Click here to Skip to main content
Click here to Skip to main content
Search within:



 
Comments & Discussions (30)

Query string encryption for ASP.NET

By , 7 May 2008
 

Introduction

Using query strings to send data from the browser to the server is a widespread approach. Giving the visitor of a web application the opportunity of modifying query strings by transmitting them in clear text, is certainly a potential security threat.

Thus, I encourage developers to encrypt query strings, even if they do not contain confidential data. However, I am aware that it is still possible to alternate an encrypted query string, but with an appropriate exception handling, this is harmless.

Background

To keep this article simple, I used a contradictable encryption (DES encoding), though any cutting-edge encryption can be easily applied to the samples given.

Using the code

So, let's get down to business. The main part of the presented solution consists of a HttpModule which decrypts the query string and hence provides the page request with the ordinary unencrypted query strings:

using System;
using System.Web;
using System.Web.Configuration;

namespace SmartSoft.QueryStringEncryption
{
    /// <summary>
    /// Http module that handles encrypted query strings.
    /// </summary>
    public class CryptoQueryStringUrlRemapper : IHttpModule
    {
        #region IHttpModule Members

        /// <summary>
        /// Initialize the http module.
        /// </summary>
        /// <param name="application">Application,
        ///           that called this module.</param>
        public void Init(HttpApplication application)
        {
            // Attach the acquire request state event
            // to catch the encrypted query string
            application.AcquireRequestState += application_AcquireRequestState;
        }

        public void Dispose()
        {}
    
        #endregion

        /// <summary>
        /// Event, that is called when the application acquires the request state.
        /// </summary>
        /// <param name="sender"></param>
        /// <param name="e"></param>
        public void application_AcquireRequestState(object sender, EventArgs e)
        {
            // Get http context from the caller.
            HttpApplication application = (HttpApplication) sender;
            HttpContext context = application.Context;

            // Check for encrypted query string
            string encryptedQueryString = context.Request.QueryString["request"];
            if (!string.IsNullOrEmpty(encryptedQueryString))
            {
                // Decrypt query strings
                string cryptoKey = WebConfigurationManager.AppSettings["CryptoKey"];
                string decryptedQueryString = 
                  CryptoQueryStringHandler.DecryptQueryStrings(encryptedQueryString, 
                                                               cryptoKey);
                context.Server.Transfer(
                  context.Request.AppRelativeCurrentExecutionFilePath + 
                  "?" + decryptedQueryString);
            }
        }
    }
}

As you might have noticed, if there is an encrypted query string for the current request, the module automatically terminates the execution of the current page and internally starts execution of a new request on the server.

The next step is to register the HttpModule in the web.config file:

<httpModules>
    <add name="CryptoQueryStringUrlRemapper" 
      type="SmartSoft.QueryStringEncryption.CryptoQueryStringUrlRemapper"/>
</httpModules>

Last but not least, do not forget to encrypt query strings before sending them back to the server:

private void PrepareSendButton()
{
    NameValueCollection queryStrings = new NameValueCollection();
    queryStrings.Add("param1", "Test1");
    queryStrings.Add("param2", "Test2");
    queryStrings.Add("param3", "Test3");

    // Encrypt query strings
    string encryptedString = CryptoQueryStringHandler.EncryptQueryStrings(
      queryStrings, WebConfigurationManager.AppSettings["CryptoKey"]);
    btnSendParams.PostBackUrl = string.Concat("~/Default.aspx?", encryptedString);
}

As outlined earlier in this article, the encryption class can be easily replaced by any other encryption class. A full running sample can be downloaded above.

Important issue

The method DecryptQueryStrings in the CryptoQueryStringHandler contains the following line :

return Encryption64.Decrypt(encryptedStrings.Replace(" ", "+"), key);

For unknown reasons, the request replaces every '+' character in the query with an empty character.

History

  • 30.04.2008 - First version (deleted -> was not possible to modify, why ever...).
  • 01.05.2008 - Re-released updated article.
  • 08.05.2008 - BeginRequest event in the HttpModule changed to AcquireRequestState in order to support Session data.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

 Michael Ulmann
Architect Helvetic Solutions
Australia Australia
Member
MCAD, MCPD Web Developer 2.0, MCPD Enterprise Developer 3.5
My company: www.helveticsolutions.com
Hopp Schwiiz Smile | :)

Article Top
 
Sign Up to vote   Poor Excellent
Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

 
Hint: For improved responsiveness ensure Javascript is enabled and choose 'Normal' from the Layout dropdown and hit 'Update'.
You must Sign In to use this message board.
Search this forum  
    Spacing  Noise  Layout  Per page   
First PrevNext
SuggestionQuery String encryption does not work when page is post back.membereli86200614 Mar '13 - 2:45 
GeneralRe: Query String encryption does not work when page is post back.memberFarhad Hazraty Eini24 Apr '13 - 18:58 
Questionproblem when page postback event fire, it shows plain text in Urlmemberjitendra77719 Oct '11 - 19:52 
AnswerRe: problem when page postback event fire, it shows plain text in Urlmembereli86200614 Mar '13 - 2:46 
GeneralFor unknown reasons, the request replaces every '+' character in the query with an empty character.memberya3mro28 Jul '10 - 10:15 
GeneralA code free approachmemberZiad J.khan26 Mar '10 - 0:52 
GeneralOutput Caching not working in conjunction with query string encryption.memberjellyfish728 Sep '09 - 13:35 
This screws up output caching.
 
If you output cache based on a query string variable or wildcard "*", the output cache does not work due to query string encryption code calling the server.transfer and then executing code-behind again instead of outputting cache.
 
Server.Execute instead of Server.Transfer seemed to fix it, but now I'm having issues with another project posting back twice; havn't figured out why some pages post back once and some twice with this setup.
Sign In·View Thread·Permalink
GeneralSerious issue with encodingmembersrouss2 Jun '09 - 23:57 
GeneralThere is a major problem with this approachmemberOrionDR20 Mar '09 - 5:44 
QuestionCan still alter query string and decryption goes through and returs invalid charactorsmemberNimendra29 Sep '08 - 19:55 
GeneralAuto-Encrypting QueryStrings before ResponsememberRuchit Surati8 May '08 - 9:51 
GeneralRe: Auto-Encrypting QueryStrings before Responsemembercijothomas10 Jul '09 - 3:59 
GeneralRe: Auto-Encrypting QueryStrings before ResponsememberRuchit S.10 Jul '09 - 4:21 
GeneralSession StatememberAllan Eagle7 May '08 - 4:14 
GeneralRe: Session StatememberMichael Ulmann7 May '08 - 17:47 
GeneralQuerystring decrypting on postbackmemberLordGentle6 May '08 - 9:25 
GeneralRe: Querystring decrypting on postbackmemberMichael Ulmann6 May '08 - 12:10 
GeneralRe: Querystring decrypting on postbackmemberkraazee118 Jul '11 - 8:02 
RantCompletely unnecessarymemberTrumpi1 May '08 - 0:10 
GeneralRe: Completely unnecessarymemberAndyM772 May '08 - 6:52 
GeneralRe: Completely unnecessarymemberMR_SAM_PIPER7 May '08 - 14:33 
GeneralRe: Completely unnecessarymemberMichael Ulmann7 May '08 - 17:32 
GeneralRe: Completely unnecessarymemberMatt Sollars13 May '08 - 3:18 
GeneralRe: Completely unnecessarymemberwk63313 May '08 - 4:29 
GeneralNo Completelymember Clickok 2 May '08 - 11:50 
Last Visit: 31 Dec '99 - 18:00     Last Update: 25 May '13 - 2:25Refresh12 Next »

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

About Article
Clear text query strings are a potential security threat for your web application. Thus, query strings should always be encrypted.
Type Article
Licence CPOL
First Posted 30 Apr 2008
Views 112,754
Downloads 2,318
Bookmarked 88 times

, +
Top News

Old Japanese Man Creates Amazing Art Using Excel (Wait, Excel?)

Get the Insider News free each morning.
Related Videos
Entity Framework: Query Options Part 1
Entity Framework: Query Options Part 2
Encrypting Query Strings
Encrypt Password Field in SQL Server, Registry Information & Query String
Scramble Your Query Strings
Client/Server Encryption plus extras
RSA Interoperability between JavaScript and RSACryptoServiceProvider - Form Login Example
ASP.NET - reCAPTCHA Mailhide
Global Query String Encryption
Tamper Proof Query String
The Anatomy of Forms Authentication
.NET Encryption Simplified
Encryption of Connection Strings Inside the Web.config in ASP.NET 2.0
SharpPrivacy - OpenPGP for C#
ASP.NET data encryption / decryption made easy
The Art & Science of Storing Passwords
Understanding SQL Injection and Creating SQL Injection Proof ASP.NET Applications
Query Notification using SqlDependency and SqlCacheDependency
DPAPI and Triple DES: A powerful combination to secure connection strings and other application settings
Client-Side State Management Objects
Encryption/Decryption Function in .NET using the TripleDESCryptoServiceProvider Class
ASP.NET Controls to prevent automatic registrations from bots
Permalink | Advertise | Privacy | Mobile
Web04 | 2.6.130523.1 | Last Updated 7 May 2008
Article Copyright 2008 by Michael Ulmann
Everything else Copyright © CodeProject, 1999-2013
Terms of Use
Layout: fixed | fluid