Thread: querystring security ideation

  1. #1

    Thread Starter
    Junior Member
    Join Date
    Mar 2014
    Posts
    16

    querystring security ideation

    I have this custom menu control. The menu functions depend on the query string and the state of the object in the database. If the user modifies the querystring values they can change the object in the database. I'm trying to figure out a way to protect it.

    I've found a few ways.
    1. Encryption. Problem with this though is that I have calls like this all over my code base:
    Code:
    ' Redirect that carries the list filter in the query string
    Response.Redirect("../Default.aspx?goalTypeList=completed")
    ' Redirect whose query string names the goal and the state change to apply
    Response.Redirect("../Activity/ListActivity.aspx?gNum=" & currentGoal.goalNumber & "&goalChangeState=complete")
    It would be a real pain in the neck to have to encrypt all the values and then test all of it too. Yuck.

    2. Session State
    I could move the querystring values into the session state. That would get rid of the query string, but is that safe? From my research hacking the session state is kinda hard. Is that true?

    3. Use the Response headers. Again that is possible but I'm wondering again how hackable that is?

    4. Check Object State on functions
    In the beginning I said that the menu control functions are created depending on what the user told the site to do and also the state of the object in the database. But when the user clicks on a menu function there isn't any checking done. That may be a bad design, but it seems redundant to have to check the state to load the correct menu functions and then have to do the same checks when the user clicks on the menu function to make sure that the user can actually perform that function on the object.

    However, this would guarantee the user doesn't perform a bad operation on an object. This is probably the only way to hack-proof the problem because the server checks the request and response state. With the other three options the user could probably hack it given enough resources and time.

    This would probably be the easiest way to implement it, but it's basically doing the same thing twice. I really don't want to repeat myself in my code base.

    Side note: now that I think about it, what's funny is that normally the easiest solution to any programming problem is to just copy and paste code. Why is that?

    What's the industry practice? How do people usually deal with this issue? I see that vbforums uses querystrings and depending on where you are you can do different things. Does vbforums check the querystring values when the page is loaded and then again when the user clicks on the option?

    Thanks.

  2. #2
    King of sapila
    Join Date
    Oct 2006
    Location
    Greece
    Posts
    6,597

    Re: querystring security ideation

    Hey, you can read about "get" and "post" implementations.
    Basically you are doing a "get" that could modify data on the server, and that is not good practice.
    Probably the most common thing you can do is use certificates for your client-server transactions, but I would highly recommend getting rid of any querystring that modifies data; even if it takes you time, you will be in a lot less trouble afterwards.
    If you want to go full server side, as I see now, then you can use sessions. Session is deployed on the server, so in theory it's hard to hack, but someone can view your post transactions; that is why I said use a certificate.
    A couple of months ago there was a big fuss about how certificates were hacked and MS and Google trying to find a new implementation, so nothing is completely safe.
    I personally use client-side transactions with web services, so it's JavaScript with encryption and on top of that a certificate. I don't think I can do something more secure than that, but I know it can be hacked, so I always keep a backup of the server.
    ἄνδρα μοι ἔννεπε, μοῦσα, πολύτροπον, ὃς μάλα πολλὰ
    πλάγχθη, ἐπεὶ Τροίης ἱερὸν πτολίεθρον ἔπερσεν·
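
    The server-side check the thread starter calls option 4, together with the "get versus post" point in the reply above, as an added example that is not part of the original thread: a Python sketch with hypothetical names (Goal, TRANSITIONS, menu_actions, handle_change_state) and an in-memory dictionary standing in for the database. The same transition rule that decides which menu entries to render is applied again when the request arrives, so an edited gNum or goalChangeState cannot move an object into a state the server would never have offered, and state changes arriving as GET are refused outright.

```python
"""Added example (not from the thread): re-validating a state change on the
server instead of trusting the query string. All names are hypothetical and
the 'database' is an in-memory dict constructed for the demo."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs

# Which actions are legal from each goal state. This single table drives both
# the menu and the request handler, so the rule is written only once.
TRANSITIONS = {
    "active": {"complete", "cancel"},
    "paused": {"resume", "cancel"},
    "completed": set(),
    "cancelled": set(),
}
# Resulting state after a legal action.
ACTION_RESULT = {"complete": "completed", "cancel": "cancelled", "resume": "active"}


@dataclass
class Goal:
    number: int
    owner: str
    state: str


# Constructed stand-in for the database table of goals.
DB = {
    1: Goal(number=1, owner="alice", state="active"),
    2: Goal(number=2, owner="bob", state="completed"),
}


def menu_actions(goal: Goal, user: str) -> set[str]:
    """Actions the menu control should render for this user and goal.

    The handler below calls the same function, so the menu can never offer
    something the handler would reject, and vice versa."""
    if goal.owner != user:
        return set()
    return set(TRANSITIONS[goal.state])


def handle_change_state(method: str, query: str, user: str) -> tuple[int, str]:
    """Process '?gNum=...&goalChangeState=...' and return (http_status, message).

    `user` is the authenticated identity from the session, never from the URL.
    Nothing in the query string is trusted beyond naming which goal and which
    action the client is asking for."""
    if method != "POST":
        # A request that modifies data must not be a GET (bookmarkable,
        # cacheable, logged in proxies and browser history).
        return 405, "state changes must be POSTed"

    params = parse_qs(query)
    try:
        gnum = int(params.get("gNum", [""])[0])
    except ValueError:
        return 400, "bad gNum"
    action = params.get("goalChangeState", [""])[0]

    goal = DB.get(gnum)
    if goal is None or goal.owner != user:
        # Same answer for "does not exist" and "not yours", so a tampered gNum
        # does not reveal which numbers belong to other users.
        return 404, "no such goal"

    if action not in menu_actions(goal, user):
        return 403, f"cannot {action!r} a goal in state {goal.state!r}"

    goal.state = ACTION_RESULT[action]
    return 200, f"goal {gnum} is now {goal.state}"


if __name__ == "__main__":
    print(handle_change_state("GET", "gNum=1&goalChangeState=complete", "alice"))
    print(handle_change_state("POST", "gNum=1&goalChangeState=complete", "bob"))
    print(handle_change_state("POST", "gNum=1&goalChangeState=complete", "alice"))
    print(handle_change_state("POST", "gNum=1&goalChangeState=complete", "alice"))
```

    The repetition the starter worries about goes away once the menu and the handler share one function: the check runs twice at runtime, but it is written once. Session state or encryption can hide the parameters, but only this kind of check stops a request that was never offered by the menu from being honoured.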

  3. #3

    Thread Starter
    Junior Member
    Join Date
    Mar 2014
    Posts
    16

    Re: querystring security ideation

    Do you have an example that I can look at?

  4. #4
    King of sapila
    Join Date
    Oct 2006
    Location
    Greece
    Posts
    6,597

    Re: querystring security ideation

    Example of which one?

  5. #5

    Thread Starter
    Junior Member
    Join Date
    Mar 2014
    Posts
    16

    Re: querystring security ideation

    Quote Originally Posted by sapator:
    Example of which one?

    I was wondering if you had a link or a source where I could read about "you can read about "get" and "post" implementations". Maybe some code examples, because I'm not very familiar with the terminology.

  6. #6
    King of sapila
    Join Date
    Oct 2006
    Location
    Greece
    Posts
    6,597

    Re: querystring security ideation

    Well, nothing in specific. A Google search will give you a lot of resources. You are doing a get right now, as I've said, with the querystring.
