Click here to Skip to main content
15,064,166 members
Please Sign up or sign in to vote.
5.00/5 (1 vote)
I've created a login page with some simple SQL query function & i'm trying to encrypt my URL query string, but it seems there's some problem with it, everytime after i used my "button" function the URL reveals itself. May i know what's the problem with me coding? Remark: I've putted "QueryStringModule" at the web config system.web & system.webServer

Here's the QueryStringModule.cs code i used:

C#
#region Using
using System;
using System.IO;
using System.Web;
using System.Text;
using System.Security.Cryptography;

#endregion

/// <summary>
/// Summary description for QueryStringModule
/// </summary>
public class QueryStringModule : IHttpModule
{

#region IHttpModule Members

public void Dispose()
{
    // Nothing to dispose
}

public void Init(HttpApplication context)
{
    context.BeginRequest += new EventHandler(context_BeginRequest);
}

#endregion

private const string PARAMETER_NAME = "enc=";
private const string ENCRYPTION_KEY = "key";

void context_BeginRequest(object sender, EventArgs e)
{
    HttpContext context = HttpContext.Current;
    if (context.Request.Url.OriginalString.Contains("aspx") && context.Request.RawUrl.Contains("?"))
    {
        string query = ExtractQuery(context.Request.RawUrl);
        string path = GetVirtualPath();

        if (query.StartsWith(PARAMETER_NAME, StringComparison.OrdinalIgnoreCase))
        {
            // Decrypts the query string and rewrites the path.
            string rawQuery = query.Replace(PARAMETER_NAME, string.Empty);
            string decryptedQuery = Decrypt(rawQuery);
            context.RewritePath(path, string.Empty, decryptedQuery);
        }
        else if (context.Request.HttpMethod == "GET")
        {
            // Encrypt the query string and redirects to the encrypted URL.
            // Remove if you don't want all query strings to be encrypted automatically.
            string encryptedQuery = Encrypt(query);
            context.Response.Redirect(path + encryptedQuery);
        }
    }
}

/// <summary>
/// Parses the current URL and extracts the virtual path without query string.
/// </summary>
/// <returns>The virtual path of the current URL.</returns>
private static string GetVirtualPath()
{
    string path = HttpContext.Current.Request.RawUrl;
    path = path.Substring(0, path.IndexOf("?"));
    path = path.Substring(path.LastIndexOf("/") + 1);
    return path;
}

/// <summary>
/// Parses a URL and returns the query string.
/// </summary>
/// <param name="url">The URL to parse.</param>
/// <returns>The query string without the question mark.</returns>
private static string ExtractQuery(string url)
{
    int index = url.IndexOf("?") + 1;
    return url.Substring(index);
}

#region Encryption/decryption

/// <summary>
/// The salt value used to strengthen the encryption.
/// </summary>
private readonly static byte[] SALT = Encoding.ASCII.GetBytes(ENCRYPTION_KEY.Length.ToString());

/// <summary>
/// Encrypts any string using the Rijndael algorithm.
/// </summary>
/// <param name="inputText">The string to encrypt.</param>
/// <returns>A Base64 encrypted string.</returns>
public static string Encrypt(string inputText)
{
    RijndaelManaged rijndaelCipher = new RijndaelManaged();
    byte[] plainText = Encoding.Unicode.GetBytes(inputText);
    PasswordDeriveBytes SecretKey = new PasswordDeriveBytes(ENCRYPTION_KEY, SALT);

    using (ICryptoTransform encryptor = rijndaelCipher.CreateEncryptor(SecretKey.GetBytes(32), SecretKey.GetBytes(16)))
    {
        using (MemoryStream memoryStream = new MemoryStream())
        {
            using (CryptoStream cryptoStream = new CryptoStream(memoryStream, encryptor, CryptoStreamMode.Write))
            {
                cryptoStream.Write(plainText, 0, plainText.Length);
                cryptoStream.FlushFinalBlock();
                return "?" + PARAMETER_NAME + Convert.ToBase64String(memoryStream.ToArray());
            }
        }
    }
}

/// <summary>
/// Decrypts a previously encrypted string.
/// </summary>
/// <param name="inputText">The encrypted string to decrypt.</param>
/// <returns>A decrypted string.</returns>
public static string Decrypt(string inputText)
{
    RijndaelManaged rijndaelCipher = new RijndaelManaged();
    byte[] encryptedData = Convert.FromBase64String(inputText);
    PasswordDeriveBytes secretKey = new PasswordDeriveBytes(ENCRYPTION_KEY, SALT);

    using (ICryptoTransform decryptor = rijndaelCipher.CreateDecryptor(secretKey.GetBytes(32), secretKey.GetBytes(16)))
    {
        using (MemoryStream memoryStream = new MemoryStream(encryptedData))
        {
            using (CryptoStream cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read))
            {
                byte[] plainText = new byte[encryptedData.Length];
                int decryptedCount = cryptoStream.Read(plainText, 0, plainText.Length);
                return Encoding.Unicode.GetString(plainText, 0, decryptedCount);
            }
        }
    }
}

#endregion

}


Here's the code of my button function:

protected void Button1_Click(object sender, EventArgs e)
{
   string sONbr = sONbrTextBox.Text;
   string SOLine = sOLineTextBox.Text;
   string SerialNbr = serialNbrTextBox.Text;
   string PalletID = palletIDTextBox.Text;
   string PackingListNo = PackingListNoTextBox.Text;
   string StatusCode = statusCodeComboBox.Text;
   string PackType = packTypeComboBox.Text;
   string CrUserID = Request.QueryString["LogInUser"].ToString();

   if (string.IsNullOrWhiteSpace(sONbr) || string.IsNullOrWhiteSpace(SOLine) || string.IsNullOrWhiteSpace(PalletID) || string.IsNullOrWhiteSpace(PackingListNo) || string.IsNullOrWhiteSpace(StatusCode) || string.IsNullOrWhiteSpace(PackType))
   {
      status_lbl.Text = "Please fill in all the information.";
      status_lbl.Visible = true;
      GridView1.Visible = false;
      return;
   }
   else if (string.IsNullOrWhiteSpace(CrUserID))
   {
      status_lbl.Text = "Please login your account!";
      status_lbl.Visible = true;
      ClientScript.RegisterStartupScript(Page.GetType(), "validation", "<script language='javascript'>alert('Please login your account!')</script>");
      Response.Redirect("Login Page.aspx");
      GridView1.Visible = false;
      return;
   }
   else
   {
      SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["constr_TESTINGSystem"].ToString());
      conn.Open();

      SqlCommand comm = conn.CreateCommand();
      comm.CommandType = CommandType.StoredProcedure;
      comm.CommandText = "usp_TagNumberUpdate";

      comm.Parameters.AddWithValue("@sONbr", sONbr);
      comm.Parameters.AddWithValue("@SOLine", SOLine);
      comm.Parameters.AddWithValue("@SerialNbr", SerialNbr);
      comm.Parameters.AddWithValue("@PalletID", PalletID);
      comm.Parameters.AddWithValue("@PackingListNo", PackingListNo);
      comm.Parameters.AddWithValue("@StatusCode", StatusCode);
      comm.Parameters.AddWithValue("@PackType", PackType);
      comm.Parameters.AddWithValue("@CrUserID", CrUserID);

      SqlParameter ReturnVal = comm.Parameters.Add("@return", SqlDbType.NVarChar,200);
      ReturnVal.Direction = ParameterDirection.Output;

      comm.ExecuteNonQuery();

      string val = (string)ReturnVal.Value;

      conn.Close();
      status_lbl.Text = val;
      status_lbl.Visible = true;
      CheckBox1.Checked = false;
      serialNbrTextBox.ReadOnly = true;
      serialNbrTextBox.BackColor = System.Drawing.ColorTranslator.FromHtml("#A9A9A9");
      serialNbrTextBox.Text = "N/A";
      sONbrTextBox.Text = sOLineTextBox.Text = palletIDTextBox.Text = PackingListNoTextBox.Text = "";
      GridView1.Visible = false;
   }
}

protected void Button2_Click(object sender, EventArgs e)
{
   string sONbr = sONbrTextBox.Text;
   string SOLine = sOLineTextBox.Text;
   string SerialNbr = serialNbrTextBox.Text;

   if (string.IsNullOrWhiteSpace(sONbr) || string.IsNullOrWhiteSpace(SOLine) || string.IsNullOrWhiteSpace(SerialNbr))
   {
      status_lbl.Text = "Please fill in SO #, SO LINE & SERIAL NO to check record.";
      status_lbl.Visible = true;
      GridView1.Visible = false;
      return;
   }
   else
   {
      status_lbl.Text = "Inquiry Successful!";
      status_lbl.Visible = true;
      GridView1.Visible = true;
   }
}
Posted
Updated 24-Jun-18 20:50pm
v4
Comments
ZurdoDev 30-Dec-13 11:12am
   
Are you trying to encrypt the whole query string or individual values?
Alvan Khong 30-Dec-13 13:37pm
   
The whole query string.
ZurdoDev 30-Dec-13 14:24pm
   
I don't understand what you mean that after your button function the url reveals itself. I guess you mean you click the button and the url is briefly displayed? If so, I don't think you can get around that. It's a security feature of the browser to prevent spoofing.
Alvan Khong 31-Dec-13 0:11am
   
when i login my URL was something like this!

http://localhost:53815/Main.aspx?enc=aflHfXfh87xB29VhJx42zeYbAV/Ft6IHRA1TXHamETMeigA2Cwfiwh2gn4upy++7itBBICXzfxlq41PAkbs2Rw==

After i use my button function the URL become like this!

http://localhost:53815/Main.aspx?LogInUser=admin&Result=1
   
Put debuggers and check where exactly it is creating problems?
Alvan Khong 31-Dec-13 0:13am
   
I've already do a debuggers check it seems that after finish looping the button function until the end of the } then only the URL change!
Nafish khan 13-Jun-14 8:16am
   
I am using same code for URL encryption,Code is working fine for almost all the URLs but there is one URL which is having issue.
The issue is due to string query = ExtractQuery(context.Request.RawUrl); code.
HttpContext.Current.Request.RawUrl is not returning proper url.
for eg :
Actual URL-- http://abc.com/XIA/PX/Product/Product.aspx?ID=13&PID=15408&nID=18652&pageID=27624
URL Having Issue--/XIA/PX/Product/ProductOverview.aspx?enc=ON7YuUnmSi4FyCWsVcTQy4Al8g0g4gUbHiAo/lXe/HpebVBLQWEK6/IKP42TACTTnZkOTOjiFaY5rrm8bArbEnyxeIkAhYKu89Yfbtxb52g=&pageID=87654"
svkrajesh 17-Jan-17 3:58am
   
if u see in developer window, actual query string is visible and it just showing encrypted in address bar. how to make work in developer tools also
Adil Deveci 29-May-18 4:42am
   
this code only works when the http get
it does not work when the page is postback.
and it is not working when we use Server.Transfer.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900