URL Encryption in ASP.NET

Sudhakarj21

Security is one of the key concerns in web applications. To maintain state we use many mechanisms, and the query string is one of them. If the query string holds sensitive data, it may lead to SQL injection, or to access to another user's data simply by editing the query string.


Introduction

Let's consider a simple web site with a page that shows employee details, including personal information such as the Social Security Number. This page is used only by HR or by the particular employee: an employee sees only his own data, and the employee ID is carried in the query string.

What happens if I change the query string from ID=1 to ID=2? I will be able to see another employee's details, which is a security issue.

Below are sample URLs of the Employee page:

http://test/Employee.asp?ID=1
http://test/Employee.asp?ID=2

Etc. Anyone can change the ID in the query string. To avoid this, we use different ways of keeping the ID in Session or some other place the end user cannot change. If you want to keep using the query string to maintain state, the details below show how to protect it with encryption.

Query String Encryption


Query string encryption has two parts: we encrypt the URL, and we rewrite the incoming URL with the decrypted one. We could place this logic in Global.asax and handle it in the Begin Request and End Request events, but let's use an HttpModule instead, which can easily be plugged into any application.

The diagram below illustrates this concept.

As shown in the above diagram, the user only ever sees an encrypted string, which is not in a readable format. Below are the steps performed by the URL encryption module.

Begin Request Event

• Validates the query string
• Decrypts the query string
• Rewrites the URL path so that the page can use the query string in the normal way

End Request Event

• Encrypts the query string, if any, and writes the encrypted URL to the response during a redirect
• We also need to update the form's action attribute at page level to support postback: the URL reference in the page action must point to the encrypted one.

Below is the sample code to do it.


Http Module

using System;
using System.Web;

// Query string encryption module. Encrypt and Decrypt are static members of this class;
// their bodies ship in the downloadable source rather than on this page.
public class QuertStringModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        context.BeginRequest += new EventHandler(context_BeginRequest);
        context.EndRequest += new EventHandler(context_EndRequest);
    }

    public void Dispose()
    {
    }

    // End Request: if the page is redirecting, replace the redirect target with its encrypted form
    void context_EndRequest(object sender, EventArgs e)
    {
        HttpResponse response = HttpContext.Current.Response;
        if (response.IsRequestBeingRedirected)
        {
            response.RedirectLocation = Encrypt(response.RedirectLocation);
            response.ClearContent();
        }
    }

    // Begin Request: accept only encrypted query strings ("?value=..."), decrypt them and
    // rewrite the path so the page reads Request.QueryString["ID"] as usual;
    // any other query string is rejected
    void context_BeginRequest(object sender, EventArgs e)
    {
        string url = HttpContext.Current.Request.Url.ToString();
        if (url.Contains("?value"))
        {
            HttpContext.Current.RewritePath(Decrypt(url));
        }
        else if (url.Contains("?"))
        {
            throw new HttpException("Not Valid Request");
        }
    }
}

Page (Form.Action is supported only from .NET 3.5 SP1; use Form.Attributes["action"] in earlier versions)

Form.Action = QuertStringModule.Encrypt(Request.Url.ToString());
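The Encrypt and Decrypt methods the module calls are not shown on this page. The following is an added example, not the author's code, of a pair that also covers the "Validates the Query String" step: AES-CBC with an HMAC-SHA256 tag, so a token the user has altered is rejected before decryption instead of being turned into a forged ID. The class name QuertStringModuleCrypto, the hard-coded keys and the choice to have Decrypt return an application path for RewritePath are my assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example: Encrypt/Decrypt for the module above (the article's own versions are in its attachment).
public static class QuertStringModuleCrypto
{
    // Assumption: real deployments load both keys from protected configuration; these constants only make the sample self-contained.
    static readonly byte[] EncKey = Encoding.ASCII.GetBytes("0123456789abcdef0123456789abcdef"); // 32 bytes: AES-256
    static readonly byte[] MacKey = Encoding.ASCII.GetBytes("fedcba9876543210fedcba9876543210"); // HMAC-SHA256 key

    // "http://test/Employee.aspx?ID=1" -> "http://test/Employee.aspx?value=<token>"
    public static string Encrypt(string url)
    {
        int q = url.IndexOf('?');
        if (q < 0) return url;                                    // nothing to protect
        byte[] plain = Encoding.UTF8.GetBytes(url.Substring(q + 1));
        byte[] iv, cipher;
        using (var aes = Aes.Create())                            // CBC + PKCS7 by default
        {
            aes.Key = EncKey; aes.GenerateIV(); iv = aes.IV;      // fresh IV per token
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
        }
        byte[] blob = new byte[16 + cipher.Length + 32];          // IV | ciphertext | HMAC tag
        Buffer.BlockCopy(iv, 0, blob, 0, 16);
        Buffer.BlockCopy(cipher, 0, blob, 16, cipher.Length);
        using (var mac = new HMACSHA256(MacKey))                  // encrypt-then-MAC
            Buffer.BlockCopy(mac.ComputeHash(blob, 0, 16 + cipher.Length), 0, blob, 16 + cipher.Length, 32);
        return url.Substring(0, q) + "?value=" + Uri.EscapeDataString(Convert.ToBase64String(blob));
    }

    // "http://test/Employee.aspx?value=<token>" -> "/Employee.aspx?ID=1", ready for RewritePath.
    // Throws before decrypting if the token was altered, so BeginRequest never sees a forged ID.
    public static string Decrypt(string url)
    {
        int q = url.IndexOf("?value=", StringComparison.Ordinal);
        if (q < 0) throw new CryptographicException("no encrypted query");
        byte[] blob = Convert.FromBase64String(Uri.UnescapeDataString(url.Substring(q + 7)));
        if (blob.Length < 64) throw new CryptographicException("token too short");
        int n = blob.Length - 32;                                 // tag starts here
        byte[] expected;
        using (var mac = new HMACSHA256(MacKey)) expected = mac.ComputeHash(blob, 0, n);
        int diff = 0; for (int i = 0; i < 32; i++) diff |= blob[n + i] ^ expected[i]; // no early exit
        if (diff != 0) throw new CryptographicException("token altered");
        byte[] iv = new byte[16]; Buffer.BlockCopy(blob, 0, iv, 0, 16);
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(EncKey, iv))
            return new Uri(url).AbsolutePath + "?" + Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, 16, n - 16));
    }
}
```

An unforgeable token only proves that the server generated the link; the Employee page should still check that the current user is allowed to view the decrypted ID.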


Config Changes

<httpModules>
   <add name="QuertStringModule" type="QuertStringModule"/>
   ….
  </httpModules>

Conclusion

Below is the HTTP trace for a simple scenario where Default.aspx redirects to Employee.aspx?ID=1.

Below is the action content of the Employee.aspx page.


ID=1 is never exposed to the user, and the data is protected in all these scenarios. If you want to use this in production, check other requests as well: this sample code only handles .aspx requests, and you may need to extend it to cover images and other resource types.


About the Author

Sudhakarj21
Full Name: Sudhakar Kottapalli
Member Level: Bronze
Member Status: Member
Member Since: 10/5/2009 7:05:50 AM

Comments or Responses

Posted by: Schatak on: 12/4/2010 | Points: 25
Nice article,
but I have a question:
where do I get a reference to the Encrypt and Decrypt methods?
Please help
Posted by: Schatak on: 12/4/2010 | Points: 25
Yes, I got it from your attachment... thanks so much for the article, I was looking for this.
Thanks
