
I am using MVC3, .NET4.5, C#, Razor.

I have reused some very useful code from Albin on CodeProject to prevent URL tampering by adding a hash. Works well in the main.

However....

I now discovered that I am getting 404 error:

The request filtering module is configured to deny a request that contains a double escape sequence.

This I understand to be due to the inclusion of "+" in the URL, which in my case is within the hash, i.e.:

http://myServer/Controller/Action/Ivz7P+b2ZPmatG6kZaY_IR0az1s=?mode=xxx

The code for generating the hash is:

    using System;
    using System.Security.Cryptography;
    using System.Text;

    // Convert the salt into a byte array
    byte[] saltValueBytes = Encoding.ASCII.GetBytes(salt);
    // Derive a key from the password and salt (PBKDF2, 2 iterations)
    Rfc2898DeriveBytes key = new Rfc2898DeriveBytes(password, saltValueBytes, 2);
    // Get the key bytes from the above process
    byte[] secretKey = key.GetBytes(16);
    // Generate the hash (HMAC-SHA1 over the string being protected)
    HMACSHA1 tokenHash = new HMACSHA1(secretKey);
    tokenHash.ComputeHash(Encoding.ASCII.GetBytes(stringToToken));
    // Convert the hash to a Base64 string; "/" is replaced by "_", but "+" and "=" remain
    string token = Convert.ToBase64String(tokenHash.Hash).Replace("/", "_");

It seems that I need a way of generating hashes without "+" or replacing the "+"s, but that would invalidate the hash.

Best approach would be to generate hashes without "+"s.

Thoughts.

EDIT1

It seems if I take the UrlToken out of the routing and therefore have it appended at the end of the URL, i.e.:

http://myServer/Controller/Action?mode=xxx&urltoken=Ivz7P+b2ZPmatG6kZaY_IR0az1s=

It now works. Not sure why. Well the 404 goes away, but the URL tampering mechanism now fails all the time !! May not be related.

EDIT2

I have now got this working by altering the URL tampering code to extract the hash from the non-route bit, i.e. after "?". This all works fine, and as I understand it I have not opened any new vulnerabilities as I have kept the default ASP.NET settings.

EDIT3

See:

Hex Code Conversion

SamJolly
  • you need a url-friendly hash. check [this](http://stackoverflow.com/questions/1374753/passing-base64-encoded-strings-in-url) answer, it suggests to replace [+/=] chars with [-_~], which will work for path. Another approach would be not to use base-64 encode, and use raw hex-encoded sha value (of course, this will make url longer) – Alexander Jun 06 '14 at 11:46
  • Alexander, thanks for this. Interesting. What would the hex encoding code look like? My current Base64 conversion is "Convert.ToBase64String(tokenHash.Hash);" – SamJolly Jun 06 '14 at 13:46
  • Added HEX code as EDIT3 from generous online contribution. – SamJolly Jun 06 '14 at 13:54
  • In your case, simplest hex conversion would be HMACSHA1 s = ...; BitConverter.ToString(s.Hash).Replace("-", ""); – Alexander Jun 06 '14 at 14:06
  • Alexander, if you can put this as an answer then I can mark it up. I ended up with ?HexedHash as the answer with "correct" routes. Thanks. – SamJolly Jun 06 '14 at 16:06
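The two encodings suggested in the comments above (base64url, or plain hex) are shown here side by side, together with a verifier, as an added example; this is not the question's code nor Albin's CodeProject library, and the password, salt and protected string are constructed sample values. It derives the HMAC key the same way the question does (PBKDF2 with the question's iteration count of 2), so the only change is the token's encoding, which makes the token safe to place in a route segment without touching IIS request filtering.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: the question's HMAC-SHA1 token, encoded so it never contains
// '+', '/' or '=' and therefore survives both route segments and query strings.
public static class UrlSafeToken
{
    // Same derivation as the question: PBKDF2 over the password with the ASCII
    // salt. The iteration count (2) is the question's own; a production setting
    // would be far higher, but it does not affect the encoding problem here.
    private static byte[] DeriveKey(string password, string salt, int iterations)
    {
        byte[] saltBytes = Encoding.ASCII.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, saltBytes, iterations))
        {
            return kdf.GetBytes(16);
        }
    }

    // UTF-8 rather than the question's ASCII, so non-ASCII input cannot
    // silently collapse to '?' and collide with other input.
    private static byte[] Mac(byte[] key, string data)
    {
        using (var hmac = new HMACSHA1(key))
        {
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
        }
    }

    // base64url (RFC 4648 section 5): '+' -> '-', '/' -> '_', padding dropped.
    // 20 HMAC-SHA1 bytes become 27 characters from [A-Za-z0-9-_].
    public static string ToBase64Url(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Lower-case hex, as suggested in the comments: 40 characters from [0-9a-f].
    public static string ToHex(byte[] bytes)
    {
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }

    public static string Create(string password, string salt, string data, bool hex = false)
    {
        byte[] mac = Mac(DeriveKey(password, salt, 2), data);
        return hex ? ToHex(mac) : ToBase64Url(mac);
    }

    // Recompute the token and compare the encoded strings in constant time, so
    // the verifier neither decodes attacker-controlled input nor leaks how many
    // leading characters matched through its timing.
    public static bool Verify(string password, string salt, string data, string presented, bool hex = false)
    {
        string expected = Create(password, salt, data, hex);
        if (presented == null || expected.Length != presented.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ presented[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample values; a real secret would come from configuration.
        const string password = "example-secret";
        const string salt = "example-salt";
        string data = "/Controller/Action?mode=xxx";

        string token = UrlSafeToken.Create(password, salt, data);
        Console.WriteLine("token:        " + token);
        Console.WriteLine("route form:   http://myServer/Controller/Action/" + token + "?mode=xxx");
        Console.WriteLine("valid:        " + UrlSafeToken.Verify(password, salt, data, token));
        Console.WriteLine("tampered:     " + UrlSafeToken.Verify(password, salt, data + "&mode=yyy", token));

        string hexToken = UrlSafeToken.Create(password, salt, data, hex: true);
        Console.WriteLine("hex token:    " + hexToken);
        Console.WriteLine("hex valid:    " + UrlSafeToken.Verify(password, salt, data, hexToken, hex: true));
    }
}
```

Because neither alphabet contains a character that IIS request filtering or the query-string decoder treats specially, the token can sit in the route (as the question originally intended) or after "?" (as in EDIT2) with no change to web.config.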

2 Answers


IIS7 request filter rejects URLs containing + characters. You can disable it by adding this to your web.config:

<system.webServer>
    <security>
        <requestFiltering allowDoubleEscaping="true" />
    </security>
</system.webServer>

or you can encode '+' to '%20' by: System.Web.HttpUtility.UrlPathEncode(string str)

Mohsen Esmailpour
  • I think the problem with this is that you then open up other vulnerabilities such as code injection attacks. See EDIT2 for my final answer – SamJolly Jun 06 '14 at 11:31
  • Not sure if you can replace "+" with "%20" as this would invalidate the hash ie "+" is different to "%20" as far as the hash verification is concerned. – SamJolly Jun 06 '14 at 11:34
  • Decode the url with `System.Web.HttpUtility.UrlDecode` then use it. – Mohsen Esmailpour Jun 06 '14 at 11:43

I hope I don't get any down votes here, but I had issues while sending this kind of special data to some POS Terminals (Verifone, Hypercom, and Ingenico).

The way to fix it was escaping the URL (or your hash/anti-tampering stuff) using "HttpServerUtility.UrlEncode" and, to read it, ".UrlDecode". This encoded special characters and made them easily transportable.

So you may need to generate your links using this function.

http://msdn.microsoft.com/en-us/library/zttxte6w(v=vs.110).aspx

Hope it helps you

coloboxp
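Both answers recommend URL-encoding the token rather than relaxing request filtering. The following added example (not code from either answer) makes the failure mode concrete: a query-string decoder turns a raw "+" into a space, so a Base64 token dropped into a link by string concatenation no longer matches when it comes back, whereas the same token passed through HttpUtility.UrlEncode ("+" becomes %2B, "=" becomes %3D) round-trips intact. The sample token is constructed in the same shape as the question's, and the example assumes a reference to System.Web.dll (ASP.NET / .NET Framework).

```csharp
using System;
using System.Web;   // System.Web.dll reference assumed (ASP.NET / .NET Framework)

// Added example: what a query-string parser does to a raw Base64 token versus
// a URL-encoded one. Keeping the token intact this way needs no change to
// IIS request filtering (allowDoubleEscaping stays at its default of false).
public static class QueryTokenRoundTrip
{
    // Constructed sample token in the same shape as the question's.
    public const string Token = "Ivz7P+b2ZPmatG6kZaY_IR0az1s=";
    private const string Base = "http://myServer/Controller/Action?mode=xxx&urltoken=";

    // Link built by plain concatenation, as in EDIT1 of the question.
    public static string RawLink()
    {
        return Base + Token;
    }

    // Link built with the token URL-encoded: '+' -> %2b, '=' -> %3d.
    public static string EncodedLink()
    {
        return Base + HttpUtility.UrlEncode(Token);
    }

    // What the application receives once the query string has been decoded.
    // HttpUtility.ParseQueryString applies the same decoding rules as
    // Request.QueryString: %XX escapes are unescaped and '+' becomes ' '.
    public static string TokenAsReceived(string link)
    {
        string query = new Uri(link).Query;            // "?mode=xxx&urltoken=..."
        return HttpUtility.ParseQueryString(query)["urltoken"];
    }

    // The verifier's view: does the received value still equal the token?
    public static bool SurvivesRoundTrip(string link)
    {
        return TokenAsReceived(link) == Token;
    }

    public static void Main()
    {
        Console.WriteLine("raw link:     " + RawLink());
        Console.WriteLine("  received:   \"" + TokenAsReceived(RawLink()) + "\"");
        Console.WriteLine("  intact:     " + SurvivesRoundTrip(RawLink()));

        Console.WriteLine("encoded link: " + EncodedLink());
        Console.WriteLine("  received:   \"" + TokenAsReceived(EncodedLink()) + "\"");
        Console.WriteLine("  intact:     " + SurvivesRoundTrip(EncodedLink()));
    }
}
```

The same decoding step also explains why the raw-link form cannot simply be "fixed" on the receiving side: once "+" has become a space, there is no way to tell it apart from a space that was genuinely sent, so the encoding has to happen where the link is generated.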