URL Parameter Security Processing

Source: Internet
Author: User

A friend asked me a question about URL parameter security a few days ago. Since most of my work has been on internal websites, security was hardly ever a concern; in many cases the parameter names and parameter values in the URL are exposed directly to the client, where they can be read, logged and modified at will. This is a real security risk.

The two approaches discussed here are transforming the parameter string so that it is not readable at a glance (the article calls this encryption) and sending the parameters in a POST body instead of in the URL.

The common method is to Base64-encode the string. Note that Base64 is an encoding, not encryption: there is no key, so it only hides the parameters from a casual glance. Anyone holding the URL can decode it, and it does nothing to stop a client from decoding, changing and re-encoding the values. The helper class:

using System;
using System.Text;

/// <summary>
/// Base64 encoding helper. This is encoding, not encryption: Decode needs no key.
/// </summary>
public class Base64
{
    /// <summary>
    /// Encode a UTF-8 plaintext string as Base64.
    /// </summary>
    /// <param name="plainText">plaintext (UTF-8)</param>
    /// <returns>Base64 text</returns>
    public static string Encode(string plainText)
    {
        return Encode(plainText, "UTF-8");
    }

    /// <summary>
    /// Encode a plaintext string as Base64 using the named character encoding.
    /// </summary>
    /// <param name="plainText">plaintext</param>
    /// <param name="name">encoding name, e.g. "UTF-8"</param>
    /// <returns>Base64 text</returns>
    public static string Encode(string plainText, string name)
    {
        byte[] bt = Encoding.GetEncoding(name).GetBytes(plainText);
        return Convert.ToBase64String(bt);
    }

    /// <summary>
    /// Decode Base64 text back to a UTF-8 string.
    /// </summary>
    /// <param name="cipherText">Base64 text (UTF-8 content)</param>
    /// <returns>plaintext</returns>
    public static string Decode(string cipherText)
    {
        return Decode(cipherText, "UTF-8");
    }

    /// <summary>
    /// Decode Base64 text back to a string using the named character encoding.
    /// </summary>
    /// <param name="cipherText">Base64 text</param>
    /// <param name="name">encoding name</param>
    /// <returns>plaintext</returns>
    public static string Decode(string cipherText, string name)
    {
        // Throws FormatException on malformed input; callers receiving client data should catch it.
        byte[] bt = Convert.FromBase64String(cipherText);
        return Encoding.GetEncoding(name).GetString(bt);
    }
}

In daily use, a URL such as http://localhost/web?arg1=1&arg2=2 becomes http://localhost/web?Args=YXJnMT0xJmFyZzI9Mg%3D%3D after encoding. The Base64 value of "arg1=1&arg2=2" is YXJnMT0xJmFyZzI9Mg== (two padding characters); the "=" padding, and any "+" or "/" characters in the output, must be percent-encoded before they go into a query string, or the URL-safe Base64 alphabet should be used instead. Other reversible transformations, or real encryption with a key held only on the server, can be substituted on the same principle; only keyed encryption actually keeps the values secret, and only a server-side integrity check (a MAC) actually prevents tampering.
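The following Python script is an added example, not code from the article. It decodes the article's own Args value to show that no secret is needed to read it, then adds the one thing Base64 cannot provide: an HMAC-SHA256 tag computed with a server-side key, so that a client who changes the parameters is detected. The token format (payload.tag), the key and the parameter values are assumptions made for the demo; the same principle is what the ASP.NET ViewState MAC does for view state, which matters for the page-directive settings later in this article.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# The "Args" value from the article's example URL (arg1=1&arg2=2).
PAGE_ARGS = "YXJnMT0xJmFyZzI9Mg=="


def _to_dict(query: str) -> dict:
    """Flatten a query string into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def encode_args(params: dict) -> str:
    """Build the Base64 Args value the same way the article's Base64.Encode does."""
    return base64.b64encode(urlencode(params).encode("utf-8")).decode("ascii")


def decode_args(args: str) -> dict:
    """Recover the original parameters. No key is involved, so anyone who sees
    the URL (browser history, proxy logs, Referer headers) can do this."""
    return _to_dict(base64.b64decode(args).decode("utf-8"))


# --- Authenticated variant: an assumption of this example, not the article's scheme ---
# Token format: <urlsafe-base64 payload>.<hex HMAC-SHA256 over the payload>
# The parameters are still readable; what the tag adds is tamper detection.

def sign_args(params: dict, key: bytes) -> str:
    """Encode the parameters and append a keyed tag. The key stays on the server."""
    payload = base64.urlsafe_b64encode(urlencode(params).encode("utf-8")).decode("ascii")
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verify_args(token: str, key: bytes):
    """Return the parameters if the tag matches, otherwise None."""
    payload, sep, tag = token.rpartition(".")
    if not sep:
        return None  # no tag at all
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected.encode("ascii"), tag.encode("utf-8")):
        return None
    try:
        return _to_dict(base64.urlsafe_b64decode(payload).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None  # valid tag over an undecodable payload cannot happen without the key


def forge(token: str, params: dict) -> str:
    """What a client can do without the key: swap the payload and keep the old tag."""
    _, _, tag = token.rpartition(".")
    payload = base64.urlsafe_b64encode(urlencode(params).encode("utf-8")).decode("ascii")
    return payload + "." + tag


if __name__ == "__main__":
    print("decoded from the article's URL:", decode_args(PAGE_ARGS))
    key = b"server-side secret, never sent to the client"  # constructed for the demo
    tok = sign_args({"arg1": "1", "arg2": "2"}, key)
    print("signed token:", tok)
    print("genuine token verifies:", verify_args(tok, key))
    print("forged token verifies:", verify_args(forge(tok, {"arg1": "1", "arg2": "999"}), key))
```

The payload still contains "=" padding, so it has to be percent-encoded when placed in a URL, exactly as with the article's plain Base64 value. Verification must happen on every request that consumes the parameters; a token that verifies proves only that the server produced it, not that the values are secret.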


Posting form data directly from one page to another in .NET (cross-page posting) is subject to several restrictions; without the following settings the receiving page rejects the request with a ViewState MAC validation failure. Some configuration is needed in web.config and on the page:

The following configuration is required in web.config:

<machineKey validationKey="AutoGenerate|value[,IsolateApps]" decryptionKey="AutoGenerate|value[,IsolateApps]" validation="[SHA1|MD5|3DES|AES|HMACSHA256|HMACSHA384|HMACSHA512]" decryption="[Auto|DES|3DES|AES]"/>

MSDN describes machineKey as follows:

"Configures keys to use for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification."

See the MSDN documentation for the machineKey element for details.

The validationKey and decryptionKey can be generated with RNGCryptoServiceProvider (a cryptographically secure random number generator; newer .NET versions expose the same thing as RandomNumberGenerator), or with the helper below, which returns the random bytes as upper-case hex, the format machineKey expects. The required key length depends on the algorithms selected for validation and decryption: for example a SHA1 validationKey is 40 to 128 hex characters (20 to 64 bytes), a 3DES decryptionKey is 48 hex characters (24 bytes) and an AES decryptionKey is 32, 48 or 64 hex characters. Check the documented length for the algorithm you pick, and generate your own keys rather than copying the example values that follow.


using System.Security.Cryptography;
using System.Text;

/// <summary>
/// Returns len cryptographically random bytes as an upper-case hex string,
/// the format machineKey expects. Pass the byte length required by the chosen
/// algorithm (for example 24 for a 3DES decryptionKey).
/// </summary>
protected string CreateKey(int len)
{
    byte[] bytes = new byte[len];
    // CSPRNG, not System.Random. In newer .NET: RandomNumberGenerator.Fill(bytes).
    using (var rng = new RNGCryptoServiceProvider())
    {
        rng.GetBytes(bytes);
    }
    StringBuilder sb = new StringBuilder(len * 2);
    for (int i = 0; i < bytes.Length; i++)
    {
        sb.Append(string.Format("{0:X2}", bytes[i]));
    }
    return sb.ToString();
}

A working configuration (the keys are the article's example values; generate your own and keep them out of source control, because anyone who knows the key can forge the cookies and view state it protects):

<system.web>
  <!-- debug="true" is for development only; set it to "false" before deploying -->
  <compilation debug="true" targetFramework="4.0" />
  <!-- Example keys from the article; do not reuse published keys -->
  <machineKey validation="3DES"
              validationKey="3B65AC4F524714843D27DCD88D726E84BDDCB218EEEDA563B3A37BCF18624AA388502009F3059504AD1DFF72171C165C"
              decryption="3DES"
              decryptionKey="DBDF6B73DD4C1EB68783B8913D6969E247B459A1F1C6E8678BB48F1AB74BE03E35014EFCABA5346AB4EEF062DAD79D26" />
</system.web>


In addition, the Page directive of the receiving page needs the ViewStateEncryptionMode and EnableViewStateMac attributes:

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" ViewStateEncryptionMode="Never" EnableViewStateMac="false"  %>

With these settings the page accepts the POST without the ViewState MAC validation error.

A caveat a practitioner should weigh before copying this: EnableViewStateMac="false" and ViewStateEncryptionMode="Never" switch off the integrity check and encryption that protect view state, so a client can read, modify and forge the ViewState that is posted back. That is strictly worse than exposing query-string parameters, which is the problem this article set out to solve, and ViewState that is deserialized without a MAC has been a recurring source of remote code execution in ASP.NET applications. Microsoft later shipped a .NET Framework update (Microsoft Security Advisory 2905247) that makes ASP.NET validate the ViewState MAC regardless of this setting. The supported way to make cross-page posting work is to keep the MAC enabled and give every page and server involved the same explicit machineKey, which is exactly what the web.config configuration above provides.
