rfazendeiro (posted November 26, 2008, edited): Hello! I wrote a HttpModule for query string encryption so I could just encrypt the querystring automatically when submitting pages and decrypt it back (automatically too). I have this up and running and it works perfectly for the querystring, but I came into a problem. With a simple application like Fiddler I could see the request made by the website and I had a little surprise. The Form Action property was plain text, so with very little work anyone could just see the actual query string decrypted. I've been looking around but still haven't found a solution. How can I encrypt the Form Action too? Thank you all.
Nate Bross (posted November 26, 2008): I'm not sure if there is anything you can do without going to HTTPS/SSL and buying a certificate from a CA such as Thawte, or Entrust, or one of those.
~Nate
Please use the [vb]/[cs] tags on posted code. Please post solutions you find somewhere else. Follow me on Twitter.
rfazendeiro (posted November 27, 2008, author): Thank you for the response. Then why the hell encrypt a querystring?? Just to keep the normal users from messing with the URL? Those users are not the problem, and a more curious user easily analyses the requests. There's got to be a way to encode the form action.
JohnsHandle (posted December 3, 2008): If you need to protect the data the user enters then I think Nate Bross is right. HTTPS is your best bet. Any sort of client side code to encrypt it before posting the form is going to be easy to reverse engineer. Could you explain more about what you are trying to encrypt, as I don't understand how you can be using a HttpModule to encrypt the query string before submitting the form.
rfazendeiro (posted December 9, 2008, author): Well, HTTPS I think is a little too much for what I need. I'm just trying to implement an extra security so that users can't change the URL so easily. Imagine this URL: http://someurl.com/product.aspx?productid=4&categoryid=3 So I want to encrypt this querystring so the user can't play around with the IDs from products and category. So what I did was implement a HttpModule:

```csharp
using System;
using System.Web;

public class QueryStringModule : IHttpModule
{
    public void Dispose()
    {
        // Nothing to dispose
    }

    public void Init(HttpApplication context)
    {
        context.BeginRequest += context_BeginRequest;
    }

    // The keys will not be here. Just to illustrate my point
    private const string PARAMETER_NAME = "enc=";
    private const string ENCRYPTION_KEY = "key";

    void context_BeginRequest(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;
        if (context.Request.Url.OriginalString.Contains("aspx") && context.Request.RawUrl.Contains("?"))
        {
            string query = ExtractQuery(context.Request.RawUrl);
            string path = GetVirtualPath();
            if (query.StartsWith(PARAMETER_NAME, StringComparison.OrdinalIgnoreCase))
            {
                // Decrypts the query string and rewrites the path.
                // Strip only the leading "enc=" prefix rather than every occurrence of it.
                string rawQuery = query.Substring(PARAMETER_NAME.Length);
                string decryptedQuery = Decrypt(rawQuery);
                context.RewritePath(path, string.Empty, decryptedQuery);
            }
            else if (context.Request.HttpMethod == "GET" || context.Request.HttpMethod == "POST")
            {
                // Encrypt the query string and redirects to the encrypted URL.
                // Remove if you don't want all query strings to be encrypted automatically.
                // The redirect target must carry the "?enc=" prefix, otherwise the decrypt
                // branch above never matches on the next request.
                // Note: a redirect turns a POST into a GET and drops the posted form body.
                string encryptedQuery = Encrypt(query);
                context.Response.Redirect(path + "?" + PARAMETER_NAME + encryptedQuery);
            }
        }
    }

    // Everything after the '?' in the raw URL.
    private static string ExtractQuery(string rawUrl)
    {
        return rawUrl.Substring(rawUrl.IndexOf('?') + 1);
    }

    // The request path without its query string.
    private static string GetVirtualPath()
    {
        return HttpContext.Current.Request.Path;
    }

    // Encrypt(string) and Decrypt(string) were not included in the post.
}
```

Since this is a legacy website and not a very good idea to mess around with it, HttpModule seemed to me the best solution since it encrypts and decrypts the querystring "automatically". However, like I said in previous posts, the Form Action continues to be in plain text. I would like to prevent this, or find some other solution (not involving HTTPS). Thank you all. My best regards.
Nate Bross (posted December 9, 2008): I could be wrong, but I believe that HTTPS/SSL is the only way to encrypt the Form Action.
rfazendeiro (posted December 9, 2008, author): I've been playing around with an idea of adding a checksum to the end of the querystring. The idea is using a key plus the IDs of the querystring, encrypting it and adding it at the end of the QS. So a URL would be something like this: http://someurl.com/product.aspx?enc=fSDFRGsdfsfsd23"$23WQEq21sadasDA$WADasd&checksum=SSADssd233 (the enc values in the querystring were totally random, made up by me. It's just an example.) So even if the user sees the FORM Action and tries to change the values, I will always check the checksum and see if the QS was changed. And maybe it's a good idea to hide the checksum inside the enc so the user won't even know it's there. And since I only add the checksum in the HttpModule it won't be visible in the Form Action.
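A worked version of that checksum idea, added here as an example and not code from the thread or from rfazendeiro's module: an HMAC-SHA256 tag over the query string, verified server-side with a constant-time comparison, so an edited productid is rejected rather than merely hidden. The SignedQueryString class, its Sign/Verify methods and the sig parameter name are assumptions; the key is a server-side secret loaded from configuration, never the page's "key" constant.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the thread): an HMAC-SHA256 tag over the query
// string lets the server detect edits to productid/categoryid even though the
// parameters stay readable in the Form Action. HMACSHA256 ships with .NET Framework 2.0+.
public static class SignedQueryString
{
    private const string SigName = "sig";

    // The key lives only on the server (e.g. web.config), never in the page.
    public static string Sign(string query, byte[] key)
    {
        return query + "&" + SigName + "=" + ComputeTag(query, key);
    }

    // Returns the original query when the tag verifies, otherwise null.
    public static string Verify(string signedQuery, byte[] key)
    {
        string marker = "&" + SigName + "=";
        int idx = signedQuery.LastIndexOf(marker, StringComparison.Ordinal);
        if (idx < 0) return null;                      // tag missing: reject
        string query = signedQuery.Substring(0, idx);
        string presented = signedQuery.Substring(idx + marker.Length);
        string expected = ComputeTag(query, key);
        return FixedTimeEquals(expected, presented) ? query : null;
    }

    private static string ComputeTag(string query, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(query));
            return BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant(); // hex, URL-safe
        }
    }

    // Compare every character so timing does not leak how much of the tag matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Sign("productid=4&categoryid=3", key) returns the same query with &sig= and 64 hex characters appended; Verify on that string returns the original query, and returns null once productid is changed to 5 or the tag is removed. The tag can equally be computed over the enc= ciphertext, so the module's redirect URL can carry both.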
Nate Bross (posted December 9, 2008): That will still only give you security through obscurity... If your desired result is only to prevent users from tampering with URLs, this, IMO, is sufficient. Just so that you know, it's not nearly as good as HTTPS/SSL.
rfazendeiro (posted December 10, 2008, author): Yes, I just need to prevent users from playing with URLs. I know that HTTPS/SSL is the way to go if I need "full protection" but for what I need it's a little overkill. Thanks for all the replies and help.
PlausiblyDamp, Administrator (posted December 10, 2008): If you do not want the user to be able to mess with query strings then perhaps query strings are not the solution; either session state or post back fields may be a better choice.
Intellectuals solve problems; geniuses prevent them. -- Albert Einstein
JohnsHandle (posted December 10, 2008): The idea of encrypting the URL to prevent the user modifying it is, as Nate says, security through obscurity, and any links in your website that accidentally exposed the real argument names would render it completely useless. If you really need security for your site I think you'd have to use ASP.NET security and authorisation. You'll find it a lot more secure and well supported. If you only want to store some information in the page that users can not alter or see then the view state would be the ideal candidate for this, which is encrypted by default. @Nate: HTTPS wouldn't prevent the client altering the URL/Form values. It would only stop a 3rd party getting access to it. I "think" in this case rfazendeiro doesn't trust his users.
rfazendeiro (posted December 11, 2008, author): Well, the problem, as I said, is that this website is legacy and no one really wants to mess around with it because it's really big and sensitive to changes (nice words to say it was poorly constructed). So this solution that I found for automatic encryption/decryption was a way to not have to mess with the code already written. Normally I just use, like you guys said, session state and view state to hide sensitive information, but in this case the refactoring was too big and, as always, too little time to do it :/ Thanks guys for the replies. Was really useful.