
Encoding for security

IP.com Disclosure Number: IPCOM000033916D
Original Publication Date: 2005-Jan-04
Included in the Prior Art Database: 2005-Jan-04
Document File: 1 page(s) / 38K

Publishing Venue

IBM

Abstract

This encoding for security helps solve a security problem that arises when an HTML page is generated on an application server.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 58% of the total text.


Numerous security problems on Internet sites come from variables included in Web pages. The generated Web pages include data such as the user name or the user's account information. Developers are generally trusting and include the user name as-is in the Web page, for instance in the following way:

Bonjour <jsp:getProperty name="nom"/>!

In fact, an attacker can insert specific characters into the user name in order to obtain confidential data.

The Web pages displayed by browsers use the HTML format to describe the different presentation styles, the scripts to execute, and links to other pages. Depending on where a variable of the application is included, a specific encoding adapted to that context has to be applied. This encoding filters (escapes) the characters that would be interpreted differently by the browser in that part of the HTML page. The variables are included in the pages with tags that are new for this format; these tags are converted in the application server before the page is returned to the browser.

Different techniques exist today, but they do not take the inclusion context into account. With these existing techniques, the variables are included without any treatment. This enables attackers to generate Web pages containing particular data that allows, for instance, hijacking the Internet user's session. For instance, if an attacker gives a variable of the application the value:

               <script>alert(document.cookie)</script> he can access the user's session ticket to tak...
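The context-specific encoding described in the two paragraphs above, as an added example that is not the disclosure's own code (the disclosure describes a JSP tag mechanism; this is a minimal Python renderer written for illustration). The tag names `<enc:html>`, `<enc:attr>`, `<enc:js>` and `<enc:url>` are hypothetical, one per inclusion context, and `render_unsafe` stands in for the existing techniques that include the variable without any treatment. The template and the user-name values are constructed for the example; the payload is the one quoted on the page.

```python
"""Context-aware output encoding for server-generated HTML pages.

Added example, not code from the IBM disclosure. The <enc:...> tags,
the encoder names and the template are assumptions made for illustration.
"""
import re
from urllib.parse import quote


def encode_html(value: str) -> str:
    """HTML text context: & < > " ' become entities so no tag can start."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#x27;"))


def encode_attr(value: str) -> str:
    """Quoted HTML attribute context: every non-ASCII-alphanumeric
    character becomes a numeric entity, so the value cannot close the
    quote or add a new attribute."""
    return "".join(c if (c.isascii() and c.isalnum()) else f"&#x{ord(c):X};"
                   for c in value)


def encode_js(value: str) -> str:
    """JavaScript string-literal context: \\xHH / \\uHHHH escapes, so the
    value cannot terminate the literal or the enclosing <script> block."""
    out = []
    for c in value:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 256:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)


def encode_url(value: str) -> str:
    """URL query-parameter context: percent-encode everything."""
    return quote(value, safe="")


# One encoder per inclusion context; the tag name selects the context.
ENCODERS = {"html": encode_html, "attr": encode_attr,
            "js": encode_js, "url": encode_url}

# Hypothetical server-side tag: <enc:CONTEXT name="VARIABLE"/>
TAG_RE = re.compile(
    r'<enc:(html|attr|js|url)\s+name="([A-Za-z_][A-Za-z0-9_]*)"\s*/>')


def render(template: str, variables: dict) -> str:
    """Convert each tag on the server, applying the encoder for its context."""
    def repl(m):
        context, name = m.group(1), m.group(2)
        return ENCODERS[context](str(variables[name]))
    return TAG_RE.sub(repl, template)


def render_unsafe(template: str, variables: dict) -> str:
    """The existing technique: the variable is inserted without treatment."""
    return TAG_RE.sub(lambda m: str(variables[m.group(2)]), template)


# Constructed template: the same user name in four different contexts.
TEMPLATE = (
    'Bonjour <enc:html name="nom"/>!\n'
    '<input value="<enc:attr name="nom"/>">\n'
    "<script>var user = '<enc:js name=\"nom\"/>';</script>\n"
    '<a href="/profile?user=<enc:url name="nom"/>">profile</a>'
)

# The attacker-supplied user name quoted on the page.
PAYLOAD = "<script>alert(document.cookie)</script>"


def payload_executes(page: str) -> bool:
    """True if the attacker's script appears verbatim in the generated page."""
    return "<script>alert(document.cookie)</script>" in page


if __name__ == "__main__":
    print("--- without treatment ---")
    print(render_unsafe(TEMPLATE, {"nom": PAYLOAD}))
    print("--- with context-specific encoding ---")
    print(render(TEMPLATE, {"nom": PAYLOAD}))
```

The point of the tag-per-context design is that the template author names where the value lands and the server picks the matching encoder; a single "HTML escape" applied everywhere would leave the JavaScript-string and URL contexts exploitable. The four encoders above cover quoted text, quoted attributes, quoted JS string literals and URL parameters only; a value placed in an unquoted attribute, in a `style` block, or as raw JavaScript code has no safe encoding and should not be templated at all.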