Let's suppose a user enters sensitive data (like SSN, etc.) in an HTML input (textbox) on a page in an MVC web app.

What would be the way to secure that piece of data before sending it (either through form-post, URL query string, etc.)? Does ASP.NET MVC provide a mechanism to do that?

P.S. I'd like to know how to do it with MVC, not HTTPS or something else based on infrastructure/transport/etc.

Ahmed Ashour
Rick
  • ASP.NET is a back-end technology - it won't help you transfer data securely from a front-end website. If you don't want to use HTTPS, which would be the better option, you'll have to look at something like encrypting in JavaScript. –  Mar 17 '17 at 23:27
  • I'm very clear in my question, and I don't know why MVC does – Rick Mar 18 '17 at 00:00
  • MVC is just an extension of ASP.NET - it's still running on the server, not the browser. Other than HTTPS, JavaScript is your only option for encrypting on the web page itself. –  Mar 18 '17 at 00:07
  • I'm asking about MVC for web apps. An MVC web app can send information typed by the user back to servers (the server hosting the web app). HTML by itself sends it in plain text (not safe, as anyone can dump it and see the values). Does the ASP.NET MVC framework provide a way to secure the data? – Rick Mar 18 '17 at 00:08
  • Your ASP.NET MVC application sends an HTML page to the end user's browser. At that point, it's beyond the control of your application, until that data gets sent back. You have no control of the HTML form except through JavaScript. So short answer, no, it doesn't work that way, and ASP.NET MVC has no way to secure that data. –  Mar 18 '17 at 00:17

2 Answers

The only (achievable) way to securely send any sensitive message between a web server and a client's web browser is via HTTPS/SSL - otherwise, your message will always be interceptable by a MITM attack, which is not really possible with a proper HTTPS setup (and this post too).

You could theoretically roll out a custom JS encryption and a custom decryption, but even then, your JS can easily be unminified and eventually de-obfuscated, assuming it was even obfuscated to begin with, which would no longer secure your custom encryption, assuming you could've gotten it working securely to begin with.

This answer goes into more detail on why you cannot secure a web application without HTTPS/SSL.

Community
James Haug

MVC is just an architectural design pattern which Microsoft set as a standard for developing web apps. Many other frameworks use MVC as a pattern for developing web apps under their framework (e.g. Spring MVC). Basically MVC is everywhere; don't get confused if you don't see Model, View, Controller folders, believe me, it's there. So, about sensitive information: there is a mechanism to prevent Cross-Site Request Forgery and other hacks, but if you're sending requests over HTTP, it's useless; you are sending a naked request that everybody can easily sniff. That's why HTTPS is always used where sensitive data is being passed from your computer to the server. Every time you open a connection to the server, for example when posting a form, HTTPS will provide you with encrypted communication with the server, where you can pass sensitive data without any concern. That's the basic concept, and it applies whatever framework you choose. So your answer is NO. Here is the link on how you can protect an ASP.NET app.
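
What the framework does offer on the server side, shown as an added example that is not part of either answer: MVC can refuse to serve actions over plain HTTP, keep the value in a POST body instead of the query string, and validate an anti-forgery token. It assumes ASP.NET MVC 5 (`System.Web.Mvc`) and a TLS certificate already bound to the site; `PatientForm` and `PatientController` are hypothetical names.

```csharp
// Added example (not from the original page). Assumes ASP.NET MVC 5 and a site
// that already has a TLS binding. PatientForm / PatientController are hypothetical.
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

public class FilterConfig
{
    // Called from Application_Start in Global.asax.
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Applies to every action: a plain-HTTP GET is redirected to HTTPS and
        // any other verb over plain HTTP throws InvalidOperationException, so no
        // action ever processes form data that arrived unencrypted.
        filters.Add(new RequireHttpsAttribute());
    }
}

public class PatientForm
{
    [Required]
    [RegularExpression(@"^\d{3}-\d{2}-\d{4}$")]   // server-side format check
    public string Ssn { get; set; }
}

public class PatientController : Controller
{
    [HttpGet]
    public ActionResult Edit()
    {
        return View(new PatientForm());
    }

    // POST keeps the value in the request body. A query string would put it in
    // the URL, where it ends up in server access logs and browser history.
    [HttpPost]
    [ValidateAntiForgeryToken]   // the view's form must emit @Html.AntiForgeryToken()
    public ActionResult Edit(PatientForm form)
    {
        if (!ModelState.IsValid)
        {
            return View(form);
        }
        // Pass form.Ssn to the storage layer here (out of scope for this example).
        return RedirectToAction("Edit");
    }
}
```

None of these attributes encrypts anything in the browser; the confidentiality of the submitted value still comes from the TLS connection that `RequireHttps` enforces.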