
Tempered encryption causing Decrypt to crash

New Here, Oct 24, 2014

I have made an encryption of "auth" using AES as follows:

<cfset skey = generateSecretKey("AES")>
<cfset regkey = encrypt("auth", skey, "AES", "hex")>

I attached the result, for example, to a URL:

http://www.mydomain.com/authorization.htm?auth=34D3795AA3696B7F81AEFE414DCA7392FDCC50AFE9D0312B2B253...

(auth is assigned regkey, i.e. ...htm?auth=#regkey#)

This works perfectly under perfect conditions. However, if I go ahead and try to "hack" the code and make it shorter and change some characters like this:

http://www.mydomain.com/authorization.htm?auth=453424AEFE414DCA7392FDCC50AFE9D0312B2B2530A985386B83

The Decrypt function:

<cfset theword=decrypt(url.auth, skey, "AES", "hex")>

just crashes! It throws an exception. Isn't it supposed to just return a bad string rather than crashing? This is pretty bad.

Is there a way to check URL.auth before passing it to Decrypt? Thanks in advance.

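The question above asks for a way to check URL.auth before it reaches Decrypt. The tampered value in the post is 52 hex characters, i.e. 26 bytes, which is not a whole number of 16-byte AES blocks, so no AES decryption routine can accept it; shortening a hex ciphertext almost always produces exactly this kind of failure, and changing characters inside it produces garbage or a padding error instead. The following is an added example, not code from the thread or from ColdFusion itself, written in Python with only the standard library (it does not perform AES; it performs the checks that should run before decrypt is ever called). It assumes a constructed server-side MAC key and a constructed sample ciphertext; the tampered token is the one quoted in the post. The structural check catches truncation and non-hex input, and an HMAC-SHA256 tag appended to the hex ciphertext (encrypt-then-MAC) catches any substitution, so decrypt only ever sees bytes that the server produced:

```python
import hashlib
import hmac
import re

AES_BLOCK_BYTES = 16
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
MAC_HEX_LEN = 64  # HMAC-SHA256 digest is 32 bytes = 64 hex characters

# Constructed for this example: a key used only for the MAC, kept on the
# server and never placed in a URL. It is separate from the AES key.
MAC_KEY = b"constructed-server-side-mac-key"

# Constructed sample: one 16-byte block of "ciphertext" as hex.
SAMPLE_CIPHER_HEX = "00112233445566778899AABBCCDDEEFF"

# The shortened/altered value quoted in the post (26 bytes, not a block multiple).
TAMPERED_FROM_POST = "453424AEFE414DCA7392FDCC50AFE9D0312B2B2530A985386B83"


def looks_like_aes_hex(token: str) -> bool:
    """Cheap structural check: hex alphabet only, and a whole number of
    16-byte AES blocks. This rejects truncation and junk characters but
    cannot detect a same-length substitution; that needs the MAC below."""
    if not HEX_RE.match(token):
        return False
    return len(token) % (2 * AES_BLOCK_BYTES) == 0


def _tag(cipher_hex: str, mac_key: bytes) -> str:
    """HMAC-SHA256 over the upper-cased hex ciphertext, returned as upper hex."""
    return hmac.new(mac_key, cipher_hex.upper().encode("ascii"),
                    hashlib.sha256).hexdigest().upper()


def sign_token(cipher_hex: str, mac_key: bytes) -> str:
    """Encrypt-then-MAC: what the server would put in the URL instead of the
    bare ciphertext (ciphertext hex followed by its tag)."""
    cipher_hex = cipher_hex.upper()
    return cipher_hex + _tag(cipher_hex, mac_key)


def verify_token(signed: str, mac_key: bytes):
    """Return the ciphertext hex that is safe to hand to decrypt(), or None
    if the token is malformed, truncated, or fails the MAC. Nothing here
    raises on bad input, which is the behaviour the post was asking for."""
    if not isinstance(signed, str) or len(signed) <= MAC_HEX_LEN:
        return None
    if not HEX_RE.match(signed):
        return None
    cipher_hex, tag = signed[:-MAC_HEX_LEN], signed[-MAC_HEX_LEN:]
    # Constant-time comparison so tag checking does not leak timing.
    if not hmac.compare_digest(_tag(cipher_hex, mac_key), tag.upper()):
        return None
    if not looks_like_aes_hex(cipher_hex):
        return None
    return cipher_hex.upper()


if __name__ == "__main__":
    signed = sign_token(SAMPLE_CIPHER_HEX, MAC_KEY)
    print("signed token:", signed)
    print("verified     :", verify_token(signed, MAC_KEY))
    print("truncated    :", verify_token(signed[:-1], MAC_KEY))
    print("post's value :", looks_like_aes_hex(TAMPERED_FROM_POST))
```

With this in front of decrypt, a tampered or shortened parameter never reaches the crypto routine at all; the request can be answered with a plain "invalid link" page. The try/catch around decrypt is still worth keeping as a last line of defence for inputs that pass the checks but fail to decrypt.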

LEGEND, Oct 27, 2014

If I may be so bold to ask.. Why are you passing the encryption key in a URL string???  Is this strictly for learning/practicing?  You're not planning on doing that in a production environment, are you?

The CF9 docs don't say what is supposed to happen if the encrypted value is changed.  Place that inside a try/catch and have the issue details emailed to you.

HTH,

^_^

New Here, Oct 27, 2014

I am going to use it for at least a couple of things:

1. membership activation

2. email notifications, i.e. when a member receives an email they will be notified and, if they are signed in already, it will bring them to the message directly to reply

I tried try/catch but the exception is being intercepted by cferror.

LEGEND, Oct 28, 2014

I think I misunderstood your original question.  I was tired when I looked at your code samples.

If someone tries to change the encrypted URL parameters and error.cfm is NOT displaying anything other than a generic "something broke" message, but is emailing the details to the admin or developer, then there's really nothing to worry about.

As far as WHY that's happening, I don't know.  The Adobe docs for it don't indicate what is supposed to happen if the encrypted value is altered.

^_^

New Here, Oct 28, 2014

I can't believe no one thought of this all this time and Adobe not knowing about this. The Decrypt function should either return a decrypted string or return false if it can't do its job, and not just throw an exception. There can be other messages associated with the function to explain what the exception is. This is a very bad user experience.
