If you want to include a directory in the URL, write an
ISAPI filter to look at the path, which you will then
translate to another URL.
See
http://www.codeproject.com/isapi/isapiredirector.asp?target=isapi

For URL encryption, that's pretty easy. Simply form your
URL, encrypt it, URL encode it, and use it. Lots of times
links are formed with this information so your page can
track user information without sessions, but in a secure
way. It can definitely help protect against attacks via the
querystring, but assuming it's a complex scheme.
Adam
On 30 Jan 2004 10:28:44 -0000
lupin <lupin9809_at_hotmail.com> wrote:
>
>
> I've seen a couple of highly secure Web Applications that use
> encrypted URLs.
>
> Actually they encrypt the parameter query string.
>
> Example URL:
>
>
http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c67006a/appl?Toto=796f62796c62796e6c62796b621730323a08362b37083a333c30323a0f38796662113e29791c54683b3a312b796e6d620f2d3a1e3c3c302a312b133e2c2b1d3030343631382c1e3c2b796862123e3631113e29e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c791930333b3a2d173e2a4e3033302d62123e3631113e2936383e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c
>
> I think this is a great way to protect against parameter
> tampering attacks.
>
> Does anybody know more about this technique? Papers
> etc..? How to implement it? Google didn't help me a lot.
>
> What is your point of view? Do you think it will help to
> prevent all the parameter attacks (XSS, SQL inj. etc...)?
>
> Thanks a lot for your response in advance.
>
Received on Jan 30 2004
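
The "form your URL, encrypt it, URL encode it" sequence from the reply above, as an added example that is not part of the original thread: it uses Node.js's built-in AES-256-GCM so that a modified token is rejected instead of decrypting to garbage. The function names, the token layout (IV, tag, ciphertext), the sample path and the randomly generated key are assumptions made for illustration.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Assumption: a real deployment loads this key from server-side secret storage.
// A random per-process key is generated here only so the example runs offline.
const KEY = randomBytes(32);

// Encrypt a query string such as "account=1042&role=user" into a URL-safe token:
// base64url(iv || authTag || ciphertext). The request path is bound as associated
// data, so a token issued for one page is rejected on another.
function sealQuery(query, path, key = KEY) {
  const iv = randomBytes(12); // fresh nonce per token; never reuse with the same key
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(path, 'utf8'));
  const ciphertext = Buffer.concat([cipher.update(query, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ciphertext]).toString('base64url');
}

// Decrypt a token. Returns URLSearchParams on success, or null when the token is
// too short, was modified in transit, or was issued for a different path.
function openQuery(token, path, key = KEY) {
  const raw = Buffer.from(String(token), 'base64url');
  if (raw.length < 28) return null; // 12-byte IV + 16-byte tag is the minimum
  const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(path, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return new URLSearchParams(plain.toString('utf8'));
  } catch {
    return null; // authentication failed: treat as tampering, do not use any output
  }
}

// Constructed sample: build a link whose parameters travel as one opaque token.
const sampleToken = sealQuery('account=1042&role=user', '/appl');
console.log('/appl?t=' + sampleToken);
console.log(openQuery(sampleToken, '/appl').get('account'));
```

The decrypted parameters are still input to the application, so output encoding and parameterised queries remain necessary for the XSS and SQL injection cases raised in the question.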