Passing Parameters to a QueryString – The right way to do it, Encryption
Ok, so the other day I was browsing some asp.Net Forums, answering question when I came across this little diamond. The question was on simply passing parameters to a querystring and this is how it was answered.
Q: How do I pass the UserId and Password to my login.aspx page?
A: Have a Hyperlink control pointing to Login.aspx and append the Text of each textbox to the querystring as parameters, see below
dim myPara as string= "?userid=" & txtUserName.text & _ "&password=" & txtPassword.text lnkLogin.navigateUrl = "login.aspx" & myPara
How to kill me
I think I had a mini heart attack when I read this. This! This my friends is how people get hurt. Lets read it together and dissect.
- First of all, this code is not validating the parameters at all before sending them to the login.aspx querystring, what would happen if either textbox was empty?
- There’s no validation on the data types, what would happen if I entered a bunch of 5′s for both answer, nothing catastrophic but if your expecting a string response, you should check for string before sending it to your QueryString.
- Now, what happens if I insert malicious code here instead of an actual username? I won’t give an example but assuming this parameter was going to go to an SQL database, this is how injection occurs.
- Lastly, the user’s password is sent to another page, in open text, not hidden at all.
How do I fix this?
In most cases, my answer would immediately be, just use Routing (http://everymanprogrammer.com/index.php/asp-net-4-0-routing-a-simple-tutorial-that-works/), its smarter, cleaner and Search Engines dig it. Ok, we can’t always use Routing so let’s figure another way of doing this.
easiest smartest thing to do here would be to Encrypt the data received from the textboxes before sending it to the Login.aspx querystring and decrypt it before sending it to whatever Authentication mechanism you’re using. I got this code off a forum, maybe 6months to a year ago and I truly appreciate it, if you recognize it, please let me know and I’ll give the author credit.
Ok, so essential the code is broken into 3 parts. In my example I’ve place the below code into a helper.vb Class file.
Const passphrase As String = "thisisaspecialkeyusedtohashyourcontent_changemeandmakemeunique"
Essentially this is a secret code used to Hash your content, by using a code like this, it ensures that your Hash Table is unique from other users using the same code. Smart huh?
Now, we have 2 complex but smart functions that both Encrypt the data to send and Decrypt it for receipt.
*Edit – Thanks to David Harvey for pointing out I missed the Imports line*
Public Shared Function EncryptData(Message As String) As String Dim Results As Byte() Dim UTF8 As New System.Text.UTF8Encoding() Dim HashProvider As New MD5CryptoServiceProvider() Dim TDESKey As Byte() = HashProvider.ComputeHash(UTF8.GetBytes(passphrase)) Dim TDESAlgorithm As New TripleDESCryptoServiceProvider() TDESAlgorithm.Key = TDESKey TDESAlgorithm.Mode = CipherMode.ECB TDESAlgorithm.Padding = PaddingMode.PKCS7 Dim DataToEncrypt As Byte() = UTF8.GetBytes(Message) Try Dim Encryptor As ICryptoTransform = TDESAlgorithm.CreateEncryptor() Results = Encryptor.TransformFinalBlock(DataToEncrypt, 0, DataToEncrypt.Length) Finally TDESAlgorithm.Clear() HashProvider.Clear() End Try Return Convert.ToBase64String(Results) End Function Public Shared Function DecryptString(Message As String) As String Dim Results As Byte() Dim UTF8 As New System.Text.UTF8Encoding() Dim HashProvider As New MD5CryptoServiceProvider() Dim TDESKey As Byte() = HashProvider.ComputeHash(UTF8.GetBytes(passphrase)) Dim TDESAlgorithm As New TripleDESCryptoServiceProvider() TDESAlgorithm.Key = TDESKey TDESAlgorithm.Mode = CipherMode.ECB TDESAlgorithm.Padding = PaddingMode.PKCS7 Dim DataToDecrypt As Byte() = Convert.FromBase64String(Message) Try Dim Decryptor As ICryptoTransform = TDESAlgorithm.CreateDecryptor() Results = Decryptor.TransformFinalBlock(DataToDecrypt, 0, DataToDecrypt.Length) Finally TDESAlgorithm.Clear() HashProvider.Clear() End Try Return UTF8.GetString(Results) End Function
I’m not even going to try and explain everything that’s going on here, instead, let’s just add the final 2 pieces of the puzzle, in our default.aspx page we add our controls for a login, and in our default.vb
Private Sub btnSubmit_Click(sender As Object, e As System.EventArgs) Handles btnSubmit.Click Response.Redirect("~/login.aspx?username=" & EncryptData(txtUsername.Text) & "&password=" & EncryptData(txtPassword.Text)) End Sub
in our login.vb
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load Dim username = DecryptString(Request.QueryString(0)) Dim password = DecryptString(Request.QueryString(1)) Label1.Text = "Your username is " & username & " and your password is " & password End Sub
Now let’s run this baby. Enter some text in each textbox and submit, now, pay special attention to the querystring.
Now that’s sexy!
Ok, maybe not, but it’s smart, and smart is sexy, right?
Wow, tough crowd.
This was just a small example of how 15lines of code and 2 functions can make or break your website. At this point, there should still be additional checking to occur before the encryption, like Validation Controls on each textbox but you get the picture. This is a small price to pay for security and your users will appreciate the care your are taking with the information they are storing on your website.
Visit my Sponsors
- Using Delegate Methods to "Broadcast"... on Using Delegate Methods to “Broadcast” data to your Child Controls
- AutoComplete Dropdown Made Easy - A Beginner's Tutorial - The Everyman Programmer The Everyman Programmer on Using the Ajaxtoolkit Watermark Extender
- Using the Ajax Modal Popup as a Login Control - A Beginner`s Guide - The Everyman Programmer The Everyman Programmer on Using the Ajax Modal Popup as a Login Control – A Beginner`s Guide – Part 2
- Using the Ajax Modal Popup as a Login Control – A Beginner`s Guide - Part 2 - The Everyman Programmer The Everyman Programmer on Passing Parameters to a QueryString – The right way to do it, Encryption
- Using the Ajax Modal Popup as a Login Control – A Beginner`s Guide - Part 2 - The Everyman Programmer The Everyman Programmer on Re-Usable Database Connection Class – A Beginner’s Tutorial Part 1