I've created a login page with some simple SQL query functions, and I'm trying to encrypt my URL query string, but there seems to be a problem with it: every time after I use my "button" function, the URL reveals itself. May I know what the problem with my code is? Remark: I've registered "QueryStringModule" in web.config under both system.web and system.webServer.

Here's the QueryStringModule.cs code i used:

#region Using
using System;
using System.IO;
using System.Web;
using System.Text;
using System.Security.Cryptography;

#endregion

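/// <summary>
/// HTTP module that hides a page's query string behind one opaque <c>enc=</c> parameter.
/// A GET that carries a plain query string is redirected to the encrypted URL; a request
/// that carries <c>enc=</c> is rewritten so the page sees the original query string.
/// </summary>
public class QueryStringModule : IHttpModule
{

#region IHttpModule Members

/// <summary>Nothing to release: the module holds no disposable state.</summary>
public void Dispose()
{
    // Nothing to dispose
}

/// <summary>Subscribes the module to the application's BeginRequest event.</summary>
/// <param name="context">The hosting application.</param>
public void Init(HttpApplication context)
{
    context.BeginRequest += new EventHandler(context_BeginRequest);
}

#endregion

/// <summary>Name of the query parameter (including '=') that carries the ciphertext.</summary>
private const string PARAMETER_NAME = "enc=";

// SECURITY: the key is a three-character constant compiled into the assembly, and SALT below
// is derived from its length, so anyone holding the binary (or this source) can decrypt and
// forge query strings. Load the key from protected configuration (encrypted web.config
// section, DPAPI, a secret store) and use a random, stored salt. Changing either value
// invalidates previously issued enc= tokens, so roll it out together with the pages.
private const string ENCRYPTION_KEY = "key";

/// <summary>
/// Decrypts an incoming <c>enc=</c> query string and rewrites the path so the page sees the
/// plain parameters, or redirects a plain GET with a query string to its encrypted form.
/// A token that is not valid Base64 or does not decrypt is answered with 400 instead of
/// surfacing as an unhandled exception (500).
/// </summary>
/// <param name="sender">The application raising BeginRequest (unused).</param>
/// <param name="e">Event data (unused).</param>
void context_BeginRequest(object sender, EventArgs e)
{
    HttpContext context = HttpContext.Current;
    if (context.Request.Url.OriginalString.Contains("aspx") && context.Request.RawUrl.Contains("?"))
    {
        string query = ExtractQuery(context.Request.RawUrl);
        string path = GetVirtualPath();

        if (query.StartsWith(PARAMETER_NAME, StringComparison.OrdinalIgnoreCase))
        {
            // Strip only the leading prefix. Replace() was case-sensitive while StartsWith is
            // not (an "Enc=" prefix passed the test but was never removed, so Base64 decoding
            // failed), and it would also delete "enc=" anywhere inside the payload.
            string rawQuery = query.Substring(PARAMETER_NAME.Length);
            string decryptedQuery;
            try
            {
                decryptedQuery = Decrypt(rawQuery);
            }
            catch (FormatException)
            {
                // Not valid Base64: the token was truncated, re-encoded or hand-edited.
                RejectRequest(context);
                return;
            }
            catch (CryptographicException)
            {
                // Wrong key or altered ciphertext (bad padding). Without a MAC this is the only
                // tamper signal available, and it does not catch every alteration.
                RejectRequest(context);
                return;
            }
            context.RewritePath(path, string.Empty, decryptedQuery);
        }
        else if (context.Request.HttpMethod == "GET")
        {
            // Encrypt the query string and redirects to the encrypted URL.
            // Remove if you don't want all query strings to be encrypted automatically.
            // A POST (e.g. an ASP.NET postback) is left alone because redirecting would drop
            // the form body. NOTE(review): the rendered <form action> appears to carry the
            // rewritten (decrypted) query string, which is presumably why a postback lands on
            // the plain URL; the page would need to set its form action to the encrypted
            // Request.RawUrl — confirm against the rendered markup.
            string encryptedQuery = Encrypt(query);
            context.Response.Redirect(path + encryptedQuery);
        }
    }
}

/// <summary>
/// Ends the request with 400 Bad Request and skips the rest of the pipeline.
/// </summary>
/// <param name="context">The current request context.</param>
private static void RejectRequest(HttpContext context)
{
    context.Response.StatusCode = 400;
    context.ApplicationInstance.CompleteRequest();
}

/// <summary>
/// Parses the current URL and extracts the virtual path without query string.
/// Only the last path segment (the page file name) is returned, so redirects built from it
/// are relative to the current directory.
/// </summary>
/// <returns>The file name part of the current request's raw URL.</returns>
private static string GetVirtualPath()
{
    // Callers only invoke this when RawUrl contains '?', so IndexOf never returns -1 here.
    string path = HttpContext.Current.Request.RawUrl;
    path = path.Substring(0, path.IndexOf("?"));
    path = path.Substring(path.LastIndexOf("/") + 1);
    return path;
}

/// <summary>
/// Parses a URL and returns the query string.
/// </summary>
/// <param name="url">The URL to parse.</param>
/// <returns>The query string without the question mark; the whole input when it has no '?'.</returns>
private static string ExtractQuery(string url)
{
    int index = url.IndexOf("?") + 1;
    return url.Substring(index);
}

#region Encryption/decryption

/// <summary>
/// The salt value used to strengthen the encryption.
/// It is the ASCII digits of the key length ("3"), i.e. a constant, so it adds no strength;
/// kept as-is for token compatibility (see the note on ENCRYPTION_KEY).
/// </summary>
private readonly static byte[] SALT = Encoding.ASCII.GetBytes(ENCRYPTION_KEY.Length.ToString());

/// <summary>
/// Encrypts any string using the Rijndael algorithm (CBC, PKCS7 padding, 256-bit key).
/// The key and IV are both derived from the constant key and salt, so equal inputs always
/// yield equal ciphertext and there is no integrity protection; a random per-token IV and an
/// HMAC would fix both but change the token format.
/// </summary>
/// <param name="inputText">The string to encrypt (encoded as UTF-16LE before encryption).</param>
/// <returns>"?enc=" followed by the Base64 ciphertext, ready to append to a path.</returns>
public static string Encrypt(string inputText)
{
    byte[] plainText = Encoding.Unicode.GetBytes(inputText);

    using (RijndaelManaged rijndaelCipher = new RijndaelManaged())
    using (PasswordDeriveBytes secretKey = new PasswordDeriveBytes(ENCRYPTION_KEY, SALT))
    using (ICryptoTransform encryptor = rijndaelCipher.CreateEncryptor(secretKey.GetBytes(32), secretKey.GetBytes(16)))
    using (MemoryStream memoryStream = new MemoryStream())
    {
        using (CryptoStream cryptoStream = new CryptoStream(memoryStream, encryptor, CryptoStreamMode.Write))
        {
            cryptoStream.Write(plainText, 0, plainText.Length);
            cryptoStream.FlushFinalBlock();
        }
        return "?" + PARAMETER_NAME + Convert.ToBase64String(memoryStream.ToArray());
    }
}

/// <summary>
/// Decrypts a previously encrypted string.
/// </summary>
/// <param name="inputText">The Base64 ciphertext without the "?enc=" prefix.</param>
/// <returns>A decrypted string.</returns>
/// <exception cref="FormatException">The input is not valid Base64.</exception>
/// <exception cref="CryptographicException">The ciphertext does not decrypt under the module key.</exception>
public static string Decrypt(string inputText)
{
    byte[] encryptedData = Convert.FromBase64String(inputText);

    using (RijndaelManaged rijndaelCipher = new RijndaelManaged())
    using (PasswordDeriveBytes secretKey = new PasswordDeriveBytes(ENCRYPTION_KEY, SALT))
    using (ICryptoTransform decryptor = rijndaelCipher.CreateDecryptor(secretKey.GetBytes(32), secretKey.GetBytes(16)))
    using (MemoryStream memoryStream = new MemoryStream(encryptedData))
    using (CryptoStream cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read))
    using (MemoryStream plainStream = new MemoryStream(encryptedData.Length))
    {
        // A single Read() may return fewer bytes than requested; CopyTo drains the stream.
        cryptoStream.CopyTo(plainStream);
        return Encoding.Unicode.GetString(plainStream.ToArray());
    }
}

#endregion

}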


Here's the code of my button function:

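/// <summary>
/// Validates the form, then runs the usp_TagNumberUpdate stored procedure and shows its
/// "@return" output value in status_lbl.
/// </summary>
/// <param name="sender">The clicked button (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Button1_Click(object sender, EventArgs e)
{
   string sONbr = sONbrTextBox.Text;
   string SOLine = sOLineTextBox.Text;
   string SerialNbr = serialNbrTextBox.Text;
   string PalletID = palletIDTextBox.Text;
   string PackingListNo = PackingListNoTextBox.Text;
   string StatusCode = statusCodeComboBox.Text;
   string PackType = packTypeComboBox.Text;

   // The indexer returns null when the parameter is absent; calling .ToString() on it threw a
   // NullReferenceException before the "please login" check below could run.
   // SECURITY: the acting user is read from the query string, so any client can submit an
   // arbitrary name — the QueryStringModule only hides it in the address bar, it does not
   // authenticate it. Take the identity from the server-side session or User.Identity instead.
   string CrUserID = Request.QueryString["LogInUser"];

   if (string.IsNullOrWhiteSpace(sONbr) || string.IsNullOrWhiteSpace(SOLine) || string.IsNullOrWhiteSpace(PalletID) || string.IsNullOrWhiteSpace(PackingListNo) || string.IsNullOrWhiteSpace(StatusCode) || string.IsNullOrWhiteSpace(PackType))
   {
      status_lbl.Text = "Please fill in all the information.";
      status_lbl.Visible = true;
      GridView1.Visible = false;
      return;
   }

   if (string.IsNullOrWhiteSpace(CrUserID))
   {
      status_lbl.Text = "Please login your account!";
      status_lbl.Visible = true;
      GridView1.Visible = false;
      ClientScript.RegisterStartupScript(Page.GetType(), "validation", "<script language='javascript'>alert('Please login your account!')</script>");
      // Redirect ends the response, so it goes last: the GridView assignment that used to
      // follow it never ran, and the startup script above is unlikely to reach the browser.
      Response.Redirect("Login Page.aspx");
      return;
   }

   string val;
   // using returns the connection to the pool even when the command throws.
   using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["constr_TESTINGSystem"].ToString()))
   using (SqlCommand comm = conn.CreateCommand())
   {
      conn.Open();
      comm.CommandType = CommandType.StoredProcedure;
      comm.CommandText = "usp_TagNumberUpdate";

      // Parameterized call: the user-supplied values never become part of SQL text.
      comm.Parameters.AddWithValue("@sONbr", sONbr);
      comm.Parameters.AddWithValue("@SOLine", SOLine);
      comm.Parameters.AddWithValue("@SerialNbr", SerialNbr);
      comm.Parameters.AddWithValue("@PalletID", PalletID);
      comm.Parameters.AddWithValue("@PackingListNo", PackingListNo);
      comm.Parameters.AddWithValue("@StatusCode", StatusCode);
      comm.Parameters.AddWithValue("@PackType", PackType);
      comm.Parameters.AddWithValue("@CrUserID", CrUserID);

      SqlParameter ReturnVal = comm.Parameters.Add("@return", SqlDbType.NVarChar, 200);
      ReturnVal.Direction = ParameterDirection.Output;

      comm.ExecuteNonQuery();

      // A procedure that never assigns @return leaves DBNull, which the direct (string) cast
      // rejected with InvalidCastException.
      val = ReturnVal.Value as string ?? string.Empty;
   }

   status_lbl.Text = val;
   status_lbl.Visible = true;
   CheckBox1.Checked = false;
   serialNbrTextBox.ReadOnly = true;
   serialNbrTextBox.BackColor = System.Drawing.ColorTranslator.FromHtml("#A9A9A9");
   serialNbrTextBox.Text = "N/A";
   sONbrTextBox.Text = sOLineTextBox.Text = palletIDTextBox.Text = PackingListNoTextBox.Text = "";
   GridView1.Visible = false;
}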

/// <summary>
/// Checks that SO #, SO line and serial number are all filled in before showing the record grid.
/// </summary>
/// <param name="sender">The clicked button (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Button2_Click(object sender, EventArgs e)
{
   bool haveLookupKeys = !string.IsNullOrWhiteSpace(sONbrTextBox.Text)
                      && !string.IsNullOrWhiteSpace(sOLineTextBox.Text)
                      && !string.IsNullOrWhiteSpace(serialNbrTextBox.Text);

   if (!haveLookupKeys)
   {
      status_lbl.Text = "Please fill in SO #, SO LINE & SERIAL NO to check record.";
      status_lbl.Visible = true;
      GridView1.Visible = false;
      return;
   }

   status_lbl.Text = "Inquiry Successful!";
   status_lbl.Visible = true;
   GridView1.Visible = true;
}
Comments
ZurdoDev 30-Dec-13 11:12am    
Are you trying to encrypt the whole query string or individual values?
Alvan Khong 30-Dec-13 13:37pm    
The whole query string.
ZurdoDev 30-Dec-13 14:24pm    
I don't understand what you mean that after your button function the url reveals itself. I guess you mean you click the button and the url is briefly displayed? If so, I don't think you can get around that. It's a security feature of the browser to prevent spoofing.
Alvan Khong 31-Dec-13 0:11am    
When I log in, my URL is something like this:

http://localhost:53815/Main.aspx?enc=aflHfXfh87xB29VhJx42zeYbAV/Ft6IHRA1TXHamETMeigA2Cwfiwh2gn4upy++7itBBICXzfxlq41PAkbs2Rw==

After I use my button function, the URL becomes this:

http://localhost:53815/Main.aspx?LogInUser=admin&Result=1
Set breakpoints in the debugger and check where exactly it is creating problems.
