  • I wrote a module to reset your password using RSA keys.

  • The code will send an email to the user with a link to reset his
    password.

  • The user will then click on the link, which will send him back to the MVC web site.

  • The link is composed of 3 parts: URL / ID / Public RSA Key

  • I am using MVC with routes

Issue 1: RSA keys have slashes "/", therefore I had to URL-encode the key.

Issue 2: When the key is encoded and the user clicks on it, MVC gives me the following error:

The request filtering module is configured to deny a request that contains a double escape sequence

Does anyone know how to deal with RSA keys inside MVC using routes?

Of course, without opening the door to HTML injection...

Internet Engineer
  • However, this does expose security vulnerabilities to your application. See http://stackoverflow.com/a/7742208/426894 – asawyer Aug 15 '13 at 12:33
  • That will open the door for HTML Injection.... – Internet Engineer Aug 15 '13 at 12:34
  • You might want to take a look at http://stackoverflow.com/questions/7739233/double-escape-sequence-inside-a-url-the-request-filtering-module-is-configured. Also, does "MVC" mean something different in ASP.net? I only know of it in the meaning of the Model-View-Controller design pattern, which can't exactly do any error-throwing of its own. – JAB Aug 15 '13 at 12:34
  • @JAB "MVC" is a generic reference to ASP.net MVC Framework. Many people don't actually realize the framework is named after a design pattern, and use the shorthand. – Claies Aug 15 '13 at 12:38

2 Answers


I would recommend passing this information as query string parameters. Scott Hanselman explains this in detail in this blog post.

Quote from his conclusion:

After ALL this effort to get crazy stuff in the Request Path, it's worth mentioning that simply keeping the values as a part of the Query String (remember WAY back at the beginning of this post?) is easier, cleaner, more flexible, and more secure.

Darin Dimitrov

You can enable that feature with the following code in the web.config. Please note, however, that this may be a security risk, as it allows someone to append double-escaped JavaScript elements to a page URL, as many others have commented.

<!-- web.config: element and attribute names are case-sensitive, and
     <security> is a child of <system.webServer>, not of <modules> -->
<system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <security>
        <!-- "true" is the setting this answer warns about; the default is "false" -->
        <requestFiltering allowDoubleEscaping="true" />
    </security>
</system.webServer>

Your better option by far is to have your link go to a form which asks for the RSA key to be pasted in and submitted back. A small bit more work for your end users, but drastically more secure.

Claies