Protect QueryString Variables

  • Question

  • User1184219156 posted

    Hello,

    I need to place a primary key into the query string and want to protect against semantic URL attacks.  I was initially going to place a guid in the query string, but have read that this is "bad form".

    What is the best way to prevent semantic URL attacks in ASP.NET?

    Thanks.

    Monday, April 2, 2012 1:37 PM

Answers

  • User1779161005 posted

    Session is a bad idea for this, IMO. I'd leave the ID in the query string, but just do a security check on the server to see whether the current user has access to that ID. If the user hacks the ID, then you're checking to see if they're allowed access to the new ID.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, April 2, 2012 1:53 PM
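One way to implement the check this answer describes, as an added example that is not code from the thread: an ASP.NET Web Forms page that leaves the integer key in the query string and, on every request, verifies on the server that the signed-in user owns the row that key names. The `Document` type, the in-memory `DocumentStore` with its constructed sample rows, the `OwnerUserName` column and the `TitleLabel` control are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed data model for the example.
public class Document
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public string Title { get; set; }
}

// Assumed repository; constructed in-memory rows stand in for the database.
public static class DocumentStore
{
    private static readonly Dictionary<int, Document> Rows = new Dictionary<int, Document>
    {
        { 41, new Document { Id = 41, OwnerUserName = "alice", Title = "Alice's invoice" } },
        { 42, new Document { Id = 42, OwnerUserName = "bob",   Title = "Bob's contract" } },
    };

    public static Document FindById(int id)
    {
        Document doc;
        return Rows.TryGetValue(id, out doc) ? doc : null;
    }
}

public partial class ViewDocument : Page
{
    // In a real project this field is declared in the .aspx/.designer file.
    protected Label TitleLabel;

    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Parse the untrusted value; anything that is not a positive integer is rejected.
        int documentId;
        if (!int.TryParse(Request.QueryString["id"], out documentId) || documentId <= 0)
        {
            throw new HttpException(400, "Bad request");
        }

        // 2. Anonymous callers never reach the lookup.
        if (!User.Identity.IsAuthenticated)
        {
            throw new HttpException(401, "Unauthorized");
        }

        // 3. Load the row named in the URL, then check on the server that the
        //    signed-in user owns it. Editing the id in the URL only changes which
        //    row this ownership check runs against.
        Document doc = DocumentStore.FindById(documentId);
        bool isOwner = doc != null &&
                       string.Equals(doc.OwnerUserName, User.Identity.Name, StringComparison.Ordinal);
        if (!isOwner)
        {
            // 404 for both "no such row" and "not your row", so the response does
            // not confirm which ids exist.
            throw new HttpException(404, "Not found");
        }

        TitleLabel.Text = HttpUtility.HtmlEncode(doc.Title);
    }
}
```

The ownership test uses an ordinal comparison; if your identity store treats user names case-insensitively (Windows authentication does), compare with `StringComparison.OrdinalIgnoreCase` instead. The same pattern applies to MVC actions: bind the id, load the row, refuse before rendering.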

All replies

  • User1211441112 posted

    If you want to avoid this type of attack, better use session instead of the query string. Or use a tamper-proof query string:

    http://www.codeproject.com/Articles/9512/Tamper-Proof-Query-String

    Monday, April 2, 2012 1:51 PM
  • User1028671202 posted

    I've just used a GUID in the query string. It isn't very pretty but it is much easier to debug and is harder to guess values.

    Wednesday, April 4, 2012 1:54 PM
  • User1779161005 posted

    This doesn't solve the problem 100% -- you still need to check that the current user is allowed to modify the data associated with the guid. Imagine if one user shared their URL (with guid) with another user.

    Wednesday, April 4, 2012 2:05 PM
  • User-1681926258 posted

    Make a habit of using an encrypted query string.

    Just encrypt the query string before you pass it, and always decrypt it from the request query string.

    Wednesday, April 4, 2012 2:08 PM
  • User1028671202 posted

    I concur; it doesn't remove the need to check permissions on page load.

    Wednesday, April 4, 2012 2:11 PM
  • User1779161005 posted

    > Make a habit of using an encrypted query string.
    >
    > Just encrypt the query string before you pass it, and always decrypt it from the request query string.

    This does nothing to prevent unauthorized users re-playing the query string parameter.

    Wednesday, April 4, 2012 2:13 PM
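The tamper-proof and encrypted query string suggestions above, and the replay objection to them, as an added example that is not code from the thread. The query string is signed with an HMAC rather than encrypted (the key is not secret from the server's point of view, and integrity is what "tamper-proof" needs), and the signed payload includes the user name so that a link copied to another account fails verification. The class name, the `id`/`u`/`sig` parameter names and the hard-coded key are assumptions for the example; in a deployment the key comes from protected configuration.

```csharp
using System;
using System.Collections.Specialized;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public static class SignedQueryString
{
    // Assumed: in a real deployment the key comes from protected configuration
    // or a secrets store, never from source. Hard-coded only so the example runs
    // stand-alone.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("example-only-replace-with-32-random-bytes");

    // Builds "id=42&u=alice&sig=<hex hmac>". Including the user name in the
    // signed payload ties the link to the account it was issued to.
    public static string Sign(int id, string userName)
    {
        string payload = "id=" + id + "&u=" + HttpUtility.UrlEncode(userName);
        return payload + "&sig=" + Mac(payload);
    }

    // Returns the id if the parameters are unmodified and were issued to
    // currentUser, otherwise null. From a page, pass Request.QueryString.
    public static int? Verify(NameValueCollection query, string currentUser)
    {
        string idText = query["id"], user = query["u"], sig = query["sig"];
        if (idText == null || user == null || sig == null) return null;

        // Recompute over the decoded values exactly as Sign built them.
        string payload = "id=" + idText + "&u=" + HttpUtility.UrlEncode(user);
        if (!FixedTimeEquals(Mac(payload), sig)) return null;                          // modified
        if (!string.Equals(user, currentUser, StringComparison.Ordinal)) return null;  // replayed by another account

        int id;
        return int.TryParse(idText, out id) ? id : (int?)null;
    }

    private static string Mac(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            byte[] tag = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
            return BitConverter.ToString(tag).Replace("-", "").ToLowerInvariant();
        }
    }

    // Compares every character regardless of where the first mismatch is, so a
    // wrong tag cannot be narrowed down by timing.
    private static bool FixedTimeEquals(string expected, string actual)
    {
        if (expected.Length != actual.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    public static void Main()
    {
        string qs = SignedQueryString.Sign(42, "alice");
        NameValueCollection parsed = HttpUtility.ParseQueryString(qs);

        // Intact link presented by the user it was issued to.
        Console.WriteLine(Verify(parsed, "alice"));

        // Same link with the id edited in the address bar: the tag no longer matches.
        NameValueCollection tampered = HttpUtility.ParseQueryString(qs.Replace("id=42", "id=43"));
        Console.WriteLine(Verify(tampered, "alice") == null);

        // Alice's link pasted into Bob's browser: the bound user name does not match.
        Console.WriteLine(Verify(parsed, "bob") == null);
    }
}
```

Call `Sign` only when rendering links to rows the current user is already authorized to see, and keep the ownership check at the point of access: the signature proves the server issued that exact link to that user, not that the user is still allowed to see the row.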
  • User378854481 posted

    Use URL rewriting for this.

    Visit http://www.iis.net

    and download the URL Rewrite module,

    and change your URL according to this:

    http://www.youtube.com/watch?v=PYxabNrIMQ4

    Saturday, April 14, 2012 11:06 PM
  • User-1925886989 posted

    You should always validate at server side.

    Best regards

    Tuesday, April 24, 2012 3:36 AM
  • User-1782862218 posted

    One approach is to use an in-session key-translation lookup. It is a bit heavy-handed, but it has its purpose. It is particularly useful in cases where the primary key represents something sensitive or unique to the user. On each resource access, the user's supplied keys (GUIDs?) are translated into the true primary-key values and passed into the business logic.

    This can have some negative implications, such as for caching and bookmarking. See Top 10 2010-A4-Insecure Direct Object References.

    Tuesday, May 1, 2012 10:50 AM
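The in-session key-translation lookup described above, as an added example that is not code from the thread: each session keeps its own map from randomly generated GUIDs to real primary keys, so the browser only ever sees tokens minted for that session and a token copied from another user, or guessed, resolves to nothing. The class name, the session slot name and the usage calls are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.SessionState;

// Per-session indirection map. Marked serializable so it also works with
// out-of-process session state.
[Serializable]
public class SessionKeyMap
{
    private const string SessionSlot = "KeyMap";   // assumed session key name

    private readonly Dictionary<Guid, int> _toReal = new Dictionary<Guid, int>();
    private readonly Dictionary<int, Guid> _toOpaque = new Dictionary<int, Guid>();

    // Fetch the map for the current session, creating it on first use.
    public static SessionKeyMap ForSession(HttpSessionState session)
    {
        var map = session[SessionSlot] as SessionKeyMap;
        if (map == null)
        {
            map = new SessionKeyMap();
            session[SessionSlot] = map;
        }
        return map;
    }

    // Mint (or reuse) the token for a real key. Call this only for rows the user
    // has already been authorized to see, when building the links in the page.
    public Guid Opaque(int realId)
    {
        Guid token;
        if (!_toOpaque.TryGetValue(realId, out token))
        {
            token = Guid.NewGuid();   // random; not derived from the real key
            _toOpaque[realId] = token;
            _toReal[token] = realId;
        }
        return token;
    }

    // Translate a token from the request back to the real key, or null if this
    // session never issued it (forged, guessed, or copied from another user).
    public int? Real(string tokenText)
    {
        Guid token;
        int realId;
        if (!Guid.TryParse(tokenText, out token)) return null;
        return _toReal.TryGetValue(token, out realId) ? realId : (int?)null;
    }
}

// Assumed usage inside a Web Forms page:
//
//   // when rendering a link for a row the user may see
//   string href = "View.aspx?key=" + SessionKeyMap.ForSession(Session).Opaque(doc.Id);
//
//   // when handling the request
//   int? id = SessionKeyMap.ForSession(Session).Real(Request.QueryString["key"]);
//   if (id == null) throw new HttpException(404, "Not found");
```

Because the map lives and dies with the session, bookmarked or shared links stop working once the session ends, which is the caching and bookmarking cost the post mentions; output caching of pages that contain these links must be disabled, or one user's tokens end up in another user's cached page. Because tokens are only minted for authorized rows, this also moves the authorization decision to the point where the link is rendered, so be sure that decision is made there.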