0

In an existing web application project, there is a need to prevent raw ids from being supplied to the front end, like the following HTML:

<select name="InvoiceId">
     <option value="1">Bill_1</option>
     <option value="2">Bill_2</option>
</select>

to

<select name="InvoiceId">
     <option value="encryptedString1">Bill_1</option>
     <option value="encryptedString2">Bill_2</option>
</select>

Apart from the above, there would be hidden input fields, attributes, etc. with sensitive ids. They are populated by controller actions returning JsonResult, ViewResult, etc.

The purpose is to keep the raw private ids from being seen in the front-end HTML source, and finally to make changing the front-end ids useless (as upon decryption, altered ids will be random gibberish).

For decryption, one option would be to use a model binder in the MVC pipeline, which would read the value, check whether it is encrypted (perhaps by checking whether it starts with some standard string like BCrypt) and then decrypt it, so that no code change for decryption is needed throughout the application.

So, can anyone suggest a way to implement encryption as part of the application pipeline (perhaps by a result filter?), so that developers are also forced to encrypt any property carrying sensitive data (perhaps those marked with a custom attribute, like 'SensitiveInfo')?

The key for encryption/decryption is also in question; perhaps it will be the logged-in user's session id with a random salt. And an algorithm that is fast enough.

Can someone suggest the best way to implement this in an existing web application?

Please note that the application stack is .NET MVC 5, JavaScript/jQuery, Dapper.

CodeNinja

1 Answer

0

I think doing this server side is more dynamic since you have Razor pages on your side. As you said:

prevent raw ids being supplied to front end.

In this case: Encrypting & Decrypting a String in C#

In the case of client side, take a look at the following: JavaScript string encryption and decryption?

Here you can find the CryptoJs docs/examples and usage: https://cryptojs.gitbook.io/docs/

Here is your example where the value is encrypted: https://jsfiddle.net/monvtf7j/3/

Don't forget to check the console for output; otherwise navigate to the HTML element and check the value (in the browser, in the fiddle).

var sensitiveIdOne = "1129932ABC";
var encrypted = CryptoJS.MD5(sensitiveIdOne);

$("#1").attr("value", encrypted);
console.log($("#1").attr("value"));

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js"></script>

<select name="InvoiceId">
     <option id="1">Bill_1</option>
     <option id="2">Bill_2</option>
</select>
  • Thanks for the quick response. The thing is, I really don't want to use client-side encryption, as it can be decrypted on the client side itself. The requirement is to encrypt every piece of sensitive info (like ids on edit) on the server side and decrypt it there as well. – CodeNinja Jun 24 '20 at 19:22
  • The link is for encrypting and decrypting only, that's great! But primarily, as I stated, I am looking for a way to do it in the best way possible. Like I stated, I can use a model binder in the MVC pipeline for decryption when the form is submitted, likewise if encryption can be done from a single source when the result is sent via Json & View. I don't want to do it manually for each and every property, and then ask devs to keep it in mind in future. – CodeNinja Jun 24 '20 at 20:20
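
One way to meet the requirement discussed in this thread (server-side protection of ids, with decryption in a model binder), as an added example that is not code from the question or the answer. It uses ASP.NET's `MachineKey.Protect`, which encrypts and authenticates, so an altered value is rejected instead of decrypting to a different id. `IdProtector`, `ProtectedIdBinder`, the `enc.` marker and the purpose string are hypothetical names, and session state is assumed to be enabled.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example: IdProtector, ProtectedIdBinder and the "enc." marker are hypothetical names.
public static class IdProtector
{
    private const string Marker = "enc.";            // lets the binder recognise protected values
    private const string Purpose = "SensitiveId.v1"; // keeps these tokens apart from other MachineKey uses

    // Encrypts and MACs the id under the application's machine key, bound to one session.
    public static string Protect(int id, string sessionId)
    {
        byte[] sealedId = MachineKey.Protect(BitConverter.GetBytes(id), Purpose, sessionId);
        return Marker + HttpServerUtility.UrlTokenEncode(sealedId);
    }

    // False for a missing marker, malformed input, a tampered token, or another session's token.
    public static bool TryUnprotect(string token, string sessionId, out int id)
    {
        id = 0;
        if (token == null || !token.StartsWith(Marker, StringComparison.Ordinal)) return false;
        try
        {
            byte[] raw = HttpServerUtility.UrlTokenDecode(token.Substring(Marker.Length));
            byte[] plain = raw == null ? null : MachineKey.Unprotect(raw, Purpose, sessionId);
            if (plain == null || plain.Length != sizeof(int)) return false;
            id = BitConverter.ToInt32(plain, 0);
            return true;
        }
        catch (CryptographicException) { return false; } // MAC check failed: altered or foreign token
        catch (FormatException) { return false; }        // not valid URL-token base64
    }
}

// Usage: public ActionResult Edit([ModelBinder(typeof(ProtectedIdBinder))] int? invoiceId)
public class ProtectedIdBinder : IModelBinder
{
    public object BindModel(ControllerContext cc, ModelBindingContext bc)
    {
        ValueProviderResult value = bc.ValueProvider.GetValue(bc.ModelName);
        int id;
        if (value != null && IdProtector.TryUnprotect(value.AttemptedValue, cc.HttpContext.Session.SessionID, out id))
            return id;
        bc.ModelState.AddModelError(bc.ModelName, "Invalid or tampered id.");
        return null; // the action must check ModelState.IsValid and refuse the request
    }
}
```

ASP.NET issues a new `SessionID` on each request until something is stored in `Session`, so write a value to the session before protecting ids. The protected value hides the id from the page source but does not replace a server-side check that the logged-in user may access that record.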