-1

My programming knowledge is not very good. So here I discussed query string and route data security. Please review my approach and tell me am I thinking right way.

Often we work with query string and route data pass to controller action. So user can edit those data. For security purpose I do not allow to user edit route and query string data.

So I thought i will create a hash using those query string and route data and append that hash to end of URL.

  1. Is my thinking correct?
  2. Should I hash or encrypt query string and route data?
  3. Which one will be best...hashing or encrypt query string and route data?

This is the way I am doing it now. Here is bit code snippet:

@Html.ActionLink("Test", "Index", new { page = 1, q = Utility.HashData("Hello") })

public static class Utility
{
    public static string HashData(string input)
    {
        string retdata="";
        string salykey = "!xcorb@sinon_";
        byte[] inputBytes = Encoding.UTF8.GetBytes(string.Concat(input, salykey));
        SHA512Managed sha512 = new SHA512Managed();

        byte[] outputBytes = sha512.ComputeHash(inputBytes);
        string b64 = Convert.ToBase64String(outputBytes);
        b64 = b64.Replace('+', '-');
        retdata = b64.Replace('/', '_');
        return retdata;
    }
}

I am hashing data hello and now URL look like http://localhost:61151/Home/Index/1?q=NhX4DJ0pPtdAJof5SyLVjlKbjMeRb4-sf933-9WvTPd309eVp6AKFr9-fz-5Vh7puq5IDan-ehh2nnGIawPzFQ%3D%3D

Is it ok?

I just hash Hello and now see how big hash has been generated. So when I will hash many query string and route data together then my hash data will be huge. So if it will be huge that may cause an issue because the URL length must has some limitation....am I right?

  1. Can I shorten hashing data length? If possible then which hashing algorithm I should use?

Please discuss my points and drive me to right direction. Thanks.

NightOwl888
  • 55,572
  • 24
  • 139
  • 212
Mist
  • 684
  • 9
  • 30
  • 1
    Why in the world do you think you need to do that. And what do you think it solves from a security point of view? –  Feb 16 '18 at 09:49
  • if you search google with tamper proof querystring then you will find lots of article links where they showing we should hashing or encrypt query string data...all they are wrong ? – Mist Feb 16 '18 at 09:56
  • one link https://madskristensen.net/blog/httpmodule-for-query-string-encryption/ here MS guy show we should encrypt querystring but i hash it...this is the difference. – Mist Feb 16 '18 at 10:00
  • What is the problem you trying to solve? And how to you think that prevents 'tampering'? –  Feb 16 '18 at 10:00
  • @kayess please tell me what worse can happen if we hash querystring. – Mist Feb 16 '18 at 10:00
  • 2
    A hash cannot be decrypted. So your application has no way to know what the original string was – Steve Harris Feb 16 '18 at 10:01
  • another good link for asp.net mvc https://www.codeproject.com/Articles/1127126/Prevent-Url-Tampering-in-Asp-net-MVC – Mist Feb 16 '18 at 10:07
  • 4
    Again, what are your trying to do? You do NOT handle security via a query string. You handle security on the server. –  Feb 16 '18 at 10:08
  • i am looking for approach that user should not be able to tamper query string from client side. to protect it hashing or encrypting query string does not make sense? – Mist Feb 16 '18 at 11:21
  • https://www.experts-exchange.com/questions/26807050/HASH-with-SALT-using-SHA512.html – Mist Feb 16 '18 at 11:53
  • 2
    @Mist. First (as already noted) hashing is a one way action - you cannot reverse it so that is not something you can even consider. Second, for the umpteenth time, what make you think that encrypting makes it 'tamper proof' (a user can enter what ever they want in the address bar). So again why are you doing this - it does nothing to help secure your app. –  Feb 16 '18 at 11:56
  • If you want security, the first step is authorization/authentication (by making the user login in order to navigate to your site). Then if you have a page to say edit something, and only a certain user or group of users are permitted to do edit a specific record, then you check that in the controller method and redirect if they do not have the necessary permissions. –  Feb 16 '18 at 12:01
  • @StephenMuecke user can edit anything in url in browser address bar but if user does and send request to server then there i will have a action filter where i will match hash of querystring data and incoming hash...if match then allow otherwise redirect to error page. – Mist Feb 16 '18 at 12:47

1 Answers1

1

Should I hash or encrypt route and query string data?

Hashing

As pointed out by others, hashing implies that the data is irreversibly encoded so this is not an option.

Route Data

Route data is read by MVC and used to make MVC function correctly. Unless it is passed to the route via the URL path, route data is not even accessible outside of the web server. So, the answer is no don't encrypt route values.

Query Strings

Query strings on the other hand are exposed to users. So if you have any data you want to be kept from view, it is recommended to pass it via form POST values rather than through a URL. Never pass data you want to be private through the query string (encrypted or not).

From How Secure Are Query Strings Over HTTPS?:

You can rely on an HTTPS request being secure so long as:

  • No SSL certificate warnings were ignored
  • The private key used by the web server to initiate the SSL connection is not available outside of the web server itself.

So at the network level, URL parameters are secure, but there are some other ways in which URL based data can leak:

  1. URLs are stored in web server logs
  2. URLs are stored in the browser history
  3. URLs are passed in Referrer headers

So a malicious user could potentially copy a URL from one of these locations.

In summary:

  1. The best option is to never let private data leave the server. Keep it in a database, cache, session state, or TempData (which uses session state by default). Less sensitive data may be encrypted and stored in cookies on the client.
  2. If you need to pass sensitive data from the user to your application, do it through form values via HTTP POST and always use SSL encryption on these requests.
  3. URLs are designed to be public and will almost certainly be kept around in logs. Assume that everyone can access them. Never pass any sensitive data (encrypted or not) through the URL.
Community
  • 1
  • 1
NightOwl888
  • 55,572
  • 24
  • 139
  • 212
  • see this link what i am trying to achieve https://www.codeproject.com/Articles/130588/Preventive-Method-for-URL-Request-Forgery-An-Examp are they doing wrong to hash data in url to guard against url forgery? – Mist Feb 20 '18 at 14:36