Why encrypt query strings in ASP.NET?

I am working on a web application written in C#/ASP.NET. The original creators of this application chose to use encrypted query strings and Viewstate to control the "security" and "state" of the application.

Coming from the world of GET/POST, I don’t have a good basis for understanding why people would go to the trouble of encrypting query strings, when using POST for sensitive data (along with SSL) provides a similar level of security.

My question is: what are the advantages and disadvantages of using encrypted query strings in ASP.NET? Is there a documented “best practice” for this?


Edit: People tend to focus on Viewstate in this matter. Don't. Viewstate was only mentioned to give you more complete information on how the "state" is managed, as it is related to URLs. I never said that Viewstate was encrypted. There are two issues: 1) using Viewstate and 2) using encrypted query strings. This question focuses on the latter. Hope this helps clarify the point.

+6
11 answers

The reason you might do something like this is to prevent the URL from being tampered with in order to access data other than your own. For example, if you have a URL:

 http://foo.com/user.aspx?user_id=123 

it would not be difficult for me (or anyone) to change this to:

 http://foo.com/user.aspx?user_id=124 

If your data access strategy is completely dependent on what is in the request, this may allow unauthorized access to the data.

This approach is valid for this purpose, but a more robust way is to have an active authorization check in the application and never rely solely on the URL for authentication and/or authorization purposes.

Please note that this has nothing to do with SSL - it provides privacy between the browser and the server, but you can be in a completely secure connection and still change the URL.

+7

Well, maybe this allows you to distribute the URL of the page, but the best approach here might be something using a GUID as an opaque identifier for the permalink... maybe this is useful for scripting?

If this is between pages in one application, then POST over SSL will really make more sense. Can you ask the original designers? Read the design documents?

+4

They can be useful in cases such as user activation, when you transfer the plaintext account credentials from the browser directly (although this is easily resolved using the search token). This is useful when SSL is not available for POST requests, and that is all I can think of, to be honest. It can often be used as a forced requirement from a client to stop an accidental data leak, but I think it depends on the paranoia of your application.

+2

The reason query strings get encrypted is that it offers fake security. This allows business people to feel that it is offering security when all it truly offers is an obstacle, which is not security.

At my previous job, we were forced to use them, and I made it clear that it was completely pointless, especially when we had a static key and a static initialization vector, but people still thought that it was offering something.

The reason it is very bad to use encrypted query strings is that it allows people not to implement real security. In the cases other users have mentioned, where you have www.mysite.com/page?userid=25, they can easily change 25 to 100 or 1, etc.

In my opinion, this is good, users should do it. It is up to the website to ensure that they do not change the identifier and gain access to unauthorized materials. It is too easy not to create real security if it seems that you are protected.

+2

In addition to all the answers above, you can hide URL data from server logs.

+2

IMO, you are right to be embarrassed by this practice, because it is simply not a good idea. There is a limit to the amount of data that you can (depending on the browser), and should, put in a QueryString.

+1

If encryption is performed at a lower level in the application, or if it is a framework, this may be to ensure that content is protected regardless of its implementation. It is still protected, even if the developer decides not to use SSL POST.

+1

As for encrypting the query string, I can really come up with a number of reasons for encrypting it. Probably the classic case would be where you created a grid filled with unique indexes of people's records. On each line, you may want to have a link to a page that allows you to edit the entry. You can simply provide each link with an argument such as "ID = X" to load the corresponding entry.

 John | Sample | <a href="EditPage.aspx?ID=1">Edit Me!</a>
 Jane | Sample | <a href="EditPage.aspx?ID=2">Edit Me!</a>

Now this is not a problem if all employees have access to all personnel. And access to your page is encrypted by the authentication process. And you use SSL (SSL is consistent and all communication is encrypted before any URL arguments are sent). However, consider the case where you have restrictions by which users can see which entries. Thus, Chicago employees can only see people assigned to Chicago, New York employees can only see New York staff, etc.

Now you have a problem: someone may compromise your location restriction by simply retyping the URL with a different user ID. One way to deal with this is to encrypt the request arguments. However, there are a few twists and turns. First, simple encryption will not work, because the user can simply try a different encrypted value. You need either paired values or an algorithm that results in an extremely sparse mapping between identifiers and URL arguments. The key solution (which I used and recommend) is simple: just pass in two encrypted complex values that work together to produce a valid value.

Please note that you cannot get around this through session storage because you do not know what value the user will choose ahead of time. Similarly, Post will be very awkward when dealing with such a simple interface.

In relation to your situation, the above shows a specific case where it would be useful. Whether it is applicable in your case is for you to decide. However, you should consider whether the encryption merely exchanges one valid value for another.


Another note: viewstate is not encrypted by default. It is just encoded via Base64. A hash is added so you can see if it has been changed.

Regarding the security of your web application, the only reliable way to ensure that the data you receive comes from your user and that the data is not compromised during the transfer is SSL.

+1
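The Chicago/New York scenario from the answer above, as an added example that is not part of the original post. Instead of the two-encrypted-values scheme that answer describes, it binds each edit link to the signed-in user with an HMAC tag (a swapped-in technique) and still runs the server-side authorization check recommended in the first answer; `EditLinks`, the `sig` parameter and the sample users and records are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class EditLinks
{
    // Constructed sample data: record ID -> office, user -> office.
    static readonly Dictionary<int, string> RecordOffice = new Dictionary<int, string> { { 1, "Chicago" }, { 2, "New York" } };
    static readonly Dictionary<string, string> UserOffice = new Dictionary<string, string> { { "alice", "Chicago" }, { "bob", "New York" } };

    // Assumption: a random server-side key, not a constant compiled into the app.
    static readonly byte[] Key = NewKey();
    static byte[] NewKey()
    {
        var k = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(k);
        return k;
    }

    // HMAC over "user|id": a link issued to one user does not verify for another.
    static string Tag(string user, int id)
    {
        using (var mac = new HMACSHA256(Key))
            return BitConverter.ToString(mac.ComputeHash(Encoding.UTF8.GetBytes(user + "|" + id))).Replace("-", "");
    }

    public static string LinkFor(string user, int id) => "EditPage.aspx?ID=" + id + "&sig=" + Tag(user, id);

    // Assumption: 'user' comes from the authenticated session, never from the URL.
    public static string Load(string user, int id, string sig)
    {
        string expected = Tag(user, id), given = sig ?? "";
        int diff = given.Length ^ expected.Length;           // compare without early exit
        for (int i = 0; i < expected.Length && i < given.Length; i++) diff |= given[i] ^ expected[i];
        if (diff != 0) return "400 link was altered or issued to someone else";
        // The tag only shows the server issued this link; the office check decides access.
        string recOffice, userOffice;
        if (!RecordOffice.TryGetValue(id, out recOffice) || !UserOffice.TryGetValue(user, out userOffice)
            || recOffice != userOffice) return "403 forbidden";
        return "200 record " + id;
    }

    static void Main()
    {
        Console.WriteLine(LinkFor("alice", 1));
        Console.WriteLine(Load("alice", 1, Tag("alice", 1))); // untouched link
        Console.WriteLine(Load("alice", 2, Tag("alice", 1))); // ID edited, old tag reused
        Console.WriteLine(Load("alice", 2, Tag("alice", 2))); // valid tag, record in another office
    }
}
```

The last call is the case that matters: even with a correctly issued tag, the request is refused because the office check, not the URL, decides access.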

I see that request encryption has some utility... Suppose you want the user not to change ?recordID=1 to ?recordID=2.

I know this should be protected on page load, but we all know that not everyone does it.

+1

It seems like a cheap and fun way to stop users from messing with GET parameters. I know that I play with the GET parameters to get what I want.

However, it seems strange that GET requests sent from Javascript will also need to encode URLs. This makes it difficult to create an interactive site on AJAX-y. At this point, it seems very harmful to have a system in place.

If I had a vote, I would vote

  • rewrite URL parsing mechanisms so that they accept both encrypted and unencrypted strings,
  • mark URL encryption function as [Obsolete]
  • gradually remove the encryption system.
+1

As for ViewState, it is already encrypted and verified in every possible way using ASP.NET runtime.

Speaking of request URLs (or query strings) - personally, I see no reason to encrypt them, because there are no reasonable excuses for this.

0