Readable data in querystring on HTTP Get

Question

We've had a penetration test on a website and they're saying we shouldn't be passing readable data in a querystring (it's an Email Address).

The querystring is being created by the application when ModelState.isValid fails and it returns the model to the view with a HTTP GET. We are being told the EmailAddress value should be encrypted (the site is SSL).

The penetration result :

GET /Membership/RegisterMe?__RequestVerificationToken=26Oajd6AG17YkHhyZz8-pArBuKEEer7V0b86f0aR_jHXs2JqYRE8NHvhz1zCcKWtQ6eVtxtdkTvC6HjG1ami2d-2CPn8Ieedwc77fIoMB941&EmailAddress=SomeOnesEmail.com

We tried to convert the value after it's submitted by doing the following in the controller, so if validation fails it will returns an encrypted value in the querystring:-

 ModelState.Remove("EmailAddress");
 model.EmailAddress = Helpers.Encryption.Encrypt(model.EmailAddress);

But it loses the validation messages on the property, for example if it's an invalid email address.

Answer 1

Turns out using HTML Helpers in your View makes it difficult to change Model values on Postback (validation fail). It will always return the original values from the HTML helpers in the form. You can change it like so:-

    ModelState.Remove("EmailAddress"); 
    Model.EmailAddress = //new value; 

My problem was I needed to keep the EmailAddress value but encrypt it before Postback, so the value is not exposed in the querystring. The above was no good as using ModelState.Remove, you also lose the Validation message (invalid Email Address etc.).

Reason was because of the HTML Helpers in the form - @Html.TextBoxFor. Changed this to

<input type="text" name="EmailAddress"> 

You can then change the value in the controller before postback and maintain the validation errors

Model.EmailAddress = Encrypt(Model.EmailAddress);

The postback value is encrypted and the appropriate validation error messages are displayed to the user in the View. Then did some simple code in the View to decrypt the Model.EmailAddress.