Passing values to URL, security measures

Question

I'm using JavaScript to pass a value into a URL for another page. What security measures should I take/use so that this can't be manipulated in a bad way?

Here's what I'm doing:

window.location = "post.php?value=" + $("input").val();

Thanks!

Answer 1

The only thing you could do is to implement a proper & complete server side validation to root out invalid values.

Never trust anything from the client always do server side validation

Answer 2

It is hard to say exactly what you are trying to secure against but I would suggest the following if possible.

Any time you have a value that could be manipulated by the user, do server side checking on that value. This is not limited to only values input by the user, but any a clever person could change in the code or by other means. The best type of check is to limit it to an exact known value. If it doesn't match exactly, don't use it.

Depending on what data you are dealing with, looser server side filters for problematic characters may be acceptable rather than limiting to strict exact values.

Answer 3

From the sending end, make sure the value is encoded. URL encode AND escape characters like "&", "+", "/", etc. This is more for correctness than security.

Then on the receiving end, make sure the value that's sent is not tempered with. You should "clean" the input so that it's rid of injection risks. In addition, you can authenticate the value by using a salted hash, or a "private key". Let's pick the key "abc".

The sender is sending the value 123, but it'll also send an authentication token:

?value=abc&auth=XXXX

where XXXX is calculated as md5('abc123');

The receiving end also knows this shared secret 'abc', so it compares its own hash calculation against the claimed $auth value.

If the value is tempered with, the hash will be calculated differently, and the receiver can reject such request. This technique is common in cross-server/RPC services.

Hope this helps.