I want to encrypt the Id part of a given URL and I used SHA-1 for that. This algorithm converts the Id to the following string:
NxVhIhrfbZNzyxqtudUZdiv4DdQA9nF1Zn7CueGUiT8=|h1bCRiN5zxexiIhHp+qNEQ0jVh/8fMGiIkeTf30LVdU=
Therefore, my final url would be something like this:
http://localhost:9432/Product/Edit/NxVhIhrfbZNzyxqtudUZdiv4DdQA9nF1Zn7CueGUiT8=|h1bCRiN5zxexiIhHp+qNEQ0jVh/8fMGiIkeTf30LVdU=
This URL has some characters which cause the request to fail. For example, ‘+’ is not allowed in a URL. So I used HttpUtility.UrlEncode() on the encrypted Id and got this string as a result:
NxVhIhrfbZNzyxqtudUZdiv4DdQA9nF1Zn7CueGUiT8%3d%7ch1bCRiN5zxexiIhHp%2bqNEQ0jVh%2f8fMGiIkeTf30LVdU%3d
Now my URL is:
http://localhost:9432/Product/Edit/NxVhIhrfbZNzyxqtudUZdiv4DdQA9nF1Zn7CueGUiT8%3d%7ch1bCRiN5zxexiIhHp%2bqNEQ0jVh%2f8fMGiIkeTf30LVdU%3d
However, using the above URL causes the following error:
The request contained a double escape sequence and request filtering is configured on the Web server to deny double escape sequences.
I can ignore that by inserting the below code in web.config:
<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="true" />
  </security>
</system.webServer>
Now I have two questions:
1. Why does the result of HttpUtility.UrlEncode() cause any kind of error? As I noticed, the result of that doesn’t contain any illegal character for a URL.
2. As I understood, putting <requestFiltering allowDoubleEscaping="true" /> is not a good solution, since it will create a security hole in the application, so what would be the best solution in this case?
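
One way to keep the Id in the path without any percent-escapes, shown as an added example that is not part of the original post: convert each Base64 part to the base64url alphabet and swap the '|' separator, so the segment contains only RFC 3986 unreserved characters. The class and method names and the choice of '~' as the separator are assumptions of this example.

```csharp
using System;
using System.Linq;

// Added example, not code from the original post. Names are hypothetical.
public static class UrlSafeToken
{
    // Assumption: '~' replaces '|'. It is an RFC 3986 unreserved character
    // and is not part of the Base64 or base64url alphabets.
    private const char UrlSeparator = '~';

    // Standard Base64 parts joined by '|'  ->  base64url parts joined by '~'.
    public static string ToUrlSegment(string token)
    {
        return string.Join(UrlSeparator.ToString(),
            token.Split('|').Select(part =>
            {
                Convert.FromBase64String(part); // FormatException on malformed input
                return part.TrimEnd('=').Replace('+', '-').Replace('/', '_');
            }));
    }

    // Reverses ToUrlSegment and restores the stripped '=' padding.
    public static string FromUrlSegment(string segment)
    {
        return string.Join("|",
            segment.Split(UrlSeparator).Select(part =>
            {
                string b64 = part.Replace('-', '+').Replace('_', '/');
                b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
                Convert.FromBase64String(b64); // reject tampered or truncated values
                return b64;
            }));
    }

    public static void Main()
    {
        // Token string taken from the question above.
        string token = "NxVhIhrfbZNzyxqtudUZdiv4DdQA9nF1Zn7CueGUiT8=|h1bCRiN5zxexiIhHp+qNEQ0jVh/8fMGiIkeTf30LVdU=";
        string segment = ToUrlSegment(token);
        Console.WriteLine(segment);                          // value to place after /Product/Edit/
        Console.WriteLine(FromUrlSegment(segment) == token); // round-trip check
    }
}
```

With this form the action calls FromUrlSegment on the route value before processing it, and allowDoubleEscaping can stay at its default of false.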