最新消息:雨落星辰是一个专注网站SEO优化、网站SEO诊断、搜索引擎研究、网络营销推广、网站策划运营及站长类的自媒体原创博客

javascript - Obfuscating URL parameters to prevent users from changing them? - Stack Overflow

programmeradmin2浏览0评论

I am developing a fat client page based on Javascript that will allow users to carry out tasks outwith another web client application (Oracle Siebel).

The way the web page will be called from the browser will be by a simple window.open() call.

When this happens a URL will be passed which contains some parameters at the end which will change the functionality of the fat client page depending on what value they have.

e.g

userlevel=1 //normal user

userlevel=2 //advanced user

In an example full URL would be like so

www.mypage/index.htm?id=25215125%userlevel=2%context=full

However a user who wants to change their access only need to figure out that if they change their user level then they can change their access rights on this fat client page.

Yes, I know this is risky and before you ask why I am not using a server supported thin client with controls that cannot be altered by the user. I simply have to do it this way!

This system will be in a "trusted" environment and this users will have at best average IT skills.

So all I need to do is figure out a way to obfuscate/ scramble the URL parameters (if possible) and then decipher them at the fat client.

e.g.

www.mypage/index.htm?1sdf908ga90-821098650f8asdg098g0a98

I tested it out on the browser and no plaints so far so I guess I just need to develop a piece of logic to decipher it.

e.g. I could use MD5?

Any examples or ideas?

Thanks

I am developing a fat client page based on Javascript that will allow users to carry out tasks outwith another web client application (Oracle Siebel).

The way the web page will be called from the browser will be by a simple window.open() call.

When this happens a URL will be passed which contains some parameters at the end which will change the functionality of the fat client page depending on what value they have.

e.g

userlevel=1 //normal user

userlevel=2 //advanced user

In an example full URL would be like so

www.mypage./index.htm?id=25215125%userlevel=2%context=full

However a user who wants to change their access only need to figure out that if they change their user level then they can change their access rights on this fat client page.

Yes, I know this is risky and before you ask why I am not using a server supported thin client with controls that cannot be altered by the user. I simply have to do it this way!

This system will be in a "trusted" environment and this users will have at best average IT skills.

So all I need to do is figure out a way to obfuscate/ scramble the URL parameters (if possible) and then decipher them at the fat client.

e.g.

www.mypage./index.htm?1sdf908ga90-821098650f8asdg098g0a98

I tested it out on the browser and no plaints so far so I guess I just need to develop a piece of logic to decipher it.

e.g. I could use MD5?

Any examples or ideas?

Thanks

Share Improve this question asked Mar 12, 2013 at 13:45 tomaytotomatotomaytotomato 4,04817 gold badges70 silver badges128 bronze badges 14
  • Better for security.stackexchange., if this meets their FAQ. – djechlin Commented Mar 12, 2013 at 13:47
  • 4 If the client needs to undo the hash, than anyone can undo the hash. Security on the client is a joke. All of the security should be done on the server. VALIDATE, stuff that only an admin should see should not be there on the page in the first place. – epascarello Commented Mar 12, 2013 at 13:48
  • Beware hash collisions. MD5 is a hash, not an encryption. – Dan Pichelman Commented Mar 12, 2013 at 13:50
  • 1 He said he was aware that this would still be insecure, he's just looking for basic obfuscation...@loosebruce I'm a little confused about what code you can change. You said you can't modify the server code so how would you decipher the URL? Anyway I'm obviously just misunderstanding...MD5 would probably be your best bet since it's a one-way hash, you just hash the string you want to pare it with also and see if they match. – Matt Browne Commented Mar 12, 2013 at 13:56
  • 3 @loosebruce why not just send a spec for the server side team to implement authentication securely? – djechlin Commented Mar 12, 2013 at 14:01
 |  Show 9 more ments

2 Answers 2

Reset to default 3

Try Base64 encoding it. https://stackoverflow./a/4699739/1088652

That'll shorten it and obfuscate it, so that users can't just throw values in the URL.

Params integrity can be ensured with HMAC. You generate hash using secret key and all the params, you include this hash inside of URL, then at server side you generate hash using same params and pare values.

function generateSignature(array $params, $hmacKey)
{
    // sort the array by key using SORT_STRING order
    ksort($params, SORT_STRING);

    $escapeFunc = function ($val) {
        return str_replace(':', '\\:', str_replace('\\', '\\\\', $val));
    };

    // generate the signing data string
    $signData = implode(':', array_map($escapeFunc, array_merge(array_keys($params), array_values($params))));

    // base64-encode the binary result of the HMAC putation
    $merchantSig = base64_encode(hash_hmac('sha256', $signData, pack("H*", $hmacKey), true));

    return $merchantSig;
}
发布评论

评论列表(0)

  1. 暂无评论