On most web sites, values are passed in the address bar when redirecting from one page to another, for example
www.abcabc.com/files.aspx?fileid=1
which gives the details of the file with identity 1. If someone changes this number to 2 or 3, the page returns the file with id 2 or 3, whichever was entered.
I am writing this article because, when I wanted to restrict this for one of my projects, I could not find even a tip on it for a long time; after a while I solved the problem with help from forums.
At the end of this article I am attaching a sample web application for encrypting the query string. In it I used an HttpModule to encrypt the query string. When a class implements the IHttpModule interface, every request to the website passes through that class.
public class QueryStringModule : IHttpModule
In the following lines I get the current request and its URL so that the query string can be replaced with the encrypted query string. HttpContext context = HttpContext.Current; if (context.Request.Url.OriginalString.Contains("aspx") && context.Request.RawUrl.Contains("?")) { string query = ExtractQuery(context.Request.RawUrl); string path = GetVirtualPath();
if (query.StartsWith(PARAMETER_NAME, StringComparison.OrdinalIgnoreCase)) { // Decrypts the query string and rewrites the path. string rawQuery = query.Replace(PARAMETER_NAME, string.Empty); string decryptedQuery = ReWriteDecrypt(rawQuery); context.RewritePath(path, string.Empty, decryptedQuery); } else if (context.Request.HttpMethod == "GET") { // Encrypt the query string and redirects to the encrypted URL. // Remove if you don't want all query strings to be encrypted automatically. string encryptedQuery = Encrypt(query); context.Response.Redirect(path + encryptedQuery, false); } }
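/// <summary>
/// Returns the last segment of the current request path (for example <c>files.aspx</c>)
/// with any query string removed. Despite the name this is the file name only, not the
/// full virtual path, so a URL built from it is relative to the current directory.
/// </summary>
/// <returns>The final path segment of <c>Request.RawUrl</c>, without the query string.</returns>
private static string GetVirtualPath()
{
    string path = HttpContext.Current.Request.RawUrl;

    // Substring(0, -1) would throw when the URL carries no query string, so only trim
    // when a '?' is actually present. The char overloads avoid culture-sensitive search.
    int queryStart = path.IndexOf('?');
    if (queryStart >= 0)
    {
        path = path.Substring(0, queryStart);
    }

    return path.Substring(path.LastIndexOf('/') + 1);
}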
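/// <summary>
/// Returns the query string portion of <paramref name="url"/>, without the leading '?'.
/// </summary>
/// <param name="url">A URL or raw request path that may carry a query string.</param>
/// <returns>Everything after the first '?', or an empty string when there is no '?'.</returns>
/// <exception cref="ArgumentNullException"><paramref name="url"/> is null.</exception>
private static string ExtractQuery(string url)
{
    if (url == null)
    {
        throw new ArgumentNullException("url");
    }

    // Previously a URL without '?' came back whole (IndexOf == -1, hence Substring(0));
    // an absent query string is an empty query string.
    int queryStart = url.IndexOf('?');
    return queryStart < 0 ? string.Empty : url.Substring(queryStart + 1);
}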
The methods that perform encryption and decryption:
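/// <summary>
/// Fixed salt used when deriving the AES and HMAC keys from <c>ENCRYPTION_KEY</c>.
/// PBKDF2 rejects salts shorter than 8 bytes, and the previous value (the decimal length
/// of the key) was only one or two characters long. A constant application salt is
/// acceptable here because the password is a single server-side secret rather than a
/// per-user value. Changing it invalidates every previously issued encrypted query string.
/// </summary>
private static readonly byte[] SALT = Encoding.ASCII.GetBytes("QueryStringModule.PBKDF2.v1");

/// <summary>PBKDF2 iteration count. Paid once per process, see <see cref="KeyMaterial"/>.</summary>
private const int KeyDerivationIterations = 100000;

/// <summary>AES block size in bytes; also the IV length.</summary>
private const int BlockSize = 16;

/// <summary>HMAC-SHA256 tag length in bytes.</summary>
private const int TagSize = 32;

/// <summary>
/// 64 bytes of key material derived on first use: bytes 0-31 are the AES-256 key and
/// bytes 32-63 the HMAC-SHA256 key. Deriving once, instead of on every request as the
/// previous <c>PasswordDeriveBytes</c> code did, keeps the module from being a cheap
/// CPU-exhaustion target.
/// </summary>
private static readonly Lazy<byte[]> KeyMaterial = new Lazy<byte[]>(DeriveKeyMaterial);

/// <summary>The AES-256 key half of <see cref="KeyMaterial"/>.</summary>
private static byte[] EncryptionKey
{
    get { return Slice(KeyMaterial.Value, 0, 32); }
}

/// <summary>The HMAC-SHA256 key half of <see cref="KeyMaterial"/>.</summary>
private static byte[] MacKey
{
    get { return Slice(KeyMaterial.Value, 32, 32); }
}

/// <summary>Runs PBKDF2-HMAC-SHA256 over <c>ENCRYPTION_KEY</c> and <see cref="SALT"/>.</summary>
private static byte[] DeriveKeyMaterial()
{
    using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(ENCRYPTION_KEY, SALT, KeyDerivationIterations, HashAlgorithmName.SHA256))
    {
        return kdf.GetBytes(64);
    }
}

/// <summary>
/// Encrypts any string for use as a query string: AES-256-CBC under a fresh random IV,
/// then HMAC-SHA256 over IV and ciphertext (encrypt-then-MAC). The random IV makes two
/// encryptions of the same value differ, and the tag lets <see cref="Decrypt"/> reject a
/// URL whose token was edited, which the previous unauthenticated CBC output could not.
/// </summary>
/// <param name="inputText">The plaintext query string (for example <c>fileid=1</c>).</param>
/// <returns>
/// <c>"?" + PARAMETER_NAME + token</c>, where the token is URL-safe Base64
/// (<c>-</c> and <c>_</c> instead of <c>+</c> and <c>/</c>, no padding) of
/// <c>IV || ciphertext || tag</c>.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="inputText"/> is null.</exception>
public static string Encrypt(string inputText)
{
    if (inputText == null)
    {
        throw new ArgumentNullException("inputText");
    }

    byte[] plainText = Encoding.UTF8.GetBytes(inputText);

    byte[] iv = new byte[BlockSize];
    using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(iv);
    }

    byte[] cipherText;
    using (Aes aes = Aes.Create())
    {
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = EncryptionKey;
        aes.IV = iv;
        using (ICryptoTransform encryptor = aes.CreateEncryptor())
        {
            cipherText = encryptor.TransformFinalBlock(plainText, 0, plainText.Length);
        }
    }

    // Layout: IV || ciphertext || HMAC(IV || ciphertext).
    byte[] token = new byte[BlockSize + cipherText.Length + TagSize];
    Buffer.BlockCopy(iv, 0, token, 0, BlockSize);
    Buffer.BlockCopy(cipherText, 0, token, BlockSize, cipherText.Length);
    byte[] tag = ComputeTag(token, BlockSize + cipherText.Length);
    Buffer.BlockCopy(tag, 0, token, BlockSize + cipherText.Length, TagSize);

    return "?" + PARAMETER_NAME + ToUrlSafeBase64(token);
}

/// <summary>
/// Decrypts a token produced by <see cref="Encrypt"/> and splits the plaintext query
/// string into name/value pairs. Values are returned exactly as they were encrypted; they
/// are not URL-decoded here. A valid token only proves that this application issued the
/// URL; the page that consumes the values must still check that the current user is
/// allowed to access whatever the parameters identify.
/// </summary>
/// <param name="inputText">The token, i.e. the query string with <c>PARAMETER_NAME</c> already removed.</param>
/// <returns>The decrypted parameters; a parameter without <c>=</c> gets an empty value.</returns>
/// <exception cref="ArgumentNullException"><paramref name="inputText"/> is null.</exception>
/// <exception cref="FormatException">The token is not valid Base64.</exception>
/// <exception cref="CryptographicException">The token is truncated, was tampered with, or was produced under a different key.</exception>
public static System.Collections.Specialized.NameValueCollection Decrypt(string inputText)
{
    return ParseQuery(DecryptToString(inputText));
}

/// <summary>
/// Decrypts a token produced by <see cref="Encrypt"/> and returns the plaintext query
/// string (for example <c>fileid=1</c>), ready to be handed to <c>RewritePath</c>.
/// </summary>
/// <param name="inputText">The token, i.e. the query string with <c>PARAMETER_NAME</c> already removed.</param>
/// <returns>The decrypted query string without a leading '?'.</returns>
/// <exception cref="ArgumentNullException"><paramref name="inputText"/> is null.</exception>
/// <exception cref="FormatException">The token is not valid Base64.</exception>
/// <exception cref="CryptographicException">The token is truncated, was tampered with, or was produced under a different key.</exception>
/// <remarks>
/// Failures are reported as exceptions. As far as the visible module code shows, the caller
/// does not catch them, so a mangled or forged URL would surface as a server error; the
/// caller should treat <see cref="FormatException"/> and <see cref="CryptographicException"/>
/// as a bad request.
/// </remarks>
public static string ReWriteDecrypt(string inputText)
{
    return DecryptToString(inputText);
}

/// <summary>Verifies the tag and decrypts; shared by <see cref="Decrypt"/> and <see cref="ReWriteDecrypt"/>.</summary>
private static string DecryptToString(string token)
{
    if (token == null)
    {
        throw new ArgumentNullException("token");
    }

    byte[] data = FromUrlSafeBase64(token);

    // Smallest valid token: IV, one padded block, tag. Length checks come before the
    // MAC so a truncated token cannot produce an index error.
    int cipherLength = data.Length - BlockSize - TagSize;
    if (cipherLength < BlockSize || cipherLength % BlockSize != 0)
    {
        throw new CryptographicException("The encrypted query string is malformed.");
    }

    // Verify before decrypting so that padding errors never say anything about a forged token.
    byte[] expectedTag = ComputeTag(data, BlockSize + cipherLength);
    byte[] actualTag = Slice(data, BlockSize + cipherLength, TagSize);
    if (!FixedTimeEquals(expectedTag, actualTag))
    {
        throw new CryptographicException("The encrypted query string failed integrity verification.");
    }

    using (Aes aes = Aes.Create())
    {
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = EncryptionKey;
        aes.IV = Slice(data, 0, BlockSize);
        using (ICryptoTransform decryptor = aes.CreateDecryptor())
        {
            byte[] plainText = decryptor.TransformFinalBlock(data, BlockSize, cipherLength);
            return Encoding.UTF8.GetString(plainText);
        }
    }
}

/// <summary>
/// Splits <c>name=value&amp;name=value</c> into a collection. Unlike the previous loop,
/// an empty query or a parameter without '=' no longer throws.
/// </summary>
private static System.Collections.Specialized.NameValueCollection ParseQuery(string query)
{
    System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection();
    if (string.IsNullOrEmpty(query))
    {
        return parameters;
    }

    foreach (string pair in query.Split('&'))
    {
        if (pair.Length == 0)
        {
            continue;
        }

        int separator = pair.IndexOf('=');
        if (separator < 0)
        {
            parameters.Add(pair, string.Empty);
        }
        else
        {
            parameters.Add(pair.Substring(0, separator), pair.Substring(separator + 1));
        }
    }

    return parameters;
}

/// <summary>HMAC-SHA256 over the first <paramref name="count"/> bytes of <paramref name="data"/>.</summary>
private static byte[] ComputeTag(byte[] data, int count)
{
    using (HMACSHA256 hmac = new HMACSHA256(MacKey))
    {
        return hmac.ComputeHash(data, 0, count);
    }
}

/// <summary>
/// Compares two tags without short-circuiting on the first differing byte, so the
/// comparison time does not depend on how much of a forged tag happens to match.
/// </summary>
private static bool FixedTimeEquals(byte[] left, byte[] right)
{
    if (left.Length != right.Length)
    {
        return false;
    }

    int difference = 0;
    for (int i = 0; i < left.Length; i++)
    {
        difference |= left[i] ^ right[i];
    }

    return difference == 0;
}

/// <summary>Copies <paramref name="count"/> bytes starting at <paramref name="offset"/> into a new array.</summary>
private static byte[] Slice(byte[] source, int offset, int count)
{
    byte[] result = new byte[count];
    Buffer.BlockCopy(source, offset, result, 0, count);
    return result;
}

/// <summary>
/// Base64 with the URL-safe alphabet and no padding, so the token survives in a URL
/// without percent-encoding ('+', '/' and '=' are all special in URLs).
/// </summary>
private static string ToUrlSafeBase64(byte[] data)
{
    return Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}

/// <summary>Inverse of <see cref="ToUrlSafeBase64"/>; also accepts standard, padded Base64.</summary>
/// <exception cref="FormatException">The text is not valid Base64.</exception>
private static byte[] FromUrlSafeBase64(string text)
{
    string normalized = text.Trim().Replace('-', '+').Replace('_', '/');
    int padding = (4 - normalized.Length % 4) % 4;
    return Convert.FromBase64String(normalized + new string('=', padding));
}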
// Add this to the <httpModules> section of <system.web> in your web.config file
<add type="QueryStringModule" name="QueryStringModule" />
This helps in role-based access applications where one user must not be able to access other users' files or data. Encrypting the identifier only hides it, however; the page that serves the file must still check that the requesting user is authorized to access the file it identifies.
These encryption methods can also be used for other sensitive data in the application.
Attachments: Encrypt Query String (29574-24610-EncryptQueryStrings.rar)