Uri Query Crypt

Archived content, date: 11. march 2004


Encrypt your URL query's !

Prevent intruders to manipulate with query string of your URL and don't give them any chance to mess with your data using SQL injection. While there are many more SQL injection stopping techniques this one doesn't require ANY change in your existing code, and completely hides query's content.
All that you have to do is declare PUriQueryCrypt HttpModule in web.config of your web application. There are examples and instructions how to do this in PUriQueryCrypt archive.

I find that IHttpModule interface is a very interesting tool in ASP.NET development, it gives you power to do some work in various stages of page request handling, and what's more important FOR ALL requests of your web application.
I will demonstrate this on an example, and the example are query's on my humble page

When I created HttpHyperlink descendant control that can track the download count, I didn't think much about security, since, frankly, this site is just a hobby. So until recently my hyperlink controls were creating URL's for download with information of the "future" count that will be set if someone clicks on the link and downloads the file behind the link. It would be kids play to mess with such a lame solution, some one would just have to copy the link onto the clipboard, edit the count in the URL, and my site would have an incorrect download count, which, in this example, isn’t a big deal. Here is an example of the URL:

http://www.antoniob.com/default.aspx?TCountHyperLinkVarName=Link_DBImageColumn&TCountHyperLinkDownloadName=download/PDBImageColumn.zip&TCountHyperLinkCount=3

The last parameter is TCountHyperLinkCount=3, which you can change and post a modified request to the server and as a result get the PDbImageColumn.zip file but also set the download count to an arbitrary number.

I could pass this information differently but I find "fat URLs" very handy, and I wanted something that I can reuse and something that wouldn't require me to modify the existing code since I am a very lazy programmer :)

So the idea is encrypt the query information by implementing the IHttpModule and filtering all produced web content, then in filter encrypt all URLs that have my application root and when request from such link came back the HttpModule will intercept it and decrypt it's query.
This should work (I am writing this text before actual coding) and what’s even better I wont have to change anything in the existing code. I just have to declare my new HttpModule implementation in the web.config of the application in witch I want the encrypted fat URLs.

Here is my idea presented as use case

As you can see, the user only sees encrypted URL's, and the decryption is handled on the safe(r) server side.

This code is not properly tested on "real world" sites, only on my page that really doesn't have much traffic, at least not yet ;)

I am using this component on my site, it uses TRijndael as a encrypting class, specifically RijndaelManaged implementation from .NET framework, this is symmetric encryption algorithm, Rijndael was selected as the successor to DES and became AES, pretty big gun for my small site :))
You can learn more about AES from this link in Wikipedia : Advanced Encryption Standard

You can download PUriQueryCrypt.dll and source code here.