protecting Web server by URL signing

Lone Droid

Hi all,

To secure the WebApp server of one of my clients, who was really concerned about various security issues, I devised a nice cute little "hack" which I would call "URL signing".

Every single request goes to a front controller servlet which then dispatches to the correct jsp page (after the business logic has prepared all the result beans).

Every single link in any of the jsp pages transmitted to the client is generated with a checksum that acts as a signature for the URL, like this (this example is not precisely how I did it, it's just to show how it works):

http://somesite.com/dispatch?act=multi&resultSet=9931578&pageNumber=2&chk=IFu-eA0FWSw_j3lE

If a user tries to modify a single character in the URL from his browser, then the front controller servlet will dispatch to a special page indicating that the URL has been "faked" and fill the logs accordingly.

In a way it is "overkill" when using a Java-only WebApp server (which is inherently immune to buffer overflow, and I can hardly imagine some Java WebApp programmer allowing SQL injection in the URL :)

But, still, it's a nice additional layer of protection.

Of course, for POSTed requests it's different: the checksum still applies (the way I did it), but only on the parameters that the user cannot modify.

The other parameters are then checked for validity too, using the "normal way".

Then again, the way I designed the WebApp, not a single one of the "sensitive" pages (pages doing queries on sensitive data) can be accessed using POST, but only using GETs.

So what this technique brings is: 100% protection for every single GET request and partial protection for POST requests...

I don't advocate relying on this technique alone to secure a Web server, but I think it's a nice *additional* layer of protection.

Have you ever heard of a term coined to describe this? Have you ever heard of a Web server (Java or other, Open Source or commercial, etc.) doing anything similar? Any links?

Thanks for comments and excuse my "french",

Lonedroid




P.S. :

I used a homemade "Base64-like" (but not Base64 compliant) encoder, as you may have noticed, so my checksum can be represented using URL friendly characters (instead of using "+" and "/" like Base64, I used "-" and "_"... I don't need any character for the padding as I reconstruct it myself).

In the example above the cryptographic checksum is only 96 bits long but I may make it longer if my client is concerned about someone brute forcing the checksum to change some parameters (which may happen, the client wanted the WebApp server behind an OpenBSD firewall/masquerader (!) then I proposed him a totally invisible snort sniffer using a one-way only RJ45 cable... He was delighted to know such a thing could be made! The guy is paranoid :)
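
Added example, not part of the original post and not the poster's code: one way to build the scheme described above, assuming the "cryptographic checksum" is an HMAC-SHA256 truncated to 96 bits and encoded with the JDK's unpadded URL-safe Base64 (which already uses "-" and "_"). The class name `UrlSigner`, the key string and the `&chk=` handling are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class UrlSigner {
    private static final int TAG_BYTES = 12; // 96 bits -> 16 URL-safe characters
    private final SecretKeySpec key;

    public UrlSigner(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    // Keyed MAC over the path and query string, truncated to TAG_BYTES.
    private byte[] tag(String pathAndQuery) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        byte[] full = mac.doFinal(pathAndQuery.getBytes(StandardCharsets.UTF_8));
        return Arrays.copyOf(full, TAG_BYTES);
    }

    // Assumes the URL already has a query string, so "&chk=" can be appended.
    public String sign(String pathAndQuery) throws Exception {
        String chk = Base64.getUrlEncoder().withoutPadding().encodeToString(tag(pathAndQuery));
        return pathAndQuery + "&chk=" + chk;
    }

    public boolean verify(String signedUrl) throws Exception {
        int i = signedUrl.lastIndexOf("&chk=");
        if (i < 0) return false;                 // unsigned URL: reject and log
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(signedUrl.substring(i + 5));
        } catch (IllegalArgumentException e) {
            return false;                        // chk is not valid URL-safe Base64
        }
        // Constant-time comparison; a length mismatch also returns false.
        return MessageDigest.isEqual(tag(signedUrl.substring(0, i)), presented);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real key is random and kept server-side only.
        UrlSigner s = new UrlSigner("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String url = s.sign("/dispatch?act=multi&resultSet=9931578&pageNumber=2");
        System.out.println(url + " -> " + s.verify(url));
        String tampered = url.replace("pageNumber=2", "pageNumber=3");
        System.out.println(tampered + " -> " + s.verify(tampered));
    }
}
```

A signature built this way stays valid for any client who obtains the link; binding it to one user or a time window means including a session identifier or expiry value in the signed string.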
 
