Hiding URL query parameters - encryption, session, etc ?

Posted: Wed Jul 12, 2006 1:00 pm
by tdnxxx444
I have various parts of my application in which GET is used and various values are passed via url query parameters. Some of these values are sensitive data, such as primary key ids, i.e. account id, etc. What would be the best way / practice to hide this data so that they aren't exposed to end users? I have so far thought of using url encryption or maybe even sessions -- does anyone have any other ideas?

Also, is there any particular data that should or shouldn't be hidden?

Posted: Wed Jul 12, 2006 1:14 pm
by Luke
The only time I think it's a good idea to pass anything through the url is when you want that page (with the correct get variables) to be bookmarkable. Otherwise, use POST or SESSION.

For example, http://www.yourpage.com/page.php?page_n ... light=word

I would not do this:
http://www.yourpage.com/page.php?user_i ... hn%20Eaton

Posted: Wed Jul 12, 2006 5:37 pm
by tdnxxx444
What about cases in which I HAVE to use a query string, BUT there is a sensitive data in the query string. For example, I have a page with a listing of items sold by different users. I can click on an item, and it will take me to a page with all items sold by that particular user via query string. i.e. item_sold.php?user_id=5

Posted: Wed Jul 12, 2006 5:49 pm
by Weirdan
You must check on the item_sold.php page if the current user has enough access permissions to view items sold by the specified user.

Posted: Wed Jul 12, 2006 5:51 pm
by jamiel
In general, I only put IDs or actions in my GET, or something which a user or I may want to change quickly for convenience, such as a search term.

Posted: Wed Jul 12, 2006 6:17 pm
by tdnxxx444
Weirdan - What if ANY user can view items sold by a specific user?

jamiel - Wouldn't IDs be considered sensitive data though? Since the IDs are usually primary keys to certain tables, and when given a primary key, hackers are given a gateway to modify or access certain data?

Posted: Wed Jul 12, 2006 6:19 pm
by Benjamin
tdnxxx444 wrote: What about cases in which I HAVE to use a query string, BUT there is sensitive data in the query string. For example, I have a page with a listing of items sold by different users. I can click on an item, and it will take me to a page with all items sold by that particular user via query string. i.e. item_sold.php?user_id=5
Sounds like poor design actually.

Posted: Wed Jul 12, 2006 6:19 pm
by RobertGonzalez
tdnxxx444 wrote: What about cases in which I HAVE to use a query string, BUT there is sensitive data in the query string. For example, I have a page with a listing of items sold by different users. I can click on an item, and it will take me to a page with all items sold by that particular user via query string. i.e. item_sold.php?user_id=5
You don't have to use querystrings. I did away with querystring passing and went to forms, even for things like this. You can also use javascript form submits using links so that it simulates what you are used to. Passing any type of sensitive data, especially data that manipulates database information, by way of a querystring is dangerous. I'd stay away from it altogether.

Posted: Wed Jul 12, 2006 6:23 pm
by tdnxxx444
astions wrote: Sounds like poor design actually.
What would be good design then?

Posted: Wed Jul 12, 2006 6:24 pm
by tdnxxx444
Everah wrote: You don't have to use querystrings. I did away with querystring passing and went to forms, even for things like this. You can also use javascript form submits using links so that it simulates what you are used to. Passing any type of sensitive data, especially data that manipulates database information, by way of a querystring is dangerous. I'd stay away from it altogether.
I would like to stay away from javascript, as I want to support as many users as possible, and some still use some pretty primitive browsers.

Posted: Wed Jul 12, 2006 6:26 pm
by Weirdan
Weirdan - What if ANY user can view items sold by a specific user?
Do you mean they SHOULD be able to view those items?
hackers are given a gateway to modify, access certain data?
Unless you implement appropriate access checks, which you should implement.

Please read some of these papers. Security through obscurity alone can't be considered adequate security practice.

Posted: Wed Jul 12, 2006 11:09 pm
by RobertGonzalez
tdnxxx444 wrote:
Everah wrote: You don't have to use querystrings. I did away with querystring passing and went to forms, even for things like this. You can also use javascript form submits using links so that it simulates what you are used to. Passing any type of sensitive data, especially data that manipulates database information, by way of a querystring is dangerous. I'd stay away from it altogether.
I would like to stay away from javascript, as I want to support as many users as possible, and some still use some pretty primitive browsers.
Then don't use it. Use forms instead. Instead of lining out links, line out buttons that process a hidden field that contains what you would have put into the query string.

Posted: Thu Jul 13, 2006 3:30 am
by Jenk
To the people recommending POST over GET: you do realise that POST is just as insecure as GET?

tdnxxx444: Using GET for scenarios such as item_sold.php?userid=5 is just fine, providing you have sufficient authentication on item_sold.php. 'userid=5' isn't what I would class as "sensitive" data.

Sensitive data, for example, would be the person's password, or the person's billing info, etc.

If you could post an example of what is causing you concern, we may be able to assist further, but until then all we can do is speculate.
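What the "sufficient authentication" that Weirdan and Jenk call for looks like in practice, as an added example that is not code from this thread: the id stays in the query string, but item_sold.php validates it, checks who is logged in, and decides whether that viewer may see the seller's listings before touching the database. The `db.php` include, the `$pdo` connection, the session key and the `users`/`items` tables and their columns are all assumptions.

```php
<?php
// item_sold.php: authorization check on the user_id query parameter.
// Assumptions (not from the thread): db.php defines a PDO connection in $pdo,
// the session stores the logged-in user's id, and the tables `users`
// (id, is_public_seller) and `items` (id, seller_id, title) are hypothetical.
require 'db.php';
session_start();

// 1. Treat the query parameter as untrusted input: require a positive integer.
$sellerId = filter_input(INPUT_GET, 'user_id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($sellerId === false || $sellerId === null) {
    http_response_code(400);
    exit('Invalid user_id');
}

// 2. Authentication: who is asking?
$viewerId = $_SESSION['user_id'] ?? null;
if ($viewerId === null) {
    http_response_code(401);
    exit('Login required');
}

// 3. Authorization: may this viewer see this seller's listings?
function canViewSellerItems(PDO $pdo, int $viewerId, int $sellerId): bool
{
    // A seller may always see their own listings.
    if ($viewerId === $sellerId) {
        return true;
    }
    // Anyone else may only see sellers who opted in to a public listing.
    $stmt = $pdo->prepare('SELECT is_public_seller FROM users WHERE id = :id');
    $stmt->execute([':id' => $sellerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && (bool) $row['is_public_seller'];
}

if (!canViewSellerItems($pdo, (int) $viewerId, $sellerId)) {
    // Do not reveal whether the id exists: a 404 covers both cases.
    http_response_code(404);
    exit('Not found');
}

// 4. The id from the URL reaches the database only as a bound parameter.
$stmt = $pdo->prepare('SELECT id, title FROM items WHERE seller_id = :seller');
$stmt->execute([':seller' => $sellerId]);
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $item) {
    echo htmlspecialchars($item['title'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

With this check in place, changing the number in the URL only ever yields listings the viewer was already entitled to see, which is why the id itself does not need hiding.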

Posted: Thu Jul 13, 2006 6:49 am
by Roja
Jenk wrote:To the people recommending POST over GET: you do realise that POST is just as insecure as GET?
It's often overlooked, and I don't know that it matters (much) in this scenario, but that statement isn't totally accurate. There is one difference that makes GET more insecure for some things: Referrer tags.

If you are on my site, and you go to http://www.example.com?content=adult, and then load your company homepage, their apache logs will show that's where you came from.

So there is a slight difference, and it makes GET slightly less secure, but it only applies in a very few situations. I doubt this is one of them, but I wanted to clarify that point.

Posted: Thu Jul 13, 2006 6:54 am
by Benjamin
Are you sure?