20

Before anyone jumps in and says, "Oh!! that's a bad idea", I know it is.

I want both the keys and the values in the query string to be not easily visible to the end user. I have something like this: google.com/?category=textile&user=user1 and I need to make it unintelligible, like this: google.com/?kasjdhfkashasdfsf32423

Is there any way to achieve this in JavaScript? I have already seen this and this,

but I don't think encoding will solve the problem. Also, this code is entirely on the client side. I know that it is not secure, but I just need a naive, weak defense. Please help.

Edit

I apologize if my question was not clear earlier.

The URL google.com/?category=textile&user=user1 is being passed on from a different application.

The values passed in the query string directly control what is displayed to the user. As is, anyone with no technical knowledge can easily change the value and view the data corresponding to a different category or user. I need to make this unintelligible so that it is not obvious. If a user is a techie and figures out the encryption used, then it is fine. I need a stop-gap solution until we have a better architecture in place.

Brad
Raghav
  • What is the data you're trying to protect? Can you just submit a form so that values are only passed in the HTTP body? And yes, it is a bad idea; your URLs won't be friendly. – Ruan Mendes Nov 06 '13 at 18:07
  • Why are you thinking of JavaScript for this? It's really a matter of generating the scrambled URLs and then responding to them on the server side. What is your backend technology? – Renato Zannon Nov 06 '13 at 18:07
  • Oh!! that's a bad idea ;-) – Artur Nov 06 '13 at 18:10
  • You could use base64. – Lorenz Meyer Nov 06 '13 at 18:10
  • _"I just need a naive, weak defense"_ Then how about `google.com/?pay_no_attention_to_this_stuff_to_the_right&category=textile&user=user1` – j08691 Nov 06 '13 at 18:11
  • URL rewriting, or just put a =1 at the end and look at the QS keys in the response. The sad thing is anyone can figure out what is happening if they know how to read the code that generates it. – epascarello Nov 06 '13 at 18:11
  • Defense against what? What kind of data are you trying to secure? Why not simply use a POST so that values aren't part of the URL at all? Do not forget that knowing a resource's URL doesn't matter as long as access to the resource itself is secured. – plalx Nov 06 '13 at 18:13
  • It's very bad for SEO. I am desperate to know in which circumstances anyone would choose this methodology. – Voonic Nov 06 '13 at 18:15
  • Better say what you are trying to accomplish and people here will give you a better solution. – Artur Nov 06 '13 at 18:15
  • @Artur The solution will be TLS; JavaScript in the browser cannot be made secure without it (unless the certificate store or other trust store is made available). – Maarten Bodewes Nov 06 '13 at 18:28
  • @Artur +1 for the comment "Oh!! that's a bad idea ;-)" – Raghav Nov 06 '13 at 19:34
  • One of the benefits of friendly URLs is that you can edit them by hand and access a different resource. Please don't break that by adding fake security. If the user does type something they shouldn't see, they should get a security error; otherwise, let them see what they want. Fix the problem now, don't create a stopgap solution. – Ruan Mendes Nov 07 '13 at 19:16
  • For people who can't fathom a purpose for this, I am using it for a simple procedural puzzle game. It's a side project/proof of concept, so I don't need real security yet, but I need people to be able to share links without the links giving away the answers. As long as obfuscation is the actual goal, and not security (and you know the difference), there are plenty of use cases for this question. – theaceofthespade Apr 21 '20 at 02:04
  • I have replaced "encrypt/decrypt" in the title with "encode/decode", as this post may potentially mislead people into believing that the accepted answer using ROT47 is encryption (it isn't). – Brad Oct 04 '22 at 20:14

2 Answers

36

You can use base64. JavaScript has native functions to do that:

alert(btoa("category=textile&user=user1")); // ==> Y2F0ZWdvcnk9dGV4dGlsZSZ1c2VyPXVzZXIx

and to reverse it :

alert(atob("Y2F0ZWdvcnk9dGV4dGlsZSZ1c2VyPXVzZXIx")); // ==> category=textile&user=user1

Be careful to read the docs if you have Unicode strings; it's a little different: https://developer.mozilla.org/en-US/docs/Web/API/Window.btoa

Sebastien C.
  • atob and btoa functions are not supported in IE8 and IE9. – Raghav Nov 08 '13 at 20:21
  • You can easily find a polyfill for IE. – Sebastien C. Nov 08 '13 at 21:06
  • @sebcap26, you are awesome, man!! Thanks a ton. I was struggling to resolve an issue in my webpage. Now it's working great. But the issue was sending a string (which has lots of single and double quotes) as a parameter to the function. I was trying to escape those quotes but couldn't achieve it. Finally encrypted and decrypted the string. LOL ... thanks once again. – Breen ho Feb 05 '14 at 13:07
  • base64 is not encryption, it's encoding :/ – Husam Jun 26 '16 at 02:19
  • There are so many online tools that can decode base64, so the data is not secure at all. I don't recommend base64. – billcyz Sep 29 '17 at 08:08
10

If you aren't looking for serious, strong crypto, you can use ROT13:

http://en.wikipedia.org/wiki/ROT13

This is enough to slightly obfuscate the keys/values in your URLs.

olegarch
  • Thanks. This seems fine for my purpose, except that it displays numbers as-is. – Raghav Nov 06 '13 at 22:14
  • If you need something a little stronger, and to "encrypt" numbers too, I suggest using Rot47: http://rot47.net/ – olegarch Nov 07 '13 at 00:12
  • This served the purpose and I was able to encrypt numbers also. Thanks for the solution. I would have gone with base64 encoding if it were natively supported. – Raghav Nov 08 '13 at 20:23
  • Rot47 vs base64 has 3 advantages: 1. Not well-known, so a little more difficult to decrypt by standard tools and ideas. 2. Does not increase string length. 3. The encode and decode procedures are the same; so enc = rot47(msg); dec = rot47(enc); dec == msg; – olegarch Nov 08 '13 at 21:45
  • Doesn't rot47 generate characters that are not allowed in URLs? – Piotr Perak Oct 08 '14 at 08:01
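The answer links to ROT13 and the comments move on to ROT47 without showing either, and the last comment raises the real practical problem: ROT47 rotates the whole printable ASCII range, so its output contains '=', ':', '@', '`' and other characters that are reserved or unsafe in a URL. The following is an added example, not code from the original answer or the comments: both rotations implemented as self-inverse functions, a check that shows ROT13 leaves digits untouched while ROT47 does not (the point of Raghav's comment), and the percent-encoding step a ROT47 token needs before it can be placed in a query string. The hostname is constructed for the example. As the edited title says, neither rotation is encryption.

```javascript
// Added example (not from the original answer): ROT13 and ROT47 as self-inverse
// substitution ciphers, plus the URL caveat from the comments. ROT47 maps the
// printable ASCII range '!' (33) .. '~' (126) onto itself, so its output includes
// characters such as '=', ':', '@', '#', '&' and '`' that are reserved or unsafe in a
// URL and must be percent-encoded before use in a query string. Neither is encryption.

function rot13(s) {
  // Only letters move; digits and punctuation pass through unchanged.
  return s.replace(/[a-z]/gi, (ch) => {
    const base = ch <= "Z" ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

function rot47(s) {
  // Shift every printable ASCII character by 47, wrapping within the 94-character
  // range; space and non-ASCII characters pass through. 47 is half of 94, so
  // applying the function twice restores the input.
  let out = "";
  for (const ch of s) {
    const code = ch.charCodeAt(0);
    out += code >= 33 && code <= 126 ? String.fromCharCode(33 + ((code - 33 + 47) % 94)) : ch;
  }
  return out;
}

// RFC 3986 "unreserved" characters: the only ones that can appear in a query
// component with no escaping under any interpretation.
const URL_UNRESERVED = /^[A-Za-z0-9\-._~]*$/;

function needsPercentEncoding(s) {
  return !URL_UNRESERVED.test(s);
}

function rot47Url(base, query) {
  // encodeURIComponent escapes the reserved characters ROT47 introduces.
  return `${base}?${encodeURIComponent(rot47(query))}`;
}

function readRot47Url(url) {
  // Undo the percent-encoding, then apply ROT47 again (it is its own inverse).
  return rot47(decodeURIComponent(url.slice(url.indexOf("?") + 1)));
}

// Constructed sample input, the same query string as in the question.
const query = "category=textile&user=user1";
const sampleUrl = rot47Url("https://example.com/", query);

console.log(rot13(query));          // digits survive: "...=hfre1"
console.log(rot47(query));          // raw token, not yet URL-safe
console.log(needsPercentEncoding(rot47(query)));
console.log(sampleUrl);
console.log(readRot47Url(sampleUrl));
```

Note that the token length is unchanged, as olegarch's comment says, but only before percent-encoding: once the reserved characters are escaped the URL grows by two characters per escaped byte, which erodes the length advantage over Base64.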