HttpModule for query string encryption - Form Action problem

rfazendeiro (Centurion, joined Mar 8, 2004, 110 messages)
Hello!

I wrote an HttpModule for query string encryption so I could just encrypt the query string automatically when submitting pages and decrypt it back (automatically too).

I have this up and running and it works perfectly for the query string, but I ran into a problem. With a simple application like Fiddler I could see the request made by the website and I had a little surprise. The Form Action property was plain text, so with very little work anyone could just see the actual query string decrypted.

I've been looking around but still haven't found a solution. How can I encrypt the Form Action too?

Thank you all
 
I'm not sure if there is anything you can do without going to HTTPS/SSL and buying a certificate from a CA such as Thawte, or Entrust, or one of those.
 
Thank you for the response.

Then why the hell encrypt a query string?? Just to keep normal users from messing with the URL? Those users are not the problem, and a more curious user easily analyses the requests.

There's got to be a way to encode the form action.
 
If you need to protect the data the user enters then I think Nate Bross is right. HTTPS is your best bet. Any sort of client-side code to encrypt it before posting the form is going to be easy to reverse engineer.

Could you explain more about what you are trying to encrypt, as I don't understand how you can be using an HttpModule to encrypt the query string before submitting the form.
 
Well, HTTPS I think is a little too much for what I need.

I'm just trying to implement some extra security so that users can't change the URL so easily.

Imagine this URL:

http://someurl.com/product.aspx?productid=4&categoryid=3

So I want to encrypt this query string so the user can't play around with the IDs of products and categories.

So what I did was implement an HttpModule:

Code:
    using System;
    using System.Web;

    public class QueryStringModule : IHttpModule
    {
        public void Dispose()
        {
            // Nothing to dispose
        }

        public void Init(HttpApplication context)
        {
            // Hook every request before the page handler runs.
            context.BeginRequest += context_BeginRequest;
        }

        // The keys will not be here. Just to illustrate my point
        private const string PARAMETER_NAME = "enc=";
        private const string ENCRYPTION_KEY = "key";

        void context_BeginRequest(object sender, EventArgs e)
        {
            HttpContext context = HttpContext.Current;
            // Only handle .aspx requests that carry a query string.
            if (context.Request.Url.OriginalString.Contains("aspx") && context.Request.RawUrl.Contains("?"))
            {
                string query = ExtractQuery(context.Request.RawUrl);
                string path = GetVirtualPath();

                if (query.StartsWith(PARAMETER_NAME, StringComparison.OrdinalIgnoreCase))
                {
                    // Decrypts the query string and rewrites the path.
                    string rawQuery = query.Replace(PARAMETER_NAME, string.Empty);
                    string decryptedQuery = Decrypt(rawQuery);
                    context.RewritePath(path, string.Empty, decryptedQuery);
                }
                else if (context.Request.HttpMethod == "GET" || context.Request.HttpMethod == "POST")
                {
                    // Encrypts the query string and redirects to the encrypted URL.
                    // Remove if you don't want all query strings to be encrypted automatically.
                    string encryptedQuery = Encrypt(query);
                    context.Response.Redirect(path + encryptedQuery);
                }
            }
        }

        // ExtractQuery, GetVirtualPath, Encrypt and Decrypt are the module's own
        // helper methods; they were not included in the post.
    }

Since this is a legacy website and it's not a very good idea to mess around with it, an HttpModule seemed to me the best solution, since it encrypts and decrypts the query string "automatically".

However, like I said in previous posts, the Form Action continues to be in plain text. I would like to prevent this, or find some other solution (not involving HTTPS).

Thank you all
My best regards
 
I've been playing around with the idea of adding a checksum to the end of the query string.

The idea is to take a key plus the IDs from the query string, encrypt it and add it at the end of the QS.

So a URL would be something like this:

http://someurl.com/product.aspx?enc=fSDFRGsdfsfsd23"$23WQEq21sadasDA$WADasd&checksum=SSADssd233

(The enc value in the query string was totally random, typed by me. It's just an example.)

So even if the user sees the Form Action and tries to change the values, I will always check the checksum and see if the QS was changed.

And maybe it's a good idea to hide the checksum inside the enc so the user won't even know it's there. And since I only add the checksum in the HttpModule, it won't be visible in the Form Action.
 
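An added example of the "checksum" idea from the post above, written for this page and not code from the thread or from rfazendeiro's module. It uses a keyed HMAC-SHA256 in place of a plain checksum: the key stays on the server, so a user who reads the plaintext IDs out of the Form Action still cannot produce a valid signature for changed values. Assumptions: a hypothetical `sig` parameter that the module appends last, a demo key generated at startup (a real deployment loads it from protected configuration), and the query string signed exactly as it is sent; it compiles on .NET Framework 4.x or .NET 6+.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread: an HMAC-SHA256 "checksum" over the
// query string, verified server-side before the values are trusted.
// Assumptions: the key is a server-side secret (generated here for the demo),
// the signature travels in a hypothetical "sig" parameter that the module
// appends last, and the query string is signed exactly as it will be sent.
public static class SignedQuery
{
    private const string SigParam = "&sig=";

    // Appends &sig=<hex HMAC-SHA256(key, query)> to e.g. "productid=4&categoryid=3".
    public static string Sign(string query, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(query));
            return query + SigParam + BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant();
        }
    }

    // Returns the unsigned query if the signature is valid, otherwise null.
    // Any change to the signed part (values, parameter order, added or removed
    // parameters) changes the MAC, so the request is rejected.
    public static string Verify(string signedQuery, byte[] key)
    {
        int idx = signedQuery.LastIndexOf(SigParam, StringComparison.Ordinal);
        if (idx < 0) return null;

        string query = signedQuery.Substring(0, idx);
        byte[] presented = FromHex(signedQuery.Substring(idx + SigParam.Length));
        if (presented == null) return null;

        using (var hmac = new HMACSHA256(key))
        {
            byte[] expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(query));
            return FixedTimeEquals(expected, presented) ? query : null;
        }
    }

    // Compare without early exit so timing does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static byte[] FromHex(string hex)
    {
        if (hex.Length == 0 || hex.Length % 2 != 0) return null;
        var bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
        {
            if (!byte.TryParse(hex.Substring(2 * i, 2), NumberStyles.HexNumber,
                               CultureInfo.InvariantCulture, out bytes[i]))
                return null;
        }
        return bytes;
    }

    public static void Main()
    {
        // Demo key only; in production load it from protected configuration.
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);

        string signed = Sign("productid=4&categoryid=3", key);
        Console.WriteLine(signed);
        Console.WriteLine("unchanged: " + (Verify(signed, key) != null ? "accepted" : "rejected"));

        // A user who read the ids out of the form action and edited one of them.
        string tampered = signed.Replace("productid=4", "productid=5");
        Console.WriteLine("tampered:  " + (Verify(tampered, key) != null ? "accepted" : "rejected"));

        // Stripping the signature altogether is rejected too.
        Console.WriteLine("no sig:    " + (Verify("productid=4&categoryid=3", key) != null ? "accepted" : "rejected"));
    }
}
```

Inside an HttpModule like the one posted earlier, `Sign` would run where the module builds the outbound URL and `Verify` where it currently decrypts, with a null result turned into a rejected request rather than a rewrite. Because the signature covers the whole query string, reordering, dropping or adding a parameter fails in the same way as editing a value; a signature alone gives integrity, which is what this thread is after, while encryption on its own does not stop a client from submitting a modified ciphertext.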
That will still only give you security through obscurity...

If your desired result is only to prevent the user from tampering with URLs, this, IMO, is sufficient.

Just so that you know, it's not nearly as good as HTTPS/SSL.
 
Yes, I just need to prevent the user from playing with URLs. I know that HTTPS/SSL is the way to go if I need "full protection", but for what I need it's a little overkill.

Thanks for all the replies and help.
 
If you do not want the user to be able to mess with query strings then perhaps query strings are not the solution; either session state or postback fields may be a better choice.
 
The idea of encrypting the URL to prevent the user modifying it is, as Nate says, security through obscurity, and any links in your website that accidentally exposed the real argument names would render it completely useless.
If you really need security for your site I think you'd have to use ASP.NET security and authorisation. You'll find it a lot more secure and well supported.

If you only want to store some information in the page that users cannot alter or see then the view state would be the ideal candidate for this, which is encrypted by default.

@Nate. HTTPS wouldn't prevent the client altering the URL/Form values. It would only stop a 3rd party getting access to it. I 'think' in this case rfazendeiro doesn't trust his users.
 
Well, the problem, as I said, is that this website is legacy and no one really wants to mess around with it because it's really big and sensitive to changes (nice words to say it was poorly constructed).

So this solution that I found for automatic encryption/decryption was a way to not have to mess with the code already written.

Normally I just use, like you guys said, session state and view state to hide sensitive information, but in this case the refactoring was too big and, as always, there was too little time to do it :/

Thanks guys for the replies. Was really useful.
 