Known Participant
October 24, 2014
Question

Tempered encryption causing Decrypt to crash


I have made an encryption of "auth" using AES as follows:

<cfset skey = generateSecretKey("AES")>
<cfset regkey = encrypt("auth", skey, "AES", "hex")>

I attached the result, for example, to a URL:

http://www.mydomain.com/authorization.htm?auth=34D3795AA3696B7F81AEFE414DCA7392FDCC50AFE9D0312B2B2530A985386B83

(auth is assigned regkey, i.e. ...htm?auth=#regkey#)

This works perfectly under perfect conditions.  However, if I go ahead and try to "hack" the code and make it shorter and change some characters like this:

http://www.mydomain.com/authorization.htm?auth=453424AEFE414DCA7392FDCC50AFE9D0312B2B2530A985386B83

The Decrypt function:

<cfset theword=decrypt(url.auth, skey, "AES", "hex")>

just crashes! It throws an exception. Isn't it supposed to just return a bad string rather than crashing?  This is pretty bad.

Is there a way to check URL.auth before passing it to Decrypt?  Thanks in advance.
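One way to check URL.auth before decrypt() ever sees it, as an added example that is not from the original thread: the hex ciphertext is authenticated with an HMAC, so a shortened or edited auth value is rejected by the tag check instead of reaching decrypt() and throwing. It assumes ColdFusion 10 or later for hmac(), and that the two keys are generated once and kept server-side (e.g. in the application scope) rather than regenerated per request.

```cfml
<cfscript>
// Added example (not code from the original thread). Assumes ColdFusion 10+ for hmac().
// Two independent keys: one for AES, one for the HMAC that authenticates the token.
// In practice both are generated once and stored server-side (application scope);
// regenerating them per request makes every earlier token undecryptable.
encKey = generateSecretKey("AES");
macKey = generateSecretKey("AES");

// Build the value that goes into the URL: <hex ciphertext>.<hex HMAC-SHA256 of the ciphertext>
function makeAuthToken(required string plainText) {
    var cipherHex = encrypt(arguments.plainText, encKey, "AES", "hex");
    var tag = hmac(cipherHex, macKey, "HMACSHA256", "UTF-8");
    return cipherHex & "." & tag;
}

// Validate URL.auth before decrypt(). Returns the plaintext, or "" if the token is not trusted.
function readAuthToken(required string token) {
    // Structural checks: exactly two dot-separated parts, both hex, ciphertext block-aligned
    // (AES blocks are 16 bytes = 32 hex characters), tag is 32 bytes = 64 hex characters.
    if (listLen(arguments.token, ".", true) != 2) return "";
    var cipherHex = listFirst(arguments.token, ".");
    var tag = listLast(arguments.token, ".");
    if (!reFind("^[0-9A-Fa-f]+$", cipherHex) || len(cipherHex) mod 32 != 0) return "";
    if (!reFind("^[0-9A-Fa-f]{64}$", tag)) return "";
    // Recompute the tag; any change to the ciphertext (shortening, edited characters)
    // changes it, so a tampered token is rejected here and decrypt() is never called.
    // compareNoCase() is not constant-time; a fixed-time comparison is preferable if available.
    var expected = hmac(cipherHex, macKey, "HMACSHA256", "UTF-8");
    if (compareNoCase(expected, tag) != 0) return "";
    return decrypt(cipherHex, encKey, "AES", "hex");
}

good = makeAuthToken("auth");
// The shortened ciphertext from the question, paired with the valid tag: fails the length
// check (52 hex characters is not a multiple of 32) and would fail the HMAC check anyway.
tampered = "453424AEFE414DCA7392FDCC50AFE9D0312B2B2530A985386B83." & listLast(good, ".");

writeOutput("good token -> [" & readAuthToken(good) & "]<br>");
writeOutput("tampered token -> [" & readAuthToken(tampered) & "]<br>");
</cfscript>
```

The try/catch around decrypt() is still worth keeping for block-aligned garbage that somehow carries a valid tag, but with the HMAC check in front of it that path should never be reached by a modified URL.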



WolfShade
Legend
October 27, 2014

If I may be so bold as to ask... Why are you passing the encryption key in a URL string???  Is this strictly for learning/practicing?  You're not planning on doing that in a production environment, are you?

The CF9 docs don't say what is supposed to happen if the encrypted value is changed.  Place that inside a try/catch and have the issue details emailed to you.

HTH,

^_^

jackhuang (Author)
Known Participant
October 27, 2014

I am going to use it for at least a couple of things:

1. membership activation

2. email notifications, i.e. when a member receives an email they will be notified, and if they are signed in already, it will bring them to the message directly to reply

I tried try/catch, but the exception is being intercepted by cferror.

WolfShade
Legend
October 28, 2014

I think I misunderstood your original question.  I was tired when I looked at your code samples.

If someone tries to change the encrypted URL parameters and error.cfm is NOT displaying anything other than a generic "something broke" message, but is emailing the details to the admin or developer, then there's really nothing to worry about.

As far as WHY that's happening, I don't know.  The Adobe docs for it don't indicate what is supposed to happen if the encrypted value is altered.

^_^