RE: Security


On 30 Nov 2002, at 23:15, C. K. Lester wrote:

> 
> > Yes, use a large enough number base, and a large enough number in that
> > base. For instance, if I attach the hidden POST form url with this numeral:
> > "er6yb2RTGWBD6trerBFSf6t78ERThgneRhnwwww456GWTq456BEFGqw4YB9nwrfgbwr673n5yUHb35r56b7tynjtr4678EGF67678mnyuy5678"
> > (base58), and I link it in my cgi to the ip block the customer came from,
> > and other info their browser supplied, how many crackers will be able to
> > guess the next client's numeral?
> 
> Can you make any link on the page send the query info (in this case, the
> really long ID)? You mention POST and I'm guessing that means you have to
> have a form...

Without POST, it's like

<a href="/nextpage.html?tag=er6yb2RTGWBD6trerBFSf6t78ERThgneRhnwwww456GWTq456BEFGqw4YB9nwrfgbwr673n5yUHb35r56b7tynjtr4678EGF67678mnyuy5678">Next Page</a>

I haven't tried this, I'm not terribly serious about it yet. Using POST would 
keep it out of the url windows, but I haven't attempted anything yet that 
worked. I suspect it's something in *nix or Apache, because I can't get the 
POST vars with the cgi program on the server. Orkim's emails are bouncing.

You might try a form, with everything hidden but the button itself.

Kat
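
The scheme discussed in this message, as an added example that is not part of the original post: a long random base58 numeral issued per client, linked server-side to the client's IP block and browser string, and delivered in a form with everything hidden but the button. The names `TokenStore`, `ip_block` and `hidden_form`, the Bitcoin-style base58 alphabet, and the /24 and /64 block sizes are assumptions made for illustration.

```python
import html
import ipaddress
import secrets

# Bitcoin-style base58 alphabet (assumption; the post only says "base58").
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    """Encode bytes as a base58 numeral, keeping leading zero bytes as '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\0"))
    return B58[0] * pad + out

def ip_block(addr: str) -> str:
    """Reduce a client address to its block: /24 for IPv4, /64 for IPv6 (assumed sizes)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

class TokenStore:
    """Server-side table linking each numeral to the client context it was issued to."""

    def __init__(self):
        self._ctx = {}

    def issue(self, addr: str, user_agent: str) -> str:
        # 256 bits from the OS CSPRNG, so the next client's numeral cannot be
        # derived from earlier ones (unlike a counter or timestamp).
        token = b58encode(secrets.token_bytes(32))
        self._ctx[token] = (ip_block(addr), user_agent)
        return token

    def check(self, token: str, addr: str, user_agent: str) -> bool:
        # Unknown numerals and numerals replayed from another context both fail.
        ctx = self._ctx.get(token)
        return ctx is not None and ctx == (ip_block(addr), user_agent)

def hidden_form(token: str, action: str = "/nextpage.html") -> str:
    """POST form with only the button visible; the numeral stays out of the URL."""
    return (f'<form method="post" action="{html.escape(action, quote=True)}">'
            f'<input type="hidden" name="tag" value="{token}">'
            f'<input type="submit" value="Next Page"></form>')
```
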
