drake71
0 Points
2 Posts
Protect QueryString Variables
Apr 02, 2012 05:37 PM
Hello,
I need to place a primary key into the query string and want to protect against semantic URL attacks. I was initially going to place a guid in the query string, but have read that this is "bad form".
What is the best way to prevent semantic URL attacks in ASP.NET?
Thanks.
Vipindas
Contributor
5514 Points
810 Posts
Re: Protect QueryString Variables
Apr 02, 2012 05:51 PM
If you want to avoid this type of attack, better use session instead of the query string. Or use a tamper-proof query string:
http://www.codeproject.com/Articles/9512/Tamper-Proof-Query-String
BrockAllen
All-Star
27554 Points
4912 Posts
MVP
Re: Protect QueryString Variables
Apr 02, 2012 05:53 PM
Session is a bad idea for this, IMO. I'd leave the ID in the query string, but just do a security check in the server if the current user has access to that ID. If the user hacks the ID then you're checking to see if they're allowed access to the new ID.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
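The check Brock describes, as an added example that is not code from this thread or from any poster: the order id stays in the query string, but every lookup is scoped to the authenticated user, so an id that was edited by hand or pasted from someone else's link simply finds nothing. The `Order` table, the user names, the ids and the `Handle` method are constructed for the example; in a real page `currentUser` would come from the authenticated identity (for example `HttpContext.User.Identity.Name`), never from the request.

```csharp
// Added example (not code from the thread): server-side authorization check
// for an id carried in the query string. All data below is constructed.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class Order
{
    public int Id { get; }
    public string OwnerUserName { get; }
    public decimal Total { get; }
    public Order(int id, string owner, decimal total) { Id = id; OwnerUserName = owner; Total = total; }
}

public static class OrderRepository
{
    // Constructed sample table standing in for a database.
    private static readonly List<Order> Orders = new List<Order>
    {
        new Order(1001, "alice", 49.99m),
        new Order(1002, "bob",   120.00m),
    };

    // Insecure lookup: trusts the id alone. This is what a "semantic URL attack"
    // (changing ?id=1001 to ?id=1002) relies on.
    public static Order FindById(int id) => Orders.FirstOrDefault(o => o.Id == id);

    // Hardened lookup: the owner is part of the query, so the caller can only
    // ever reach records that belong to the current user.
    public static Order FindByIdForUser(int id, string currentUser) =>
        Orders.FirstOrDefault(o => o.Id == id &&
            string.Equals(o.OwnerUserName, currentUser, StringComparison.Ordinal));
}

public static class OrderPage
{
    // Simulates the page handler: parse the raw ?id= value, then fetch through
    // the user-scoped lookup. Returns an HTTP-style status code.
    public static int Handle(string rawId, string currentUser, out Order order)
    {
        order = null;
        if (!int.TryParse(rawId, out int id)) return 400;   // malformed id
        order = OrderRepository.FindByIdForUser(id, currentUser);
        // 404 rather than 403 so the response does not confirm that the id exists.
        return order == null ? 404 : 200;
    }

    public static void Main()
    {
        Console.WriteLine("alice, own order:        " + Handle("1001", "alice", out _));
        Console.WriteLine("alice, id edited to bob: " + Handle("1002", "alice", out _));
        Console.WriteLine("bob, own order:          " + Handle("1002", "bob", out _));
        Console.WriteLine("alice, non-numeric id:   " + Handle("abc", "alice", out _));
    }
}
```

The point of putting the owner into the query itself (rather than fetching by id and comparing afterwards) is that there is no code path that can forget the check: a record the user does not own is never materialised. The same pattern applies to updates and deletes, where the `WHERE` clause of the statement carries the owner condition.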
trekie86
Member
290 Points
76 Posts
Re: Protect QueryString Variables
Apr 04, 2012 05:54 PM
I've just used a GUID in the query string. It isn't very pretty but it is much easier to debug and is harder to guess values.
BrockAllen
All-Star
27554 Points
4912 Posts
MVP
Re: Protect QueryString Variables
Apr 04, 2012 06:05 PM
This doesn't solve the problem 100% -- you still need to check that the current user is allowed to modify the data associated with the guid. Imagine if one user shared their URL (with guid) with another user.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
mikeprince.a...
Member
278 Points
54 Posts
Re: Protect QueryString Variables
Apr 04, 2012 06:08 PM
Make a habit of using an encrypted query string.
Just encrypt the query string before you pass it, and always decrypt it from the request query string.
trekie86
Member
290 Points
76 Posts
Re: Protect QueryString Variables
Apr 04, 2012 06:11 PM
I concur; it doesn't remove the need to check permissions on page load.
BrockAllen
All-Star
27554 Points
4912 Posts
MVP
Re: Protect QueryString Variables
Apr 04, 2012 06:13 PM
This does nothing to prevent unauthorized users re-playing the query string parameter.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
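An added example, not code from this thread or from any poster, covering both the "tamper-proof query string" suggested earlier in the thread and the replay problem Brock raises above. It builds a signed query string with an HMAC in two variants: one that signs only the id (stops edits of the id, but anyone holding the URL can replay it), and one that folds the authenticated user name into the MAC so a link copied from one user fails verification for another. The key, ids and user names are constructed; `CryptographicOperations.FixedTimeEquals` assumes .NET Core 2.1 or later. Signing proves only that the server issued the link; it is not a substitute for the ownership check on the server.

```csharp
// Added example (not code from the thread): HMAC-signed query string, with and
// without binding to the current user. Key and data are constructed.
using System;
using System.Net;
using System.Security.Cryptography;
using System.Text;

public static class SignedQueryString
{
    // Constructed demo key. In production load it from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("demo-key-replace-me-0123456789abcdef");

    private static string Mac(string data)
    {
        using (var h = new HMACSHA256(Key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(data)));
    }

    // Unbound form: signs only the id. Edits to the id are detected, but nothing
    // ties the URL to a user, so a pasted or intercepted link verifies for anyone.
    public static string BuildUnbound(int id) =>
        "id=" + id + "&sig=" + WebUtility.UrlEncode(Mac("id=" + id));

    // Bound form: the user name is part of the MAC input. It is not sent in the
    // URL; the server re-derives it from the authenticated identity on verify.
    public static string BuildBound(int id, string user) =>
        "id=" + id + "&sig=" + WebUtility.UrlEncode(Mac("id=" + id + "|user=" + user));

    private static bool VerifyTag(string expectedData, string presentedSig)
    {
        byte[] expected = Encoding.UTF8.GetBytes(Mac(expectedData));
        byte[] actual = Encoding.UTF8.GetBytes(presentedSig ?? "");
        // Constant-time comparison so the check does not leak by timing.
        return expected.Length == actual.Length &&
               CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    // Parses "id=...&sig=..." the way the request would present it.
    private static bool TryParse(string query, out int id, out string sig)
    {
        id = 0; sig = null;
        foreach (string pair in query.Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq < 0) continue;
            string k = pair.Substring(0, eq);
            string v = WebUtility.UrlDecode(pair.Substring(eq + 1));
            if (k == "id" && !int.TryParse(v, out id)) return false;
            if (k == "sig") sig = v;
        }
        return sig != null;
    }

    public static bool VerifyUnbound(string query, out int id) =>
        TryParse(query, out id, out string sig) && VerifyTag("id=" + id, sig);

    public static bool VerifyBound(string query, string currentUser, out int id) =>
        TryParse(query, out id, out string sig) && VerifyTag("id=" + id + "|user=" + currentUser, sig);

    public static void Main()
    {
        string aliceLink = BuildUnbound(1001);
        string tampered = aliceLink.Replace("id=1001", "id=1002");
        Console.WriteLine("unbound, id edited by hand:   " + VerifyUnbound(tampered, out _));
        // Replay: bob presents alice's link; the unbound check cannot tell them apart.
        Console.WriteLine("unbound, replayed by bob:     " + VerifyUnbound(aliceLink, out _));

        string boundLink = BuildBound(1001, "alice");
        Console.WriteLine("bound, presented by alice:    " + VerifyBound(boundLink, "alice", out _));
        Console.WriteLine("bound, replayed by bob:       " + VerifyBound(boundLink, "bob", out _));
    }
}
```

Encrypting the id instead of signing it changes nothing about replay: the ciphertext is just an opaque token, and whoever holds it can present it. Binding the token to the user (as `BuildBound` does) closes the replay between users, but the record itself must still be fetched through a lookup that includes the current user, exactly as the earlier replies say.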
tarunSaini
Contributor
2948 Points
985 Posts
Re: Protect QueryString Variables
Apr 15, 2012 03:06 AM
Use URL rewriting for this:
visit http://www.iis.net
and download the URL rewriter admin,
and change your URL according to this:
http://www.youtube.com/watch?v=PYxabNrIMQ4
dsalas
Member
2 Points
1 Post
Re: Protect QueryString Variables
Apr 24, 2012 07:36 AM
You should always validate at server side.
Best regards