through a controller first, then getting dispatched).

But it should be easy to implement on a lot of other different
Web servers.

This technique works, and it works pretty well. It is currently
in use on a production server. What I would like to know is what
the name of this technique is and where/who described it / used
it before.

It is really the first thing I thought of when my client asked
me to protect against the more common Web server vulnerabilities.
I am surprised that I cannot find any information regarding this
technique on the Net (I googled and groups.googled...).

Below is the message I posted to comp.lang.java.programmer...


Hi all,

To secure the WebApp server of one of my clients, who was
really concerned about various security issues, I devised
a nice cute little "hack" which I would call "URL signing".

Every single request goes to a front controller servlet
which then dispatches to the correct jsp page (after the
business logic has prepared all the result beans).

Every single link in any of the jsp pages transmitted to
the client is generated with a checksum that acts as a
signature for the URL, like this (this example is not
precisely how I did it, it's just to show how it works):

http://somesite.com/dispatch?act=multi&resultSet=9931578&pageNumber=2&chk=IFu-eA0FWSw_j3lE

If a user tries to modify a single character in the URL
from his browser, then the front controller servlet will
dispatch to a special page indicating that the URL has been
"faked" and fill the logs accordingly.

In a way it is "overkill" when using a Java-only WebApp
server (which is inherently immune to buffer overflows, and
I can hardly imagine some Java WebApp programmer allowing SQL
injection in the URL :)

But, still, it's a nice additional layer of protection.

Of course, for POSTed requests it's different: the
checksum still applies (the way I did it), but only on
the parameters that the user cannot modify.

The other parameters are then checked for validity too,
using the "normal way".

Then again, the way I designed the WebApp, not a single
one of the "sensitive" pages (pages doing queries on sensitive
data) can be accessed using POST, but only using GETs.

So what this technique brings is: 100% protection for
every single GET request and partial protection for
POST requests...

The partial protection for POST is a really good safety
net: imagine you have a hidden form field with the
value "admin=no" (I wouldn't encourage anyone to show such
an obvious field with such an obvious name/meaning in a URL
though), well... If the URL is signed, the hypothetical
attacker simply cannot change it to "admin=yes"...

I don't advocate relying on this technique alone to
secure a Web server, but I think it's a nice *additional*
layer of protection.

Have you ever heard of a term coined to describe this? Have
you ever heard of a Web server (Java or other, Open Source
or commercial, etc.) doing anything similar? Any links?

Thanks for comments and excuse my "french",

Lonedroid

Erik Mannergren

Sep 16, 2003, 4:51:05 AM
Hi!

I haven't heard of the technique but it sounds good.

How do you implement the checksum? If you have a static checksum function
(that doesn't add random data or time data to the URL) it might cause a
security problem. In this case it shouldn't be too hard for an attacker to
reproduce your checksum function by looking at the checksums for different
links in your HTML code and use it to modify the URLs and corresponding
checksums.

/Erik

.merlin

Sep 19, 2003, 2:53:16 AM

Hi !

That technique is described in a web application security book. I don't
have the reference right here at work, but it is from the same authors as
the "Hack Proofing Web Applications" series.

If I remember well, the exact term is 'URL Tampering'. This relies on an
md5 hash made of two pieces of information:

- the get/post data (usually the get data)
- the local server initialization key (which can be a single string of, for
example, 10-20 characters).

A hash is computed over both values and added to the URL. This gives
the URL the same level of integrity as for an md5 hash itself.

If you want an even higher security level, you can timestamp your
hash or have the server key regularly regenerated during its application
life cycle.

For your question about implementing it in other languages or frameworks,
there's strictly no constraint for this; everyone can use it, as it is only a
'specification' ; )

I am currently implementing this library on the dotnet framework; if you
are doing the same in Java, it would be interesting to share those
implementations here or even on a website. Up 2 u.

regards,

.merlin
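The scheme described in the opening post (a signature parameter appended to every generated link, checked by the front controller before dispatch) and refined in the replies (a hash over the request data plus a server-side key, optionally timestamped) can be put together in a few dozen lines. The block below is an added example written for this thread, not code from any of the posters or from the book .merlin mentions. It uses HMAC-SHA256 as the keyed hash rather than md5 over the data and key, sorts the parameters before hashing so the signature does not depend on their order, compares signatures in constant time, and rejects URLs that carry a missing or duplicated `chk`. The server key, the `chk`/`ts` parameter names and the sample URL are assumptions for the example; the key shown is a constructed placeholder.

```python
"""URL signing: a keyed MAC over path + query so that any client-side edit of a
generated link is detected by the front controller (added example, not from the thread)."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical "local server initialization key". Constructed placeholder for this
# example; a real deployment generates it at startup and never sends it to clients.
SERVER_KEY = b"example-only-server-key-0123456789"

SIG_PARAM = "chk"   # signature parameter, named after the post's example URL (assumption)
TS_PARAM = "ts"     # optional timestamp parameter, following the "timestamp your hash" idea

AUDIT_LOG = []      # stands in for the server log the front controller "fills accordingly"


def compute_signature(path, params, key):
    """HMAC-SHA256 over the path and the sorted query parameters, URL-safe base64 encoded.

    Sorting makes the signature independent of parameter order. Using a keyed MAC
    instead of an unkeyed checksum is what prevents a client from recomputing it
    from the examples visible in the HTML (the concern raised in the second post).
    """
    message = path + "?" + urlencode(sorted(params))
    digest = hmac.new(key, message.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_url(url, key=SERVER_KEY, timestamp=None):
    """Return `url` with a `chk` parameter appended (and `ts` if a timestamp is given)."""
    parts = urlsplit(url)
    # Drop any pre-existing chk/ts so a URL cannot be signed twice with stale values.
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k not in (SIG_PARAM, TS_PARAM)]
    if timestamp is not None:
        params.append((TS_PARAM, str(int(timestamp))))
    # The signature covers everything appended so far, including the timestamp.
    params.append((SIG_PARAM, compute_signature(parts.path, params, key)))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), parts.fragment))


def verify_url(url, key=SERVER_KEY, now=None, max_age=None):
    """True if the URL carries exactly one `chk` matching its path and parameters.

    With `max_age` set, the signed `ts` must also be present and no older than that
    many seconds relative to `now` (defaults to the current time).
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    presented = [v for k, v in params if k == SIG_PARAM]
    if len(presented) != 1:            # missing or duplicated signature is rejected
        return False
    signed = [(k, v) for k, v in params if k != SIG_PARAM]
    expected = compute_signature(parts.path, signed, key)
    if not hmac.compare_digest(presented[0], expected):   # constant-time comparison
        return False
    if max_age is not None:
        ts = [v for k, v in signed if k == TS_PARAM]
        if len(ts) != 1 or not ts[0].isdigit():
            return False
        now = time.time() if now is None else now
        if now - int(ts[0]) > max_age:
            return False
    return True


def front_controller(url, key=SERVER_KEY, **freshness):
    """Model of the dispatching servlet: valid links are dispatched, others hit the 'faked' page."""
    if verify_url(url, key, **freshness):
        return "dispatch"
    AUDIT_LOG.append(f"rejected unsigned or tampered URL: {url}")
    return "faked"


if __name__ == "__main__":
    link = sign_url("http://somesite.com/dispatch?act=multi&resultSet=9931578&pageNumber=2")
    print(link)
    print(front_controller(link))                                          # dispatch
    print(front_controller(link.replace("pageNumber=2", "pageNumber=3")))  # faked
    print(AUDIT_LOG)
```

Because the signature is computed over the canonicalised query, a link still verifies if the browser or a proxy reorders its parameters, while changing any value, adding a parameter, removing `chk`, or presenting a signature made under a different key all send the request to the "faked" page and leave a log entry. The `ts`/`max_age` pair gives the bounded lifetime suggested in the third post without needing to rotate the key.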
