
WebRequest Parameter Utility

4.88/5 (10 votes)

Sep 7, 2007

CPOL

3 min read

58241 views, 561 downloads

A library used to encapsulate web request parameters to keep them from prying eyes and to prevent injection of unwanted data.

Introduction

The WebParam class is used to encapsulate one or more web request parameters into a single request parameter. This class also provides security using message authentication to ensure that the transported data has not been tampered with during transport.

Normally, a web request with parameters looks like this:

www.mydomain.com/myweb/page.aspx?ID=1234&name=jasmine

In this example, a user can change the value of ID or name (both are visible in the address bar of the web browser) before the request is actually sent. An additional precautionary measure is then needed just to handle this kind of situation.

Using the ParamUtils.WebParam class, the web address is displayed like this instead:

www.mydomain.com/myweb/page.aspx?data=JmlkPTEyMzQmbmFtZT1yYW5keg%3d%3d-t0j9KL4WQHs%3d

Any change to the value of the parameter "data" will raise an exception, signifying that the data has been tampered with. This eliminates the chance of tampering with the data from the referring page before it is passed to the consumer page.

Using the Code

To use the code, add a reference to ParamUtils.dll on your web application project. This library contains the ParamUtils.WebParam class.

These are the two public methods that can be used in this class:

  • Encode(System.Web.UI.Pair[])
  • GetQuery(string, string)

The example below shows how to use the Encode method:

using System;
using System.Web.UI;            // System.Web.UI.Pair

public partial class _Default : System.Web.UI.Page 
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // hl is a HyperLink control declared in the page markup.
        // Encode packs the name/value pairs into one MAC-protected "data" value.
        if (!IsPostBack)
            hl.NavigateUrl = "Default2.aspx?data=" + 
                ParamUtils.WebParam.Encode(new Pair("id", "1234"), 
                                           new Pair("name", "jasmine"));
    }
}

As you can see, the ParamUtils.WebParam.Encode method accepts zero or more Pair parameters. Please take note that the ParamUtils.WebParam.Encode method uses Pair.First to store the name of the request parameter and Pair.Second to store its value.

To retrieve the value of the request parameters passed through the ParamUtils.WebParam.Encode method, the method ParamUtils.WebParam.GetQuery will be used. See the example below:

using System;
using System.Web;

public partial class Default2 : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Request.Params["data"] is already a string (null when the parameter
            // is absent), so no ToString() call is needed. GetQuery verifies the
            // MAC before it returns any value.
            string data = Request.Params["data"];
            try
            {                
                Response.Write("ID: " + 
                    ParamUtils.WebParam.GetQuery(data, "id") + "<br>");
                Response.Write("Name: " +
                    ParamUtils.WebParam.GetQuery(data, "name") + "<br>");
            }
            catch (ArgumentException ex)
            {
                // The requested query name is not present in the encoded data
                Response.Write("Argument Exception caught: " + ex.Message);
            }
            catch (Exception ex)
            {
                // "Invalid query string": the data was altered or corrupted in transit
                Response.Write("General Exception caught: " + ex.Message);
            }
        }
    }
}

ParamUtils.WebParam.GetQuery throws an ArgumentException when the query name is not found in the request parameter. It also throws a general Exception with the message "Invalid query string" when the data has been changed and/or corrupted during transport. This ensures that the data from the referring page is not modified before being passed to the consumer page.

Points of Interest

The WebParam class uses System.Security.Cryptography.MACTripleDES and System.Security.Cryptography.MD5CryptoServiceProvider to encode the request parameter values. The value of the Key property of MACTripleDES comes from the MD5 hash of the public property HashKey. You can assign this key anywhere, as long as the assignment happens before Encode and GetQuery are actually used. I suggest that you put it in Application_Start inside global.asax. See the sample below:

<%@ Import Namespace="System.Configuration" %>   <%-- needed for ConfigurationManager --%>

void Application_Start(object sender, EventArgs e) 
{
    // Reads <add key="key" value="..."/> from <appSettings> in web.config
    ParamUtils.WebParam.HashKey = ConfigurationManager.AppSettings["key"];
}

If you are too lazy to provide a HashKey value ;-), don't worry, WebParam just uses the default value. Also, please take note that the HashKey value should not be changed between calls to Encode and GetQuery.
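The following self-contained C# console program is an added example, not code from the ParamUtils library, and it shows the whole mechanism the article describes (the Encode call, the GetQuery call with its two exception types, and the HashKey configured before use) end to end: a list of name/value pairs is packed into one base64 string, a MAC over that string is appended after a "-" (the layout visible in the sample URL above), and the consumer side verifies the MAC before it reads any parameter, throwing ArgumentException for a missing name and a plain Exception carrying the article's "Invalid query string" message for altered data. It substitutes HMACSHA256 keyed directly from the HashKey string for the article's MACTripleDES keyed with MD5(HashKey), since neither of those primitives ships on .NET Core and later; the class name SignedParams, the placeholder key and the constructed id/name pairs are assumptions.

```csharp
// Added example (not the ParamUtils library's own code): a minimal analogue of
// WebParam.Encode / WebParam.GetQuery. Format: base64(parameters) + "-" + base64(MAC).
// HMACSHA256 is used in place of the article's MACTripleDES/MD5 pairing.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class SignedParams
{
    // Assumption: set once at startup (Application_Start), never changed between
    // Encode and GetQuery, and loaded from configuration rather than source code.
    public static string HashKey = "replace-with-a-long-random-secret";

    private static byte[] Mac(byte[] data)
    {
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(HashKey)))
            return hmac.ComputeHash(data);
    }

    // Builds "&name=value&name=value", escaping each part so that a value
    // containing '&' or '=' cannot smuggle in an extra parameter.
    public static string Encode(params KeyValuePair<string, string>[] pairs)
    {
        var sb = new StringBuilder();
        foreach (var p in pairs)
            sb.Append('&').Append(Uri.EscapeDataString(p.Key))
              .Append('=').Append(Uri.EscapeDataString(p.Value));
        byte[] payload = Encoding.UTF8.GetBytes(sb.ToString());
        // The caller URL-encodes the result when placing it in a query string.
        return Convert.ToBase64String(payload) + "-" + Convert.ToBase64String(Mac(payload));
    }

    // Verifies the MAC before looking at any parameter: a bad MAC means the
    // "data" value was altered or truncated in transit.
    public static string GetQuery(string data, string name)
    {
        if (data == null) throw new Exception("Invalid query string");
        int sep = data.IndexOf('-');           // '-' never occurs inside standard base64
        if (sep < 0) throw new Exception("Invalid query string");
        byte[] payload, mac;
        try
        {
            payload = Convert.FromBase64String(data.Substring(0, sep));
            mac = Convert.FromBase64String(data.Substring(sep + 1));
        }
        catch (FormatException) { throw new Exception("Invalid query string"); }

        if (!FixedTimeEquals(Mac(payload), mac))
            throw new Exception("Invalid query string");

        string query = Encoding.UTF8.GetString(payload);
        foreach (string part in query.Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = part.IndexOf('=');
            if (eq < 0) continue;
            if (Uri.UnescapeDataString(part.Substring(0, eq)) == name)
                return Uri.UnescapeDataString(part.Substring(eq + 1));
        }
        throw new ArgumentException("Query name not found: " + name);
    }

    // Compares two MACs without revealing, through timing, how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample pairs, mirroring the article's id/name example.
        string data = SignedParams.Encode(
            new KeyValuePair<string, string>("id", "1234"),
            new KeyValuePair<string, string>("name", "jasmine"));
        Console.WriteLine("data=" + Uri.EscapeDataString(data));
        Console.WriteLine("id   = " + SignedParams.GetQuery(data, "id"));
        Console.WriteLine("name = " + SignedParams.GetQuery(data, "name"));

        // Alter one character of the base64 body: the MAC no longer matches.
        string tampered = (data[0] == 'A' ? "B" : "A") + data.Substring(1);
        try { SignedParams.GetQuery(tampered, "id"); }
        catch (Exception ex) { Console.WriteLine("tampered -> " + ex.Message); }

        // Ask for a name that was never encoded: ArgumentException.
        try { SignedParams.GetQuery(data, "role"); }
        catch (ArgumentException ex) { Console.WriteLine("missing  -> " + ex.Message); }
    }
}
```

Two points worth keeping in mind when using this pattern. First, the left half of "data" is plain base64, so anyone holding the URL can decode it and read id=1234; the MAC prevents modification, it does not provide secrecy, and anything that must stay hidden needs encryption as well. Second, the key is the whole security of the scheme: use a long random HashKey (for example 32 bytes from RNGCryptoServiceProvider, stored in appSettings as the article suggests rather than left at a library default), and compare MACs in constant time as FixedTimeEquals does, so that response timing does not leak information about the correct MAC.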

Encryption of the key values in the config file is not covered in this article; you can find some ideas on the following links:

Credits

This article includes ideas from some code snippets in the public domain. Some ideas were also sparked by an article on 4guysfromrolla.

History

  • September 6, 2007 - Initial version.