I am developing a fat client page based on JavaScript that will allow users to carry out tasks outwith another web client application (Oracle Siebel).
The way the web page will be called from the browser will be by a simple window.open() call.
When this happens a URL will be passed which contains some parameters at the end which will change the functionality of the fat client page depending on what value they have.
e.g
userlevel=1 //normal user
userlevel=2 //advanced user
An example full URL would be like so:
www.mypage/index.htm?id=25215125%userlevel=2%context=full
However, a user who wants to change their access only needs to figure out that if they change their user level then they can change their access rights on this fat client page.
Yes, I know this is risky and before you ask why I am not using a server supported thin client with controls that cannot be altered by the user. I simply have to do it this way!
This system will be in a "trusted" environment and these users will have at best average IT skills.
So all I need to do is figure out a way to obfuscate/ scramble the URL parameters (if possible) and then decipher them at the fat client.
e.g.
www.mypage/index.htm?1sdf908ga90-821098650f8asdg098g0a98
I tested it out on the browser and no complaints so far so I guess I just need to develop a piece of logic to decipher it.
e.g. I could use MD5?
Any examples or ideas?
Thanks
asked Mar 12, 2013 at 13:45 by tomaytotomato
- Better for security.stackexchange.com, if this meets their FAQ. – djechlin Commented Mar 12, 2013 at 13:47
- 4 If the client needs to undo the hash, then anyone can undo the hash. Security on the client is a joke. All of the security should be done on the server. VALIDATE, stuff that only an admin should see should not be there on the page in the first place. – epascarello Commented Mar 12, 2013 at 13:48
- Beware hash collisions. MD5 is a hash, not an encryption. – Dan Pichelman Commented Mar 12, 2013 at 13:50
- 1 He said he was aware that this would still be insecure, he's just looking for basic obfuscation... @loosebruce I'm a little confused about what code you can change. You said you can't modify the server code so how would you decipher the URL? Anyway I'm obviously just misunderstanding... MD5 would probably be your best bet since it's a one-way hash, you just hash the string you want to compare it with also and see if they match. – Matt Browne Commented Mar 12, 2013 at 13:56
- 3 @loosebruce why not just send a spec for the server side team to implement authentication securely? – djechlin Commented Mar 12, 2013 at 14:01
2 Answers
Try Base64 encoding it. https://stackoverflow.com/a/4699739/1088652
That'll shorten it and obfuscate it, so that users can't just throw values in the URL.
Params integrity can be ensured with HMAC. You generate a hash using a secret key and all the params, you include this hash inside the URL, then at the server side you generate the hash using the same params and compare the values.
function generateSignature(array $params, $hmacKey)
{
    // sort the array by key using SORT_STRING order
    ksort($params, SORT_STRING);

    // escape backslashes and colons so the ':' separator stays unambiguous
    $escapeFunc = function ($val) {
        return str_replace(':', '\\:', str_replace('\\', '\\\\', $val));
    };

    // generate the signing data string: all keys, then all values, joined by ':'
    $signData = implode(':', array_map($escapeFunc, array_merge(array_keys($params), array_values($params))));

    // base64-encode the binary result of the HMAC computation (key is given as hex)
    $merchantSig = base64_encode(hash_hmac('sha256', $signData, pack("H*", $hmacKey), true));
    return $merchantSig;
}
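
The issue-and-verify round trip for the HMAC scheme in the answer above, as an added Node.js example (not code from the original answers). It follows the answer's canonical form (sorted keys, escaped `\` and `:`); the demo key, the `sig` parameter name and the sample values are assumptions made for illustration. The verifier has to run where the user cannot read the key, which is why the answer places it on the server.

```javascript
const crypto = require('node:crypto');

// Constructed demo key; a real key stays on the server that issues and checks links.
const DEMO_KEY = Buffer.from('00112233445566778899aabbccddeeff', 'hex');

// Canonical signing string: keys sorted, '\' and ':' escaped,
// then all keys followed by all values, joined with ':'.
function canonicalize(params) {
  const keys = Object.keys(params).sort();
  const esc = (v) => String(v).replace(/\\/g, '\\\\').replace(/:/g, '\\:');
  return keys.concat(keys.map((k) => params[k])).map(esc).join(':');
}

function sign(params, key) {
  return crypto.createHmac('sha256', key).update(canonicalize(params)).digest('hex');
}

// Issuer side: build the query string and append the signature as 'sig'.
function buildQuery(params, key) {
  const qs = new URLSearchParams(params);
  qs.set('sig', sign(params, key));
  return qs.toString();
}

// Verifier side: recompute the HMAC over the received parameters and
// compare in constant time. Returns the parameters, or null if rejected.
function verifyQuery(query, key) {
  const qs = new URLSearchParams(query);
  const given = Buffer.from(qs.get('sig') || '', 'hex');
  qs.delete('sig');
  const params = Object.fromEntries(qs);
  const expected = Buffer.from(sign(params, key), 'hex');
  // Length check first: timingSafeEqual throws on unequal lengths.
  const ok = given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
  return ok ? params : null;
}

// Constructed sample values, modelled on the question's URL.
const issued = buildQuery({ id: '25215125', userlevel: '1', context: 'full' }, DEMO_KEY);
console.log('accepted:', verifyQuery(issued, DEMO_KEY));
console.log('edited  :', verifyQuery(issued.replace('userlevel=1', 'userlevel=2'), DEMO_KEY));
```
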