
We have an application which is destined for https, so the data being transmitted is protected (or should I say as protected as need be). I would like to know about protecting/hiding (or similar) queryString values. It's a jQuery/Javascript front end which communicates using a mixture of GET and POST with the database via classic ASP web services. The web service sends JSON back to the client.

I realize the front end code could be changed so everything is passed using POST; however, the application is finished and tested, ready to deploy. There are some key values that are being passed in the querystring which should not have been. Is it possible to make it so the querystring values cannot be inspected or sniffed? The URL and querystring together will provide a direct link to the raw JSON. We would like to prevent this. Perhaps there is some jQuery/AJAX feature which can be explored. Perhaps some server IIS level tactic? I guess the sniffing occurs before the request gets to the server where the web service sits, therefore some server/IIS level tactic is not an option.

Any ideas/advice would be great, thank you.

Mat41
  • Query string values in the URL cannot be hidden. They are literally just a URL. You could kind of hide it just using posts, but like you said, you could just use browser dev tools to get the data. Same really with doing session variables. Id values should never be something that, if changed, could cause an issue. If an Id is passed in then the back end should check if the current user can see this data. If not, then 404 the page or redirect. This is the correct and easiest way to fix your problem. – mattfetz Feb 02 '15 at 23:47
  • The only way to "hide" querystring values would be either to do an ajax type request, or iframes / frames where the URL remains semi constant. Both will give you pretty URLs, but at the cost of bookmarks breaking and anyone who has ever opened up developer tools being able to see exactly what is going on. Bottom line, if it's sensitive information don't place it in querystring variables but rather in a session (db or cookie based). – Frank Feb 06 '15 at 05:22

2 Answers


You can use HTTP headers to send data to the server that is slightly less visible, but can still be detected using more advanced developer tools and loggers. For example, this answer describes using jQuery/Javascript (as you've asked) to send data without using QueryString.

You can't really prevent the client from being able to trace these details though.

The solution I personally suggest to you is to look into session state. By scoping a valid data response to a certain session state, and returning null when the state is invalid or expired, you can limit access to the data. This could be after just 1 time it's been retrieved. This strategy would involve the generation of a token or code that is passed out from your server at an earlier stage, and used when asking for the data in question.

Community
  • Thank you. The link you posted is a good one for another situation but isn't really applicable to mine.......I don't think. Correct me if wrong. Even if preflight custom headers were used in this way, the request which has been identified as genuine would still be sending the querystring values, therefore I am in the same situation. I am feeling the best thing to do is to alter the code to eliminate all QueryStrings (which should have been done in the first place). Thanks again! – Mat41 Feb 03 '15 at 02:04
  • @Mat41 Like Zero said, if you establish a "session" earlier in the workflow, the fact you're sending a querystring in the URL will not matter unless you have a valid session. Classic ASP has a `Session` object built in that allows you to access data across the life of a webpage; it utilises session cookies to accomplish this. – user692942 Feb 03 '15 at 09:33
  • @Lankymart thank you for your input. I am aware of the session object and its benefits, but this is server side. The original question of not allowing the querystring values to be seen/sniffed or inspected in any way I see as a separate topic. Whatever happens in the ASP session, or whether the request has been validated by sending pre-flight headers, the actual Ajax request still has to be sent, therefore is gettable. After the great advice here and some research I do not believe querystring values can be effectively hidden. Whatever is done prior to the eventual request, the request is visible. – Mat41 Feb 03 '15 at 23:25

Another alternative is to either use SSL or encrypt your data and drop it into a posted control such as a text input box. Microsoft adopted a similar process for their VIEWSTATE within ASP.NET.

Paul
  • Thank you for your input. SSL is going to be used; this only encrypts the data, it does not do anything to the URL, therefore the query string values. – Mat41 Feb 03 '15 at 23:32
  • cntd.. Manually encrypting the querystring values is an option separate to this, I realize. As I said in the original post, the code has been through UAT and is signed off ready to go-live. I was looking for ideas which did not require code changes (or very little change that would not demand official testing). It would appear this is not possible. The best way to avoid information being passed as querystrings is to avoid them. All the data should have been passed using jQuery's .data in a POST from the beginning. Lesson learnt (one that the team should have known....) – Mat41 Feb 03 '15 at 23:32