12 Replies Latest reply on Oct 13, 2009 4:11 PM by jeanluc

Hide or encrypt url params

mhdez Mar 23, 2009 7:32 PM

Hi folks, I have tested my seam app with a security system and is warning me about a url parameters id session security problem. So, I need to hide the url params or encrypt them, please any suggestion will be accepted gratefully.

Greetings

1. Re: Hide or encrypt url params

emiakoup Mar 23, 2009 8:08 PM (in response to mhdez)

Hello,
perhaps this can help:
http://seamframework.org/Documentation/WebVulnerabilitiesAndCountermeasures
Actions
2. Re: Hide or encrypt url params

norman Mar 24, 2009 3:53 AM (in response to mhdez)

Are you talking about the conversation id?
Actions
3. Re: Hide or encrypt url params

mhdez Mar 25, 2009 4:00 PM (in response to mhdez)

Yes, I'm...please help me if you can.

Greetings.
Actions
4. Re: Hide or encrypt url params

norman Mar 25, 2009 7:32 PM (in response to mhdez)

You can create a custom conversation id generator for any conversation id strategy you like.
Actions
5. Re: Hide or encrypt url params

mhdez Mar 25, 2009 9:17 PM (in response to mhdez)

Yes, but I need exactly change this:
http://localhost:8080/clients/admin.seam?cid=7
by:
http://localhost:8080/clients/admin.seam
It means to delete ?cid=7

I'm trying with URLRewriter 2.6 because I'm using Seam 2.0.0.GA I can not use <rewrite pattern...> in pages.xml and this comes with the 2.1.
Do you know how make it with <outbound-rule> tag ?
Actions
6. Re: Hide or encrypt url params

swd847 Mar 25, 2009 10:07 PM (in response to mhdez)

If you delete the cid your conversations will not work correctly. Why does it need to be hidden? It is not possible for a user to change the cid and end up in another users conversation, as they are session scoped. If you are not worried about this then what is the issue?
Actions
7. Re: Hide or encrypt url params

gardellajuan Mar 26, 2009 1:24 PM (in response to mhdez)

Hi,

Here you can see some reasons why cid need to be hidden and show some solutions.

http://chiralsoftware.com/launching-a-jboss-seam-site/jboss-seam-problems.seam
Actions
8. Re: Hide or encrypt url params

kukeltje.ronald.jbpm.org Mar 26, 2009 4:57 PM (in response to mhdez)

But that is a completely different reason... not security related (ok... could lead to a DOS, but that is a different thing)
Actions
9. Re: Hide or encrypt url params

norman Mar 26, 2009 8:09 PM (in response to mhdez)

I think you need to figure out what exactly you are trying to accomplish and then re-ask the question.
Actions
10. Re: Hide or encrypt url params

vladknez Apr 27, 2009 9:53 PM (in response to mhdez)

Hi!

Pretty similar problem, though, not with cid. It's with any param? Example: when I log to my seam app I get to the page for Distributor ... and URL is:

.../Distributor.seam?distributorId=3&cid=19308

if I just change that 3, into 2 (distributorId) ... i am watching at at data of the distributor with id 2. A major no-no!

I am new to all this, new at forum, lost 2 days on this what I think is rather trivial situation, played my self (don't laugh) with url rewrite all day long ... fuming frustrated... just can't solve this. :(

How do I hide those param values? How to hide that distributorId?

Thank you in advance. Best regards,
vlad
Actions
11. Re: Hide or encrypt url params

domagals.jame Oct 13, 2009 1:57 AM (in response to mhdez)

Hey, Have you found out a solution to this yet? I have the same issue.

Thanks
Actions
12. Re: Hide or encrypt url params

jeanluc Oct 13, 2009 4:11 PM (in response to mhdez)
From whom do you want to hide the parameters from?

if from anyone snooping the traffic, then use SSL

if from the user (i.e. you don't want it to be part of the URL but sent via a HTTP POST), it has zero security value.

If you want to prevent the user of accessing other data (i.e. you want to have instance-level authorization), you need to design your back-end to enforce that and not rely on hiding the parameter. Even if you encrypt it, this is still vulnerable to capture-and-replay attacks. It sounds like you need to read more on application security, start with OWASP.
Actions

Go to original post