Curious to know how to protect my link's GET parameters in an email from manipulation. This code will be running server side to generate a URL for an email:

    const url = new URL('https://e.dev.example.com')
    
    url.search = new URLSearchParams({
      url: 'https://dev.case.example.com/case/61914',
      user: 21,
      medium: 'email',
      id: 'foobar-123'
    })
    
    console.log(url.toString())

Are there any good existing solutions to sort the parameters (i.e. make them canonical) or encapsulate them somehow, hash the contents and then add that (short) hash to verify the payload later?

hendry

2 Answers

I do not think there is any standardized solution for the same. I guess it all comes down to the security (preventing manipulation) and workload (processing speed complexity) for hashing. Both are generally a trade-off and you would like to make a decision, which to compromise with.

As for a generalized way of sending params, I guess JSON is the most widely accepted and easy to manipulate format nowadays. Serializing a JSON object, followed by hashing would be a good way to send data via URL.

Kindly refer to this link to know more about the same.

Penguine

If you create the link in JavaScript as above, you can't prevent manipulation, because anything needed to create the link is available to JavaScript, i.e. the user. In that case, your user can create a link with arbitrary parameters, and just create the hash for it the same as your JavaScript would.

If you create the link server-side, that's a different story. You can then canonicalize parameter representation (e.g. put them in alphabetical order, which would probably be the easiest), and add a MAC (message authentication code) based on a server-side secret to ensure authenticity. One good algorithm for such a purpose would be HMAC. This way, when parameters are again sent to the server, you can check (based on the secret again) that there was no tampering.

If you also want to hide parameters, you can use authenticated encryption.

Also be aware that doing this will be open to replay attacks, i.e. somebody having a link at one time can use it anytime later, unless some protection (a nonce, or a timestamp) is in place.

And again, you cannot do this on the client-side only, links need to be generated on the server, based on some kind of message authentication mechanism and a server-side secret.

Gabor Lengyel
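
The server-side scheme described in the answer above (sort the parameters into a canonical form, add an HMAC keyed with a server-side secret, include a timestamp to limit replay), as an added example for Node.js that is not part of the original answers. The function names, the `exp` and `sig` parameter names and the demo key are assumptions made for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto')

// Constructed demo key (assumption): a real key is random and loaded from
// server-side secret storage, never shipped to the client.
const SECRET = 'constructed-demo-key-not-for-production'

// Canonical form: every parameter except `sig`, sorted by name then value,
// serialized by URLSearchParams so the percent-encoding is unambiguous.
function canonicalize(params) {
  const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0)
  const pairs = [...params].filter(([name]) => name !== 'sig')
  pairs.sort(([ak, av], [bk, bv]) => cmp(ak, bk) || cmp(av, bv))
  return new URLSearchParams(pairs).toString()
}

function mac(canonical, secret) {
  return createHmac('sha256', secret).update(canonical).digest('base64url')
}

// Build the e-mail link: add an expiry (Unix seconds), then the HMAC tag.
function signUrl(base, fields, secret, ttlSeconds, now = Date.now()) {
  const url = new URL(base)
  const params = new URLSearchParams(fields)
  params.set('exp', String(Math.floor(now / 1000) + ttlSeconds))
  params.set('sig', mac(canonicalize(params), secret))
  url.search = params.toString()
  return url.toString()
}

// Returns the verified parameters as an object, or null if the link was
// altered, signed with another key, or has expired.
function verifyUrl(link, secret, now = Date.now()) {
  const params = new URL(link).searchParams
  const given = Buffer.from(params.get('sig') || '')
  const expected = Buffer.from(mac(canonicalize(params), secret))
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null
  const exp = Number(params.get('exp'))
  if (!Number.isInteger(exp) || exp * 1000 < now) return null
  params.delete('sig')
  return Object.fromEntries(params)
}
```

The expiry only bounds how long a captured link stays valid; a link that must work exactly once needs a nonce that the server stores and marks as used.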