Forum Discussion

refra_151287
Nov 11, 2015

URL Hashing OR URL decoding

I have an issue: we want to hash the URI (or encode it). In other words, I don't want the user to see the original URL that the server sent; we want the user to see just the decoded value. Is there any way to accomplish it without distorting the page?!

 

8 Replies

  • You understand that this will require you to rewrite every resource on the site that the server sends in its responses. This will not be an easy task. Any particular reason you want to do this? Would it be easier to sanitize specific data?

     

    • refra_151287
      It's a customer request. I offered all the changes he can use to protect the parameter or the URL, such as dynamic parameter tampering, URL flow, login enforcement, but he wants to encode the URL. Till now I don't know the reason for security reasons at the info sec team, and it's a financial firm. So I'm trying to encode the URI in the response and decode the request from the client, but I'm still at the beginning, so I'm asking if there's any iRule to accelerate the progress, even if it causes issues, just to convince them :)
    • Brad_Parker_139
      Security through obscurity is not security, it is just obscurity. With that said, I guess the customer is always right even when they aren't. Hashing the URL in and of itself provides no security, as you can still replay the hashed URL. One thing you could do that will provide security and hash the URL would be to use APM portal access. This will enforce logon and mask the "real" URL. Granted, it will still only be a base64-encoded URL. Maybe this will satisfy your customer's requirements.
    • refra_151287
      Thanks Brad, you're totally right, I shouldn't go the wrong way :)
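
An added Python example, not code from the thread or from F5: it shows the point in Brad_Parker_139's reply that an encoded URL can be decoded and replayed by anyone, next to a masked URL tied to one logged-on session with an HMAC tag. It goes beyond what the thread describes; the function names, the `/m/` prefix, the key, the session IDs and the sample URI are all assumptions made for illustration and say nothing about how APM portal access works internally.

```python
import base64
import hashlib
import hmac

PREFIX = "/m/"  # hypothetical path prefix marking a masked URI

def mask_b64(uri: str) -> str:
    """Encoding only: the masked form is the same URI in another alphabet."""
    return PREFIX + base64.urlsafe_b64encode(uri.encode()).decode().rstrip("=")

def unmask_b64(masked: str) -> str:
    """Needs no secret, so any client can do exactly what the proxy does."""
    token = masked[len(PREFIX):]
    token += "=" * (-len(token) % 4)  # restore the stripped padding
    return base64.urlsafe_b64decode(token).decode()

def _tag(uri: str, session_id: str, key: bytes) -> str:
    # Assumption: session IDs never contain '|', so the message is unambiguous.
    return hmac.new(key, f"{session_id}|{uri}".encode(), hashlib.sha256).hexdigest()

def mask_bound(uri: str, session_id: str, key: bytes) -> str:
    """Masked URI plus a tag that ties it to one logged-on session."""
    return f"{mask_b64(uri)}.{_tag(uri, session_id, key)}"

def unmask_bound(masked: str, session_id: str, key: bytes):
    """Return the real URI, or None if the tag does not match this session."""
    body, _, tag = masked.rpartition(".")
    if not body.startswith(PREFIX):
        return None
    try:
        uri = unmask_b64(body)
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    return uri if hmac.compare_digest(tag, _tag(uri, session_id, key)) else None

if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed, not a real secret
    real = "/accounts/transfer?acct=1001"    # constructed sample URI
    masked = mask_b64(real)
    print("encoded only:", masked, "->", unmask_b64(masked))
    bound = mask_bound(real, "session-A", key)
    print("same session :", unmask_bound(bound, "session-A", key))
    print("other session:", unmask_bound(bound, "session-B", key))
```
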