
Query string encryption for ASP.NET

15 Nov 2014, CPOL
Clear text query strings are a potential security threat for your web application. Thus, query strings should always be encrypted.

Introduction

Using query strings to send data from the browser to the server is a widespread approach. Transmitting them in clear text gives the visitor of a web application the opportunity to modify them, which is certainly a potential security threat.

Thus, I encourage developers to encrypt query strings, even if they do not contain confidential data. I am aware that it is still possible to alter an encrypted query string, but with appropriate exception handling this is harmless.

Background

To keep this article simple, I used a weak, dated cipher (DES), though any modern encryption can easily be applied to the samples given.

Using the code

So, let's get down to business. The main part of the presented solution is an HttpModule that decrypts the query string and hence provides the page request with the ordinary, unencrypted query string parameters:

using System;
using System.Web;
using System.Web.Configuration;

namespace HelveticSolutions.QueryStringEncryption
{
    /// <summary>
    /// Http module that handles encrypted query strings.
    /// </summary>
    public class CryptoQueryStringUrlRemapper : IHttpModule
    {
        #region IHttpModule Members

        /// <summary>
        /// Initialize the http module.
        /// </summary>
        /// <param name="application">Application,
        ///           that called this module.</param>
        public void Init(HttpApplication application)
        {
            // Attach the acquire request state event
            // to catch the encrypted query string
            application.AcquireRequestState += application_AcquireRequestState;
        }

        public void Dispose()
        {
        }

        #endregion

        /// <summary>
        /// Event, that is called when the application acquires the request state.
        /// </summary>
        /// <param name="sender"></param>
        /// <param name="e"></param>
        public void application_AcquireRequestState(object sender, EventArgs e)
        {
            // Get http context from the caller.
            HttpApplication application = (HttpApplication) sender;
            HttpContext context = application.Context;

            // Check for encrypted query string
            string encryptedQueryString = context.Request.QueryString["request"];
            if (!string.IsNullOrEmpty(encryptedQueryString))
            {
                // Decrypt query strings with the key from web.config
                string cryptoKey = WebConfigurationManager.AppSettings["CryptoKey"];
                string decryptedQueryString =
                    CryptoQueryStringHandler.DecryptQueryStrings(encryptedQueryString, cryptoKey);

                // Server.Transfer ends the current request and re-executes the same page
                // with the plain query string; the browser never sees the decrypted URL.
                context.Server.Transfer(
                    context.Request.AppRelativeCurrentExecutionFilePath +
                    "?" + decryptedQueryString);
            }
        }
    }
}

As you might have noticed, if there is an encrypted query string for the current request, the module terminates the execution of the current page and internally starts execution of a new request on the server, now carrying the decrypted query string.

The next step is to register the HttpModule in the web.config file (under <system.web> for the classic pipeline; on IIS 7 in integrated mode the equivalent <add> entry goes under <system.webServer><modules>):

<httpModules>
    <add name="CryptoQueryStringUrlRemapper" 
      type="HelveticSolutions.QueryStringEncryption.CryptoQueryStringUrlRemapper"/>
</httpModules>

Last but not least, do not forget to encrypt query strings before sending them back to the server:

// Requires "using System.Collections.Specialized;" for NameValueCollection
private void PrepareSendButton()
{
    NameValueCollection queryStrings = new NameValueCollection();
    queryStrings.Add("param1", "Test1");
    queryStrings.Add("param2", "Test2");
    queryStrings.Add("param3", "Test3");

    // Encrypt query strings
    string encryptedString = CryptoQueryStringHandler.EncryptQueryStrings(
      queryStrings, WebConfigurationManager.AppSettings["CryptoKey"]);
    btnSendParams.PostBackUrl = string.Concat("~/Default.aspx?", encryptedString);
}

As outlined earlier in this article, the encryption class can be easily replaced by any other encryption class. A full running sample can be downloaded above.

Important issue

The method DecryptQueryStrings in the CryptoQueryStringHandler contains the following line:

return Encryption64.Decrypt(encryptedStrings.Replace(" ", "+"), key); 

The reason is that ASP.NET URL-decodes the query string, and in a query string '+' is the encoding of a space: every '+' of the Base64 output that was not URL-encoded therefore arrives as a space, and the Replace call reverses that. URL-encoding the encrypted value (HttpUtility.UrlEncode) before building the URL, or using a URL-safe Base64 alphabet, avoids the issue altogether.
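As an added example (not the article's or the author's code), a hypothetical AuthenticatedQueryStringHandler that could replace CryptoQueryStringHandler in the module and the page above: it authenticates the token with an HMAC so an altered "request" parameter is rejected instead of being decrypted to garbage, and it emits URL-safe Base64 so the '+' replacement described in this section is not needed. The class name, the key-derivation salt and the iteration count are assumptions.

```csharp
using System;
using System.Collections.Specialized;
using System.Security.Cryptography;
using System.Text;

// Hypothetical drop-in for the article's CryptoQueryStringHandler (not the author's code):
// AES-CBC for confidentiality plus HMAC-SHA256 over IV||ciphertext (encrypt-then-MAC).
public static class AuthenticatedQueryStringHandler
{
    private const int IvLen = 16, TagLen = 32;
    private static void DeriveKeys(string cryptoKey, out byte[] encKey, out byte[] macKey)
    {   // independent AES and HMAC keys from the single CryptoKey app setting (constant salt = purpose label)
        using (var kdf = new Rfc2898DeriveBytes(cryptoKey, Encoding.UTF8.GetBytes("qs-crypto-v1"), 10000))
        { encKey = kdf.GetBytes(32); macKey = kdf.GetBytes(32); }
    }
    public static string EncryptQueryStrings(NameValueCollection values, string cryptoKey)
    {
        var sb = new StringBuilder(); // serialize as k=v&k=v with each part URL-encoded
        foreach (string key in values)
            sb.Append(sb.Length > 0 ? "&" : "").Append(Uri.EscapeDataString(key)).Append('=').Append(Uri.EscapeDataString(values[key]));
        byte[] encKey, macKey; DeriveKeys(cryptoKey, out encKey, out macKey);
        using (var aes = Aes.Create())
        {
            aes.GenerateIV(); // fresh random IV for every token
            byte[] plain = Encoding.UTF8.GetBytes(sb.ToString());
            byte[] ct = aes.CreateEncryptor(encKey, aes.IV).TransformFinalBlock(plain, 0, plain.Length);
            byte[] token = new byte[IvLen + ct.Length + TagLen];
            Buffer.BlockCopy(aes.IV, 0, token, 0, IvLen);
            Buffer.BlockCopy(ct, 0, token, IvLen, ct.Length);
            byte[] tag = new HMACSHA256(macKey).ComputeHash(token, 0, IvLen + ct.Length);
            Buffer.BlockCopy(tag, 0, token, IvLen + ct.Length, TagLen);
            // '-' and '_' instead of '+' and '/' so the request parameter survives URL decoding unchanged
            return Convert.ToBase64String(token).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        }
    }
    // Returns the plain "k=v&k=v" string, or throws CryptographicException if the token was altered.
    public static string DecryptQueryStrings(string encoded, string cryptoKey)
    {
        string b64 = encoded.Replace('-', '+').Replace('_', '/');
        byte[] token = Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
        if (token.Length < IvLen + TagLen) throw new CryptographicException("token too short");
        byte[] encKey, macKey; DeriveKeys(cryptoKey, out encKey, out macKey);
        int ctLen = token.Length - IvLen - TagLen;
        byte[] expected = new HMACSHA256(macKey).ComputeHash(token, 0, IvLen + ctLen);
        int diff = 0; // constant-time comparison of the stored tag against the recomputed one
        for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ token[IvLen + ctLen + i];
        if (diff != 0) throw new CryptographicException("query string was modified");
        byte[] iv = new byte[IvLen]; Buffer.BlockCopy(token, 0, iv, 0, IvLen);
        using (var aes = Aes.Create())
            return Encoding.UTF8.GetString(aes.CreateDecryptor(encKey, iv).TransformFinalBlock(token, IvLen, ctLen));
    }
}
```

In the module, catch the CryptographicException around DecryptQueryStrings and end the request with a 400 rather than transferring, so a tampered token never reaches the page.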

History

  • 30.04.2008 - First version (deleted -> was not possible to modify, why ever...).
  • 01.05.2008 - Re-released updated article.
  • 08.05.2008 - BeginRequest event in the HttpModule changed to AcquireRequestState in order to support Session data.
  • 11th November 2014 - Namespace corrected

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Michael Ulmann
Architect, Helvetic Solutions
Australia
MCAD, MCPD Web Developer 2.0, MCPD Enterprise Developer 3.5

My company: Helvetic Solutions
My blog: Sitecore Experts

Hopp Schwiiz :)

Comments and Discussions

  • Question: Integrity != Confidentiality - wrong security service (Member 8418173, 17-Nov-14 3:20)
  • Question: "500 - Internal server error" when running it on the server (fniles, 28-Aug-13 5:22)
  • Suggestion: Query String encryption does not work when page is post back. (eli862006, 14-Mar-13 2:45)
  • General: Re: Query String encryption does not work when page is post back. (Farhad Hazraty Eini, 24-Apr-13 18:58)
  • Question: problem when page postback event fire, it shows plain text in Url (jitendra777, 19-Oct-11 19:52)
  • Answer: Re: problem when page postback event fire, it shows plain text in Url (eli862006, 14-Mar-13 2:46)
  • General: For unknown reasons, the request replaces every '+' character in the query with an empty character. (ya3mro, 28-Jul-10 10:15)
  • General: A code free approach (Ziad J.khan, 26-Mar-10 0:52)
  • General: Output Caching not working in conjunction with query string encryption. (jellyfish7, 28-Sep-09 13:35)
  • General: Serious issue with encoding (srouss, 2-Jun-09 23:57)
  • General: There is a major problem with this approach (OrionDR, 20-Mar-09 5:44)
  • Question: Can still alter query string and decryption goes through and returns invalid characters (Nimendra, 29-Sep-08 19:55)
  • General: Auto-Encrypting QueryStrings before Response (Ruchit Surati, 8-May-08 9:51)
  • General: Re: Auto-Encrypting QueryStrings before Response (cijothomas, 10-Jul-09 3:59)
  • General: Re: Auto-Encrypting QueryStrings before Response (Ruchit S., 10-Jul-09 4:21)
  • General: Re: Auto-Encrypting QueryStrings before Response (thewazz, 17-Nov-14 8:53)
  • General: Session State (Allan Eagle, 7-May-08 4:14)
  • General: Re: Session State (Michael Ulmann, 7-May-08 17:47)
  • General: Querystring decrypting on postback (LordGentle, 6-May-08 9:25)
  • General: Re: Querystring decrypting on postback (Michael Ulmann, 6-May-08 12:10)
  • General: Re: Querystring decrypting on postback (kraazee1, 18-Jul-11 8:02)
  • Rant: Completely unnecessary (Trumpi, 1-May-08 0:10)
  • General: Re: Completely unnecessary (AndyM77, 2-May-08 6:52)
  • General: Re: Completely unnecessary (MR_SAM_PIPER, 7-May-08 14:33)
  • General: Re: Completely unnecessary (Michael Ulmann, 7-May-08 17:32)
  • General: Re: Completely unnecessary (Matt Sollars, 13-May-08 3:18)
  • General: Re: Completely unnecessary (wk633, 13-May-08 4:29)
  • General: No Completely (Clickok, 2-May-08 11:50)
  • General: Re: No Completely (Michael Ulmann, 2-May-08 13:53)
  • General: Re: Completely unnecessary (really necessary) (sides_dale, 7-May-08 10:19)
Unfortunately many of us inherit code that was already written to pass query strings and to rewrite all of the code would cost more than many small companies are willing to spend, but they are willing to pay to have it patched. That is precisely what I will be using this code for.

If a company has an IT staff, that is one thing, but a lot of companies have hired their development out, and found that regular users are exploiting their query strings. They then want that cleared up. This simple hack solves the problem for a normal user. If you are protecting monetary assets that is one thing, but if not this is perfectly acceptable.
  • General: Re: Completely unnecessary (inetfly123, 8-May-08 1:59)
  • Answer: Re: Completely unnecessary (meaningoflights, 7-Jan-09 18:48)
  • General: Re: Completely unnecessary (Jonathan C Dickinson, 5-Jan-09 23:49)

Last Updated 15 Nov 2014
Article Copyright 2008 by Michael Ulmann