Scribd
Upload
109 views3 pages

En Crypt Ing Query Strings With

This document discusses encrypting query strings in .NET to securely pass user data between web pages. It describes encrypting values in the query string using a symmetric encryption key to prevent clear text user IDs and other sensitive data from being visible in URLs. The code examples show encrypting a query string value on one page, passing the encrypted value in the URL, then decrypting it on the next page to retrieve the original data value securely.

Uploaded by

khundalini
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
109 views3 pages

En Crypt Ing Query Strings With

This document discusses encrypting query strings in .NET to securely pass user data between web pages. It describes encrypting values in the query string using a symmetric encryption key to prevent clear text user IDs and other sensitive data from being visible in URLs. The code examples show encrypting a query string value on one page, passing the encrypted value in the URL, then decrypting it on the next page to retrieve the original data value securely.

Uploaded by

khundalini
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
You are on page 1/ 3

Encrypting QueryStrings with .

NET

Once upon a time in the tech world, obscurity was security - this being most true in the early years
of the industry, when there were gaping holes in privacy policies and confidential client information
was bandied about from site to site without a care as to who actually could read the information.

With the new Cryptography classes in .NET, there's absolutely no excuse for not hiding even the
most innocuous user data. If you ever need to 'piggy-back' information from one web page to
another, whether it is within a POST or a GET parameter, you're passing clear information that
anyone can sniff - and that's a bad thing.

If you're not going to use a session variable for storing end user information, you're most likely
going to keep some sort of State by passing the information to a cookie or push it around with
GET/POST parameters. If you're passing around any sort of ID or user information like their name,
it's better to err on the side of caution and encrypt the information.

GET Vs. POST

A POST parameter keeps the information out of the URL, but it can still be sniffed quite easily as it
passes in clear text across your network or the Internet. Using POST will keep the mere curious at
bay, as the information is not contained in the URL - but this will not stop someone determined to
snag out your data.

A QueryString parameter passes information within the site's URL. Why would you even use a
QueryString? Well, maybe you need to let your user bookmark a particular page, or maybe you
have to refer directly to a page in a URL via a link - you can't do either if you're using POST. A
QueryString puts data in the URL for the entire world to see, so if you don't know if the end user is
malicious, I'd think hard about using a QueryString for anything but site-related information.

Be smart and encrypt any and all data you're moving around from page to page, especially if that
information could be used maliciously. You may trust your users, but you still need that extra level
of security that clear text GET/POST data doesn't provide.

Imagine this scenario - you've been passing the customer's ID in the database around in a
QueryString, in a URL that looks like this:

http://yoursite.com?cust_id=29

You know what a user is going to do? Switch that 29 to a 30 or 12 or some other number, and if
you're not checking for invalid requests, you'll be dishing up some other customer's data.

Enter Encryption

What I was looking for was a quick way to encrypt and decrypt parts of a QueryString - it had to be
on the fly, quick and dirty.

I chose Base64 because it wouldn't throw bizarre characters in my QueryString that I couldn't pass
around… Little did I know that I'd hit a snag while passing around my encrypted QueryString -
Apparently, the Request.QueryString object interprets the '+' sign as a space! So, with a quick
Replace function slapped on my decrypt string, no harm, no foul.

Symmetric Key
The whole trick to this working is that the QueryString is encrypted and decrypted with the same
private key. This is the secret key - if anyone gets a hold of your key, they can decrypt the data
themselves, so keep it a secret!

We're going to use a hard-to-crack 8 byte key, !#$a54?3, to keep parts of our QueryString secret.

Let's Walk through the C# portion of the code:

Notice our two functions that abstract the dirty work that our Encryption64 class. The first,
encryptQueryString, is used to encrypt the value of a QueryString. The second,
decryptQueryString, is used to decrypt the value of an encrypted QueryString.

public string encryptQueryString(string strQueryString) {


ExtractAndSerialize.Encryption64 oES =
new ExtractAndSerialize.Encryption64();
return oES.Encrypt(strQueryString,"!#$a54?3");
}

public string decryptQueryString(string strQueryString) {


ExtractAndSerialize.Encryption64 oES =
new ExtractAndSerialize.Encryption64();
return oES.Decrypt(strQueryString,"!#$a54?3");
}

If we wanted to encrypt our QueryString on our first page, we could do something like this:
string strValues = "search term";
string strURL = "http://yoursite.com?search="
+ encryptQueryString(strValues);
Response.Redirect(strURL);

Inside our code-behind in our second page, we pass the contents our QueryString to a variable
named strScramble. After that, we replace the '+' signs that our wonderful Request.QueryString
has replaced with a space. We pass that string into our function, decryptQueryString, and retrieve
the decrypted string.
string strScramble = Request.QueryString["search"];
string strdeCrypt = decryptQueryString(
strScramble.Replace(" ", "+"));

Now we've decrypted the value of the QueryString, 'search', and we can do whatever we want with
it. The end user is going to see a URL that looks like:
http://yoursite.com?search=da00992Lo39+343dw

They'll never be able guess what's going on in your QueryString, and if they try to fool around with
it, there's no way to crack the code without knowing the Symmetric key.

VB.NET
Imports System
Imports System.IO
Imports System.Xml
Imports System.Text
Imports System.Security.Cryptography

Public Class Encryption64


Private key() As Byte = {}
Private IV() As Byte = {&H12, &H34, &H56, &H78, &H90, &HAB, &HCD, &HEF}

Public Function Decrypt(ByVal stringToDecrypt As String, _


ByVal sEncryptionKey As String) As String
Dim inputByteArray(stringToDecrypt.Length) As Byte
Try
key = System.Text.Encoding.UTF8.GetBytes(Left(sEncryptionKey, 8))
Dim des As New DESCryptoServiceProvider()
inputByteArray = Convert.FromBase64String(stringToDecrypt)
Dim ms As New MemoryStream()
Dim cs As New CryptoStream(ms, des.CreateDecryptor(key, IV), _
CryptoStreamMode.Write)
cs.Write(inputByteArray, 0, inputByteArray.Length)
cs.FlushFinalBlock()
Dim encoding As System.Text.Encoding = System.Text.Encoding.UTF8
Return encoding.GetString(ms.ToArray())
Catch e As Exception
Return e.Message
End Try
End Function

Public Function Encrypt(ByVal stringToEncrypt As String, _


ByVal SEncryptionKey As String) As String
Try
key = System.Text.Encoding.UTF8.GetBytes(Left(SEncryptionKey, 8))
Dim des As New DESCryptoServiceProvider()
Dim inputByteArray() As Byte = Encoding.UTF8.GetBytes( _
stringToEncrypt)
Dim ms As New MemoryStream()
Dim cs As New CryptoStream(ms, des.CreateEncryptor(key, IV), _
CryptoStreamMode.Write)
cs.Write(inputByteArray, 0, inputByteArray.Length)
cs.FlushFinalBlock()
Return Convert.ToBase64String(ms.ToArray())
Catch e As Exception
Return e.Message
End Try
End Function

End Class
Generated using PrettyCode.Encoder

You might also like