  • Jim Manico @ Kauai https://twitter.com/manicode   •   Mar 31
    How do you safely do this?

    HTTPS://site.com/data/ + protect(untrusted);

    URL encoding is not the answer, it still allows path traversal. Base64 encoding is not the answer, the + and / characters, legal in base64, can skew a URL.
    Aaron Parecki
    What kind of protection? A JWT could work there, it uses only URL safe characters, and is integrity protected. If you don't need integrity protection then just URL safe Base64 I guess
    American Airlines Flight 1986 DFW to PDX in Dallas, Texas • 82°F
    Fri, Mar 31, 2023 5:48pm -05:00
    1 like 4 replies
    • Jim Manico @ Kauai twitter.com/manicode
      Just looking for safely at time of url construction. Extraction, decoding and reuse in another url will require additional encoding.
      Fri, Mar 31, 2023 11:16pm +00:00 (via brid.gy)
    • Jim Manico @ Kauai twitter.com/manicode
      Most important use cases are sending data to a server that is added to a path for a REST request, SSRF weakness. Also, building dynamic URLs in templates and web UIs.
      Fri, Mar 31, 2023 11:01pm +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      Ultimately the question is where does the untrusted data come from and how is it used, because URL-safe-base64-encoding a "../" will just decode to "../" on the other side.
      Fri, Mar 31, 2023 11:00pm +00:00 (via brid.gy)
    • Jim Manico @ Kauai twitter.com/manicode
      SafeBase64 protects against path traversal or path manipulation where urlencoding and normal Base64 do not!
      Fri, Mar 31, 2023 10:50pm +00:00 (via brid.gy)
Posted in /replies using indigenous.abode.pub/ios
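The thread contrasts three ways of appending untrusted data to `https://site.com/data/`: percent-encoding (the dots in `../` survive, so a server that decodes before routing can still be traversed), URL-safe Base64 (the alphabet `[A-Za-z0-9_-]` cannot contain `/`, `.`, `?`, `#` or `%`, so the URL itself is safe to construct), and a signed token for integrity. It also makes Aaron's point that the receiver decodes the same `../` back out and must confine it. The following is an added example, not code posted by either participant; it assumes the base URL from the question, a constructed HMAC key, and a hypothetical base directory `/srv/data` on the receiving side. The signed variant is a payload-dot-tag construction with HMAC-SHA256, the same shape as a JWT minus the header, not a full JWT implementation.

```python
import base64
import hashlib
import hmac
import posixpath
import re
import urllib.parse

BASE_URL = "https://site.com/data/"              # base URL from the question
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_-]+")     # URL-safe base64 alphabet, no padding


def b64url_encode(raw: bytes) -> str:
    """URL-safe base64 without '=' padding: output uses only [A-Za-z0-9_-]."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Strict inverse: reject anything outside the alphabet before decoding."""
    if not SAFE_SEGMENT.fullmatch(segment):
        raise ValueError("segment contains characters outside the URL-safe alphabet")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_url_percent(untrusted: str) -> str:
    """Percent-encoding: '/' becomes %2F, but '.' is never encoded, so '../' survives."""
    return BASE_URL + urllib.parse.quote(untrusted, safe="")


def build_url_b64(untrusted: bytes) -> str:
    """URL-safe base64: the appended segment can never contain '/', '.', '?', '#' or '%'."""
    return BASE_URL + b64url_encode(untrusted)


def path_as_seen_by_decoding_server(url: str) -> str:
    """What a server that percent-decodes, then normalises, would resolve the path to."""
    decoded = urllib.parse.unquote(urllib.parse.urlsplit(url).path)
    return posixpath.normpath(decoded)


def sign_segment(untrusted: bytes, key: bytes) -> str:
    """payload '.' tag, both URL-safe base64; tag = HMAC-SHA256(key, payload).
    Same shape as a JWT (minus the header): URL-safe characters plus integrity."""
    payload = b64url_encode(untrusted)
    tag = b64url_encode(hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest())
    return f"{payload}.{tag}"


def verify_segment(token: str, key: bytes) -> bytes:
    """Recompute the tag and compare in constant time; return the original bytes."""
    payload, _, tag = token.partition(".")
    expected = b64url_encode(hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return b64url_decode(payload)


def resolve_under(base_dir: str, decoded: bytes) -> str:
    """Receiving side: the decoded value is the original '../' again, so encoding
    alone proves nothing here. Accept only a single path segment and confirm the
    normalised result stays under base_dir (hypothetical directory)."""
    name = decoded.decode("utf-8")
    if name in ("", ".", "..") or "/" in name:
        raise ValueError("decoded value is not a single path segment")
    root = base_dir.rstrip("/")
    path = posixpath.normpath(posixpath.join(root, name))
    if not path.startswith(root + "/"):
        raise ValueError("decoded value escapes the base directory")
    return path


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed for the example
    hostile = b"../secret"                   # constructed untrusted input
    print(build_url_percent(hostile.decode()))
    print(path_as_seen_by_decoding_server(build_url_percent(hostile.decode())))
    print(build_url_b64(hostile))
    print(path_as_seen_by_decoding_server(build_url_b64(hostile)))
    token = sign_segment(hostile, key)
    print(token, verify_segment(token, key))
```

The percent-encoded URL resolves to `/secret` on a server that decodes before normalising, while the Base64 URL stays under `/data/`. `verify_segment` still returns `b"../secret"`, which is why `resolve_under` exists: the encoding protects the URL you build, not the path the receiver builds from the decoded value.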
