Protect QueryString Variables

Question

User1184219156 posted

Hello,

I need to place a primary key into the query string and want to protect against semantic URL attacks.  I was initially going to place a guid in the query string, but have read that this is "bad form".

What is the best way to prevent semantic URL attacks in ASP.NET?

Thanks.

Answer 1

User1211441112 posted

If you want to avoid this type of attacks better use session instead of querystring. Or use tamper proof querystring

http://www.codeproject.com/Articles/9512/Tamper-Proof-Query-String

Answer 2

User1779161005 posted

Session is a bad idea for this, IMO. I'd leave the ID in the query string, but just do a security check in the server if the current user has access to that ID. If the user hacks the ID then you're checking to see if they're allowed access to the new ID.

Answer 3

User1028671202 posted

I've just used a GUID in the query string. It isn't very pretty but it is much easier to debug and is harder to guess values.

Answer 4

User1779161005 posted

This doesn't solve the problem 100% -- you still need to check that the current user is allowed to modify the data associated with the guid. Imagine if one user shared their URL (with guid) with another user.

Answer 5

User-1681926258 posted

make habit of using encrypted querystring.

just encrypt querystring before you pass and always decrypt it on request qurystring.

Answer 6

User1028671202 posted

I concur, it doesn't remove the need to check permissions on the page load.

Answer 7

User1779161005 posted

make habit of using encrypted querystring.

just encrypt querystring before you pass and always decrypt it on request qurystring.

This does nothing to prevent unauthorized users re-playing the query string parameter.

Answer 8

User378854481 posted

use url rewritting for

visit http://www.iis.net

and download url rewritter admin

and chage your url according this

http://www.youtube.com/watch?v=PYxabNrIMQ4

Answer 9

User-1925886989 posted

You should always validate at server side.

Best regards

Answer 10

User-1782862218 posted

One approach is to use an in session. key translation lookup.  It is a bit heavy handed, but has it's purpose. It is particularly useful in cases when the primary key represents something sensitive or unique to the user.  On each resource access, the user's supplied keys (Guids?) are translated into the true primary key values and passed into the business logic.

This can have some negative implications such as caching and bookmarking.  See Top 10 2010-A4-Insecure Direct Object References.