4.5.18 Manage URL
This is a trade secret that will not be trademarked or patented as that would publish this intellectual property.   The URL is the primary criminal attack vector and it must be protected in every possible way.
Three kinds of URL are deployed:-
1. Public web pages have a traditional URL with 5 parameters.
2. Private web pages have an encrypted URL that is secret.
3. Private web pages in debug-mode have a traditional URL with 7 parameters.
4. Very Private web pages have an encrypted URL that is secret.

WPG table
Data WPG is a list of authorized web pages - every web page must have a valid WPG entry.
A web page is identified by:-
1. Page number as 4 or 6 digits.
2. Subject as up to 32 alpha characters with underscores.
3. Function name.
4. Token of 8 digits that identifies this web page.
5. Other data includes icon, usage and date last used.

Readability:
The page number in the public and private URL can be read for reference only.   If the readable page number is changed, other data will identify the change and show the home page.

Big Data:
It must be assumed that certain agencies may be able to view HTTPS encrypted communications.   The accumulation of URL data over a long period of time must NOT give such an agency a means to attack and access business data.   URL design must be (1) unique each day and (2) unique for each authorized person so big data analysis does not show an attack vector.

Private URL:
A private URL is a string of 64 or more digits.   Embedded in the 64 digits are:-   (1) Web Page Number and matching (2) WPG key.   Foreign (3) key and (4) link code that implies the foreign key number.   (5) Action code and (6) time of day.   Multiple interleaved (7+8) CRCs.   By implication, the (9) date and (10) user key are built into the CRC mechanism.
Various obfuscation methods are used to fragment and scramble the data.   Eliza has a single function that knows how to encrypt and decrypt the private URL.   Specific reports and services may append other data or may post hidden data.
Factors:
The URL for the same web page is unique each day.   A URL has a maximum life of one hour before it will expire - encryption changes with time.   The URL for a web page used at 10:00 will be very different to the URL for the same web page used at 11:00.   The web page number is readable within the URL but if it is changed, the URL will be rejected.

Public Web Page URL:
1. While a public web page URL is quite readable, all four parameters must match a valid WPG web page entry.   If any part of the URL is changed so the data does not match, the home page will be shown.
2. Public web pages (except sign-in) may be bookmarked or added to favourites.   While the public URL includes the date, the date is only checked by the sign-in procedure.
3. This public web page URL is only suitable for private web sites that are not advertised to search engines.   Public web pages take resources to dynamically create the HTML as and when needed.

Permanent Web Page URL:
1. A special business requirement is to publish information for 20, 50 or more years - a web page URL that can be reused by other parties for decades.   The only solution is the "p=subject" method where one parameter specifies a readable subject name that has no reason to change for decades.
2. For example: "www.on-as.co.uk&p=eliza" can be published permanently with other web sites reusing the same link.   People will try many subjects that they dream up, so for such guessing it is proposed to reply with anything except an error message.   This is a specialized area that needs care, diligence and continual monitoring to prevent attack - a dedicated web server may be justified by risk.
3. Processing time can be minimised by storing HTML web pages as files by subject name - no dynamic data is involved.   HTML web pages may be generated from time to time from normal 4GL statements, but this is an off-line batch procedure.   It is reasonable to deploy HTML in-line style clauses so external style and script files can be avoided.
4. The only attack vector is the URL and the web server system software - no database needs to be involved - no sessions.   A simplistic web log may be written, but knowledge of guest access has little commercial benefit.

Private Web Page URL:
The private URL is a string of digits that must not be changed in any way - every digit is checked.
The encryption methods used include the date so a URL created one day will be invalid any other day.
Encryption only exists to ensure that no part of the URL is changed in any way - if anything is changed only the home page is shown.

Debug Mode:
A special debug-mode may be enabled to cause the private URL to switch to a public-like URL with 7 readable parameters.   This mode is only available to ASP engineers with a one hour expiry time.

Encryption:
Triple interleaved Cyclic Redundancy Checks (CRC) are deployed to ensure that a URL is not changed.   Parameters that need to be passed in the URL are replicated in different ways and tokenized so they are represented as digits.   If one of the replicated parameters is changed, it will be different to the other and the person is shown the home page and is blacklisted.   Parameters are fragmented and scrambled to cause the URL to appear meaningless.   Multiple weighted (polynomial) CRC parameters are included in the digital string.   A URL used by one person is totally different to the URL for the same web page when used by a different person.
The effect is that URL errors that are accidental or by-design are eliminated.   The only error message is that the home page is shown.
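
The properties described above for a private URL (every digit checked, date and user key implied rather than sent, one hour life, home page as the only failure response) can be shown in a short added example. It is not Eliza's code: it uses HMAC-SHA256, a standard keyed integrity check, in place of the undisclosed interleaved CRC scheme, and the field widths, `SERVER_KEY` and function names are assumptions.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-secret"  # assumption: secret held only by the server
MAX_AGE = 3600                            # one-hour life, as the page states
HOME = "home"                             # the only failure response is the home page


def _tag(fields: str, user_key: str, day: int) -> str:
    """33-digit keyed tag; the date and user key are mixed in but never sent."""
    msg = f"{fields}|{user_key}|{day}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:16], "big") % 10**33).zfill(33)


def make_url(page, wpg_token, fkey, action, user_key, now):
    """64 digits: page(6) token(8) fkey(10) action(2) time-of-day(5) tag(33)."""
    day, tod = divmod(int(now), 86400)
    fields = f"{page:06d}{wpg_token:08d}{fkey:010d}{action:02d}{tod:05d}"
    if len(fields) != 31 or not fields.isdigit():
        raise ValueError("field does not fit the fixed layout")
    return fields + _tag(fields, user_key, day)


def check_url(url, user_key, now):
    """Return the decoded fields, or HOME if any digit changed or the URL expired."""
    if len(url) != 64 or not (url.isascii() and url.isdigit()):
        return HOME
    fields, tag = url[:31], url[31:]
    day, tod = divmod(int(now), 86400)
    # Recompute with today's date and this user's key; constant-time compare.
    if not hmac.compare_digest(tag, _tag(fields, user_key, day)):
        return HOME
    if not 0 <= tod - int(fields[26:31]) <= MAX_AGE:
        return HOME
    return {"page": int(fields[0:6]), "token": int(fields[6:14]),
            "fkey": int(fields[14:24]), "action": int(fields[24:26])}
```

The page number stays readable in the first six digits, but changing it, or any other digit, makes the recomputed tag differ and the caller receives only `HOME`.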

Private List URL:
The business requirement is to generate a private URL to link from a list to a form passing the key of the selected record.   The solution is to generate a special kind of URL that is constant for all rows in the list and the primary key of the selected record is appended for each row.   Rather than doing unique encryption for each row, a generic URL is created and modified to match the requirements of each row.   This is an AJAX call that puts the resulting form in a container - a basically secure design that is only able to be changed with the appended primary key.

URL Manager:
Criminals know that security vulnerabilities can be found in how the URL is constructed and used so the Architect has directed that all URL creation must be undertaken by the URL Manager and no other way.   The URL manager is a common function that is always available - it must be used to create any URL link.
The URL manager supports the following options:
(1) Type of URL.
(2) Page number.
(3) Linkage code.

Public URL:
Public web pages do not need any special encryption so normal URL parameters are used.
A typical public web page may use the following parameters:
(1) c0 is URL type identifier.
(2) c1 is page identifier.
(3) c2 is subject name.
(4) c3 is page number.
(5) c4 is function name.
(6) c5 is optional.
Where any URL parameter is changed in any way, the home page is shown.
The public URL is stable and may be bookmarked and saved as a favourite.   The public URL may be saved as a desktop link and may be emailed to others as a reference link.

Security Rules:
No application is permitted to create a URL - only the URL Manager is permitted to create a URL.
The URL Manager encodes a suitable URL and marks it so it may be decoded when it arrives at the web server to be processed.
The same URL manager both encodes and decodes the URL to ensure that no criminal tampering has taken place.

Private URL:
Many kinds of encrypted URL strings are used to provide adequate levels of security at different parts of a private application.
In general, a private URL is a long string of encrypted numbers and characters without parameters.
A private URL is not stable, is ever changing and cannot be bookmarked or stored as a favourite.
If the private URL is criminally changed, the user account is blacklisted and cannot sign-in again to try again.
Private URL creation involves triple interleaved encryption with several layers of Encrypted Hash Functions (EHF).
Rather than only using one encryption method, several layers of different encryption methods are used so if any one encryption method is cracked, other methods continue to provide first class security.

Blacklist:
To prevent criminals from trying many times to crack private URL encryption - one criminal change to the URL will cause the private sign-in profile to be blacklisted.
A person is only blacklisted after they have signed-in and then criminally altered the encrypted URL.   The blacklisted person is simply no longer able to sign-in - they are always shown the home page.   This ensures that the person cannot try other criminal attacks - one try and they are blacklisted without any warning.

Select-List
When a search character is entered, an AJAX function will show a matching list of records.   Each record in the list has a URL that includes the record primary key.
A problem was that the "Manage URL" function would select the page number for each row in the list when the page number is always the same.   An upgrade has been designed to enable the primary key of each list record to be different while the page number is the same.

WPG table
wpg1 has a primary key on field c01 for update purposes.
SELECT $fields FROM wpg1 WHERE c27=$page AND c02=ACT AND c26=$app LIMIT 1
Where the order of these conditions may be relevant
wpg1 has an index key as "c27key" on field c27 as the 4 digit page number - this is an 11% overhead in space.
An index on field c26 size 8 with only 4 possible application code values serves very little purpose because c27 is generally unique.
An index on field c02 size 8 with only 3 possible active/inactive values serves very little purpose because c27 is generally unique.
No other type of record is stored in the WPG table so selection using c14, c15 or c16 serves no purpose.

Select WPG:
Within the "pdos 1001 Manage URL" function (in 1001 "index") is a call to "pdos 5000 db get webpage" using a $link page number.
This function returns $c2_webpage_array as a global with all the important WPG fields.
1. As an improvement, $c2_webpage_array with a zero key has been added to hold the $link key page number.
2. As an improvement, if the $link key is equal to the array key zero, then the array already holds all the data needed and the function can return without making an extra select on WPG.

db get webpage
This function is in "pdos 0200 db function.c2" that is included by application top for all transactions.
A change from function number 5000 to 0200 is in progress.

WPG Extra
The WPG table is unique in that c40 is an INT(4) field definition that enables an UPDATE request to increment page usage without the need to select the value first.
c27 is the page number - this is (can be) int(4) field so its index can be optimized in size.

Benefit:
Each search list would make at least 12 selects on the WPG table to make the URL for each row.
Now the get webpage function can identify when the page number is the same and avoid making a select on WPG.
The trivial cost is that the $link string of up to 12 characters is stored in the webpage array.   The cost is two lines of code in "pdos 5000 db get webpage" function without any structural change.

Function Prefix Policy
Infrastructure (c2) functions have a name prefix as "pdos" as a consistent identification method.
All infrastructure function names are lower case with underscores between words - plural words are avoided.

Function Number Policy
Infrastructure (c2) functions are to be numbered from 0001 to 0999.
4GL application (ll) functions are to be numbered from 1001 to 9999.

Sanitation Function:
Criminals know that security vulnerabilities can be found wherever data is entered and so the application architect has directed that all data entry without exception must only be permitted into the application via the sanitation function.   The sanitation function is a common function that is always available - it must be used to process any GET or POST input data.
The sanitation function supports the following options:
(1) Minimum length of input value as an integer value from 0 to 999.
(2) Maximum length of input value as an integer value from 0 to 999.
(3) Edit code as up to 8 characters - see implemented rules.
(4) Input mode as post or get - GET is not permitted within a private secure application.
(5) Name of input field - placeholder is typically 5 or 8 characters.
(6) Label of input field - descriptive field usage.

Security Rules:
No application is permitted to process input data except when it has been processed and cleaned by the sanitation function.
Applications are easily scanned to detect and replace any GET or POST used in error or for testing purposes - no exceptions are permitted for any reason.
GET may be used for public web pages but must not be used for any private application - too easy to fake.

Edit Rules:
1. TEXT edit code is an exception with potential low data quality.
2. TEXT-COD is a 3 character upper case code that may be supported as a reference option.
3. TEXT-PHO is a phone number or value that may have a leading zero.
4. TEXT-EMA is an email address with a special format that does not have spaces.
5. TEXT-PGM is a subject name with lower case alpha and underscores, but no other symbols or numbers.
6. TEXT-NAM is a person's name with alpha, hyphen, apostrophe and spaces, but not numbers or other symbols.
7. TEXT-IDS is a product code as upper case alpha or numeric, but no spaces or other symbols.
8. TEXTHTML is basic HTML edited text supporting break, list and bold.
9. INT is an integer number and all other characters and symbols are removed.
10. DEC is a decimal number with decimal point - all other characters and symbols are removed.
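
One way to implement the sanitation options and edit rules above, as an added example that is not the Eliza function itself. Assumptions: the `sanitize` name and signature, the exact regular expressions (with "alpha" read as ASCII letters), and that TEXT-* codes refuse non-matching input while INT and DEC strip it as the rules state; the field name and label options, used only for messages, and the unrestricted TEXT code are left out.

```python
import html
import re

# Assumed reading of the edit rules; refused input returns None.
PATTERNS = {
    "TEXT-COD": r"[A-Z]{3}",                  # 3 character upper case code
    "TEXT-PHO": r"\+?[0-9][0-9 ]*",           # kept as text so a leading zero survives
    "TEXT-EMA": r"[^\s@]+@[^\s@]+\.[^\s@]+",  # no spaces anywhere
    "TEXT-PGM": r"[a-z_]+",                   # lower case alpha and underscores
    "TEXT-NAM": r"[A-Za-z' -]+",              # alpha, hyphen, apostrophe, space
    "TEXT-IDS": r"[A-Z0-9]+",                 # upper case alpha or numeric
}
ALLOWED_TAGS = ("br", "b", "ul", "ol", "li")  # break, list and bold


def sanitize(raw, min_len, max_len, edit, mode, private=True):
    """Return the cleaned value, or None if the input must be refused."""
    if mode not in ("post", "get") or (private and mode == "get"):
        return None                            # GET is not permitted in private apps
    if edit == "INT":
        value = re.sub(r"[^0-9]", "", raw)     # all other characters are removed
    elif edit == "DEC":
        value = re.sub(r"[^0-9.]", "", raw)
        if value.count(".") > 1:
            return None
    elif edit == "TEXTHTML":
        value = html.escape(raw, quote=True)   # neutralise every tag first
        for tag in ALLOWED_TAGS:               # then restore bare allowed tags only
            value = re.sub(rf"&lt;(/?){tag}&gt;", rf"<\g<1>{tag}>", value)
    elif edit in PATTERNS:
        value = raw.strip()
        if not re.fullmatch(PATTERNS[edit], value):
            return None
    else:
        return None                            # unknown edit code
    return value if min_len <= len(value) <= max_len else None
```

Tags carrying attributes never match the restore pattern, so for TEXTHTML only attribute-free break, list and bold tags reach the page unescaped.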