php-crypto-params Documentation



Similar documents
Online signature API. Terms used in this document. The API in brief. Version 0.20,

Performance Testing for Ajax Applications

Course Information Course Number: IWT 1229 Course Name: Web Development and Design Foundation

PHP Integration Kit. Version User Guide

Intrusion detection for web applications

A Tour of Silex and Symfony Components. Robert

Ciphermail Gateway PDF Encryption Setup Guide

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Web Application Security Assessment and Vulnerability Mitigation Tests

InternetVista Web scenario documentation

Webmail Using the Hush Encryption Engine

Web Application Security. Srikumar Venugopal S2, Week 8, 2013

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Implementation of Embedded Web server using TEA algorithm

Using the Tcl VFS for Encryption

Implementing Mobile Thin client Architecture For Enterprise Application

LICENSE4J LICENSE MANAGER USER GUIDE

Web development... the server side (of the force)

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

Web Security Considerations

Programming Autodesk PLM 360 Using REST. Doug Redmond Software Engineer, Autodesk

TIBCO ActiveMatrix BPM - Integration with Content Management Systems

A REST API for Arduino & the CC3000 WiFi Chip

XML Processing and Web Services. Chapter 17

Check list for web developers

SSO Eurécia. and external Applications. Purpose

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

Cloud Elements! Marketing Hub Provisioning and Usage Guide!

Hushmail Express Password Encryption in Hushmail. Brian Smith Hush Communications

From Georgia, with Love Win32/Georbot. Is someone trying to spy on Georgians?

Hack Proof Your Webapps

Implementation of Web Application Firewall

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Oracle Managed File Getting Started - Transfer FTP Server to File Table of Contents

Lab 7. Answer. Figure 1

Remote Administration

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

DOCUMENTS ON WEB OBJECTIVE QUESTIONS

7 Why Use Perl for CGI?

SmartTV User Interface Development for SmartTV using Web technology and CEA2014. George Sarosi

OpenLogin: PTA, SAML, and OAuth/OpenID

Cloud Elements ecommerce Hub Provisioning Guide API Version 2.0 BETA

Java Web Application Security

Dashlane Security Whitepaper

Detailed Specifications

Magento Security and Vulnerabilities. Roman Stepanov

Open-Xchange Guard Major Release v Feature Overview V1.4

Advanced Web Development SCOPE OF WEB DEVELOPMENT INDUSTRY

Virtual Machine Encryption Basics

Intro to Web Programming. using PHP, HTTP, CSS, and Javascript Layton Smith CSE 4000

Cyber Security Workshop Encryption Reference Manual

Dashboard Skin Tutorial. For ETS2 HTML5 Mobile Dashboard v3.0.2

CRM Developer Form

TO HACK AN ASP.NET WEBSITE?

Product Internationalization of a Document Management System

Forensic Decryption of FAT BitLocker Volumes

Art of Code Front-end Web Development Training Program

GravityLab Multimedia Inc. Windows Media Authentication Administration Guide

SiteCelerate white paper

CSE 373: Data Structure & Algorithms Lecture 25: Programming Languages. Nicki Dell Spring 2014

Authentication and Single Sign On

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Working With Virtual Hosts on Pramati Server

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

Web Application Security

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

Application security testing: Protecting your application and data

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

AppDev OnDemand Microsoft Development Learning Library

Enterprise Application Security Workshop Series

HP Business Process Monitor

Instructions on TLS/SSL Certificates on Yealink Phones

Ajax Development with ASP.NET 2.0

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Web Development using PHP (WD_PHP) Duration 1.5 months

Mobility Information Series

The Top Web Application Attacks: Are you vulnerable?

TIBCO ActiveMatrix BPM Integration with Content Management Systems Software Release September 2013

vcloud Air Platform Programmer's Guide

Attacking MongoDB. Firstov Mihail

DIPLOMA IN WEBDEVELOPMENT

Junos Space. Junos Space Security Director Restful Web Services API Reference. Modified: Copyright 2016, Juniper Networks, Inc.

Qualtrics Single Sign-On Specification

Thick Client Application Security

Chapter 17. Transport-Level Security

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

The Migmap project: technical aspects

IBM Watson Ecosystem. Getting Started Guide

Performance Testing Web 2.0

TCP/IP Networking, Part 2: Web-Based Control

Advanced Encryption Standard (AES) User's Guide

Protection, Usability and Improvements in Reflected XSS Filters

IE Class Web Design Curriculum

AUDIT REPORT EXAMPLE

Web Security: Encryption & Authentication

OAuth2lib. implementation

Reading an sent with Voltage Secur . Using the Voltage Secur Zero Download Messenger (ZDM)

Cross Site Scripting in Joomla Acajoom Component

Configuring SSL Termination

socketio Documentation

Transcription:

php-crypto-params Documentation Release 1.0.0 Gian Luca Dalla Torre January 17, 2016

Contents 1 Purpose 3 2 How it works 5 2.1 Documentation.............................................. 5 i

ii

php-crypto-params Documentation, Release 1.0.0 Utility function to encrypt - decrypt string using AES symmetric algorithm that is compatible with crypto-js. Contents 1

php-crypto-params Documentation, Release 1.0.0 2 Contents

CHAPTER 1 Purpose Harvesting data on the web has become an easy task. Often, to obtain data stored into a database, a simple script loops on a numeric query parameter (called usually id) embedded into an URL and it donwloads a lot of useful data. Another weakness on sites are Javascript config files that holds JSON with valuable data. Last but not least, AJAX call contains a lot of information and, if unprotected, they can easily looped to obtain all their contents. How to prevent these flaws? Maybe if the query string or the data is encrypted a lot of those scripts will not work... 3

php-crypto-params Documentation, Release 1.0.0 4 Chapter 1. Purpose

CHAPTER 2 How it works The \CryptoParams\CryptoParams class provide methods to encrypt and decrypt strings using AES algorithm 1. This way query parameters (but also JSON responses) can be obfuscated and read only by the possessors of the encryption key. This particular implementation, inspired by marcoslin gist is compatible with crypto-js 2 ; this mean that a parameter encoded by a HTTP server could be read by Javascript. The only caveat is to share (or at least to obfuscate) the key (and the initialization vector) in a safely manner. If the parameter is only on query string, only the server can translate them (since the key is not exposed), avoiding obnoxious looping scripts that harvest the data. 2.1 Documentation 2.1.1 Installation This storage is hosted on Packagist. It can be easily installed configuring Composer: { } "require": { "torre76/php-crypto-params": "1.0.*" } 2.1.2 Usage To initialize the encryption - decryption system, the \\CryptoParams\\CryptoParams class is used: <?php require DIR. '/vendor/autoload.php'; $cp = new \CryptoParams\CryptoParams(); The initialization without parameters auto generate a 32 bytes key and a 32 bytes initialization vector (as per AES specification). The generated values are available through these properties: 1 AES is a symmetric encryption - decryption algorithm based on a 32 bytes shared key (and a shared Initialization Vector) that can obfuscate parameters and data. 2 Starting from this GIST, sooner I will implement the Javascript version of this algorithm to allow the reading of data sent from the server directly in HTML pages. 5

php-crypto-params Documentation, Release 1.0.0 key iv \\CryptoParams\\CryptoParams class accept custom key and initialization vector though the properties above and using the constructor: <?php require DIR. '/vendor/autoload.php'; $cp = new \CryptoParams\CryptoParams("d0540d01397444a5f368185bfcb5b66b", "a1e1eb2a20241234a1e1eb2a202 The requisites to use custom key and initialization vector are: key must be a 32 bytes string written in hexadecimal base (it is not meant to be human readable) initialization vector must be a 32 bytes string written in hexadecimal base (it is not meant to be human readable) If those requirements are not met a \\CryptoParams\\CryptoParamsException exception will be raised. Once the class has been initialized, a string could be encrypted using encrypt(value) method: <?php require DIR. '/vendor/autoload.php'; $cp = new \CryptoParams\CryptoParams("d0540d01397444a5f368185bfcb5b66b", "a1e1eb2a20241234a1e1eb2a202 $encrypted = $cp->encrypt("aieiebrazorf"); // $encrypted contains "iw8qzzewpwrn0npnoowu3a==" This function returns a Base64 encoded string ready to be used into query strings. To decrypt a Base64 encoded string with data the method used is decrypt(value): <?php require DIR. '/vendor/autoload.php'; $cp = new \CryptoParams\CryptoParams("d0540d01397444a5f368185bfcb5b66b", "a1e1eb2a20241234a1e1eb2a202 $decrypted = $cp->decrypt("iw8qzzewpwrn0npnoowu3a=="); // $decrypted contains "aieiebrazorf" It is possibile to encrypt and decrypt complex data transofming them into string such as JSON. Everything that can be serialized to a string can be encrypted and decrypted: <?php require DIR. '/vendor/autoload.php'; $cp = new \CryptoParams\CryptoParams("d0540d01397444a5f368185bfcb5b66b", "a1e1eb2a20241234a1e1eb2a202 $data = array(); $data["id"] = 1; $data["description"] = "Description"; $buffer = json_encode($data); $encrypted = $cp->encrypt($buffer); $buffer = $cp->decrypt($encrypted); $data = json_decode($buffer, FALSE); // $data->id contains 1 // $data->description contains "Description" 6 Chapter 2. How it works

php-crypto-params Documentation, Release 1.0.0 2.1.3 Source and License Source can be found on GitHub with its included license. 2.1. Documentation 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information