2/12/2011

Query String Encryption using HTTP Module : ASP.NET Security

Most of the time we pass information between the pages of a web application through the query string. However, the query string gives the end user direct visibility of the parameters your page expects. If someone modifies the query string and passes that information to the page, it can become a security threat.

/technade.aspx?ID=123&Query=select

There are many ways to encrypt a query string. But most of them do not encrypt the query parameter names; they only encrypt the values. However, if someone tries different algorithms against those values, it could again lead to a security breach unless you have very good exception handling in place.

/technade.aspx?ID=s1kokkkh1kjn&Query=kjoiujooijoi

If you encrypt your query string, every time you want to access its values you have to decode it first. If you have already written some code, the impact is large, because you will have to adapt that code after the implementation. What if there were a way to show the user an encrypted format while, for the code, everything stays the same?

What I mean is :

The user sees this

?Technade=VXzal017xHwKKPolDWQ

while your code sees

ID=123&Query=select and accesses it through Request.QueryString["ID"]...

How to encrypt your query string in ASP.NET with the help of an HTTP module?

Before we dive in, let me explain what an HTTP module is.

HTTP modules are one of the series of extensible objects that the ASP.NET runtime can instantiate to process a request. They are filters that can pre- and post-process requests as they pass through the HTTP pipeline. Many of the services provided in ASP.NET are exposed as HTTP modules, especially the ones related to security.

So how do we use an HTTP module for encrypting and decrypting query strings?

Download the source code for the file here.

The source file in the above link contains the code for encryption and decryption of the query string.

How to use it?

  • Include the file in your project and change the namespace accordingly.
  • Once you have included the file in your project, add the following tag to the relevant section of your Web.config.

    <httpModules>
      <add name="EncryptDecryptModule" type="Technade.Web.Core.Application.EncryptDecrypt"/>
    </httpModules>
  • Make sure that you have included the correct type in the above line.

That's it. You are done. Now all the query strings in your application will be encrypted automatically. Sometimes you may want to enable or disable query string encryption manually. The source code in the file has a provision for enabling and disabling query string encryption.

You will find the following line in the source code.

// Encrypt the query string and redirects to the encrypted URL.
// Remove if you don't want all query strings to be encrypted automatically.

string encryptedQuery = Encrypt(query);

Remove the line and query strings will no longer be encrypted automatically. Instead, you will have to call Encrypt manually, as below, whenever you want encryption.

string querystring = EncryptDecrypt.Encrypt( "ID=123&query=select" );

Decryption, however, is automatic: the module always checks for the encryption key that is prepended to the query string in the code. If the encryption key exists, it decrypts; otherwise it leaves the query string as it is. The file is documented to a good extent, so it should not be too difficult to understand how it works.
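For comparison, here is a minimal module of the same shape. It is an added illustration, not the downloadable Technade file, showing the transparent decrypt-and-rewrite step with authenticated encryption so that a modified token is rejected rather than passed through. The class name, the purpose string, the 400 response and the use of MachineKey.Protect (.NET Framework 4.5 or later) are assumptions of this sketch; only the Technade parameter name comes from the URL shown above.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Added sketch, not the Technade source. Names marked "hypothetical" are assumptions.
public class QueryStringProtectModule : IHttpModule   // hypothetical class name
{
    private const string ParameterName = "Technade";          // as in the URL shown in the post
    private const string Purpose = "QueryStringProtect.v1";   // hypothetical purpose string

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    // Encrypts and authenticates a whole query string such as "ID=123&Query=select".
    public static string Encrypt(string query)
    {
        byte[] sealedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(query), Purpose);
        return "?" + ParameterName + "=" + HttpServerUtility.UrlTokenEncode(sealedBytes);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string token = ctx.Request.QueryString[ParameterName];
        if (string.IsNullOrEmpty(token)) return;   // no token: leave the request untouched

        try
        {
            byte[] sealedBytes = HttpServerUtility.UrlTokenDecode(token);
            if (sealedBytes == null) { Reject(ctx); return; }
            // Unprotect verifies integrity before decrypting; it throws on any change.
            string query = Encoding.UTF8.GetString(MachineKey.Unprotect(sealedBytes, Purpose));
            // Pages keep reading Request.QueryString["ID"] exactly as before.
            ctx.RewritePath(ctx.Request.FilePath, ctx.Request.PathInfo, query);
        }
        catch (CryptographicException) { Reject(ctx); }   // tampered or foreign token
        catch (FormatException) { Reject(ctx); }          // not valid URL-token encoding
    }

    private static void Reject(HttpContext ctx)
    {
        ctx.Response.StatusCode = 400;
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

On a web farm every node needs the same machineKey configuration so that a token issued by one server can be read by another. The page handling ID=123 must still check that the current user is allowed to see that record, because a valid token can be replayed by anyone who holds the URL.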


8 comments:

Works as designed, but URLs are exposed in asp:hyperlinks and asp:imagebutton etc.

I have changed the file as:

//namespace Technade.Web.Core.Application
//{
public class EncryptDecrypt : IHttpModule
{
---
---
---
}
//}

I have added the file in APP_CODE and have added the following line in web.config:




However this does not work.

Please help!

Did you use the encrypt and decrypt functions in your code?

Works for me! But this does not work when the postback event happens. Do you have an idea on how to solve this?

My code works fine on the local server, but when deployed to the server it doesn't show the encrypted value; rather, it displays the actual value. How can I solve this problem?

Could not load type ' Technade.Web.Core.Application.EncryptDecrypt'. (C:\Users\nk\CDSL\web.config line 73)
What mistake did I make?
My web.config is