1

I've created a login page with some simple SQL query function & i'm trying to encrypt my URL query string, but it seems there's some problem with it, everytime after i used my "button" function the URL reveals itself. May i know what's the problem with me coding? Remark: I've putted "QueryStringModule" at the web config system.web & system.webServer

Here's the QueryStringModule.cs code i used:

#region Using
using System;
using System.IO;
using System.Web;
using System.Text;
using System.Security.Cryptography;

#endregion

/// <summary>
/// Summary description for QueryStringModule
/// </summary>
public class QueryStringModule : IHttpModule
{

#region IHttpModule Members

public void Dispose()
{
    // Nothing to dispose
}

public void Init(HttpApplication context)
{
    context.BeginRequest += new EventHandler(context_BeginRequest);
}

#endregion

private const string PARAMETER_NAME = "enc=";
private const string ENCRYPTION_KEY = "key";

void context_BeginRequest(object sender, EventArgs e)
{
    HttpContext context = HttpContext.Current;
    if (context.Request.Url.OriginalString.Contains("aspx") && context.Request.RawUrl.Contains("?"))
    {
        string query = ExtractQuery(context.Request.RawUrl);
        string path = GetVirtualPath();

        if (query.StartsWith(PARAMETER_NAME, StringComparison.OrdinalIgnoreCase))
        {
            // Decrypts the query string and rewrites the path.
            string rawQuery = query.Replace(PARAMETER_NAME, string.Empty);
            string decryptedQuery = Decrypt(rawQuery);
            context.RewritePath(path, string.Empty, decryptedQuery);
        }
        else if (context.Request.HttpMethod == "GET")
        {
            // Encrypt the query string and redirects to the encrypted URL.
            // Remove if you don't want all query strings to be encrypted automatically.
            string encryptedQuery = Encrypt(query);
            context.Response.Redirect(path + encryptedQuery);
        }
    }
}

/// <summary>
/// Parses the current URL and extracts the virtual path without query string.
/// </summary>
/// <returns>The virtual path of the current URL.</returns>
private static string GetVirtualPath()
{
    string path = HttpContext.Current.Request.RawUrl;
    path = path.Substring(0, path.IndexOf("?"));
    path = path.Substring(path.LastIndexOf("/") + 1);
    return path;
}

/// <summary>
/// Parses a URL and returns the query string.
/// </summary>
/// <param name="url">The URL to parse.</param>
/// <returns>The query string without the question mark.</returns>
private static string ExtractQuery(string url)
{
    int index = url.IndexOf("?") + 1;
    return url.Substring(index);
}

#region Encryption/decryption

/// <summary>
/// The salt value used to strengthen the encryption.
/// </summary>
private readonly static byte[] SALT = Encoding.ASCII.GetBytes(ENCRYPTION_KEY.Length.ToString());

/// <summary>
/// Encrypts any string using the Rijndael algorithm.
/// </summary>
/// <param name="inputText">The string to encrypt.</param>
/// <returns>A Base64 encrypted string.</returns>
public static string Encrypt(string inputText)
{
    RijndaelManaged rijndaelCipher = new RijndaelManaged();
    byte[] plainText = Encoding.Unicode.GetBytes(inputText);
    PasswordDeriveBytes SecretKey = new PasswordDeriveBytes(ENCRYPTION_KEY, SALT);

    using (ICryptoTransform encryptor = rijndaelCipher.CreateEncryptor(SecretKey.GetBytes(32), SecretKey.GetBytes(16)))
    {
        using (MemoryStream memoryStream = new MemoryStream())
        {
            using (CryptoStream cryptoStream = new CryptoStream(memoryStream, encryptor, CryptoStreamMode.Write))
            {
                cryptoStream.Write(plainText, 0, plainText.Length);
                cryptoStream.FlushFinalBlock();
                return "?" + PARAMETER_NAME + Convert.ToBase64String(memoryStream.ToArray());
            }
        }
    }
}

/// <summary>
/// Decrypts a previously encrypted string.
/// </summary>
/// <param name="inputText">The encrypted string to decrypt.</param>
/// <returns>A decrypted string.</returns>
public static string Decrypt(string inputText)
{
    RijndaelManaged rijndaelCipher = new RijndaelManaged();
    byte[] encryptedData = Convert.FromBase64String(inputText);
    PasswordDeriveBytes secretKey = new PasswordDeriveBytes(ENCRYPTION_KEY, SALT);

    using (ICryptoTransform decryptor = rijndaelCipher.CreateDecryptor(secretKey.GetBytes(32), secretKey.GetBytes(16)))
    {
        using (MemoryStream memoryStream = new MemoryStream(encryptedData))
        {
            using (CryptoStream cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read))
            {
                byte[] plainText = new byte[encryptedData.Length];
                int decryptedCount = cryptoStream.Read(plainText, 0, plainText.Length);
                return Encoding.Unicode.GetString(plainText, 0, decryptedCount);
            }
        }
    }
}

#endregion

}

Here's the code of my button function:

protected void Button1_Click(object sender, EventArgs e)
    {
        string sONbr = sONbrTextBox.Text;
        string SOLine = sOLineTextBox.Text;
        string SerialNbr = serialNbrTextBox.Text;
        string PalletID = palletIDTextBox.Text;
        string PackingListNo = PackingListNoTextBox.Text;
        string StatusCode = statusCodeComboBox.Text;
        string PackType = packTypeComboBox.Text;
        string CrUserID = Request.QueryString["LogInUser"].ToString();

        if (string.IsNullOrWhiteSpace(sONbr) || string.IsNullOrWhiteSpace(SOLine) || string.IsNullOrWhiteSpace(PalletID) || string.IsNullOrWhiteSpace(PackingListNo) || string.IsNullOrWhiteSpace(StatusCode) || string.IsNullOrWhiteSpace(PackType))
        {
            status_lbl.Text = "Please fill in all the information.";
            status_lbl.Visible = true;
            GridView1.Visible = false;
            return;
        }

        else if (string.IsNullOrWhiteSpace(CrUserID))
        {
            status_lbl.Text = "Please login your account!";
            status_lbl.Visible = true;
            ClientScript.RegisterStartupScript(Page.GetType(), "validation", "<script language='javascript'>alert('Please login your account!')</script>");
            Response.Redirect("Login Page.aspx");
            GridView1.Visible = false;
            return;
        }

        else
        {

            SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["constr_TESTINGSystem"].ToString());
            conn.Open();

            SqlCommand comm = conn.CreateCommand();
            comm.CommandType = CommandType.StoredProcedure;
            comm.CommandText = "usp_TagNumberUpdate";

            comm.Parameters.AddWithValue("@sONbr", sONbr);
            comm.Parameters.AddWithValue("@SOLine", SOLine);
            comm.Parameters.AddWithValue("@SerialNbr", SerialNbr);
            comm.Parameters.AddWithValue("@PalletID", PalletID);
            comm.Parameters.AddWithValue("@PackingListNo", PackingListNo);
            comm.Parameters.AddWithValue("@StatusCode", StatusCode);
            comm.Parameters.AddWithValue("@PackType", PackType);
            comm.Parameters.AddWithValue("@CrUserID", CrUserID);

            SqlParameter ReturnVal = comm.Parameters.Add("@return", SqlDbType.NVarChar,200);
            ReturnVal.Direction = ParameterDirection.Output;

            comm.ExecuteNonQuery();

            string val = (string)ReturnVal.Value;

            conn.Close();
            status_lbl.Text = val;
            status_lbl.Visible = true;
            CheckBox1.Checked = false;
            serialNbrTextBox.ReadOnly = true;
            serialNbrTextBox.BackColor = System.Drawing.ColorTranslator.FromHtml("#A9A9A9");
            serialNbrTextBox.Text = "N/A";
            sONbrTextBox.Text = sOLineTextBox.Text = palletIDTextBox.Text = PackingListNoTextBox.Text = "";
            GridView1.Visible = false;
        }
    }

protected void Button2_Click(object sender, EventArgs e)
    {
        string sONbr = sONbrTextBox.Text;
        string SOLine = sOLineTextBox.Text;
        string SerialNbr = serialNbrTextBox.Text;

        if (string.IsNullOrWhiteSpace(sONbr) || string.IsNullOrWhiteSpace(SOLine) || string.IsNullOrWhiteSpace(SerialNbr))
        {
            status_lbl.Text = "Please fill in SO #, SO LINE & SERIAL NO to check record.";
            status_lbl.Visible = true;
            GridView1.Visible = false;
            return;
        }

        else
        {
            status_lbl.Text = "Inquiry Successful!";
            status_lbl.Visible = true;
            GridView1.Visible = true;
        }
    }
Improve this question
2
  • Are you not calling RewritePath which redirects the user to a new web page/URL? Commented Dec 30, 2013 at 15:01
  • The login page that redirect to second page works perfectly & the URL was encrypted, but when i use my button function the URL automatically changed into the query string details & decrypted. But my button function doesn't redirect to any pages. That's what i'm confuse about. Commented Dec 30, 2013 at 15:29

1 Answer 1

Reset to default
1

How to encrypt query string in ASP.NET.

    private static string Key = "ABC123DEF456GH78";
    private static byte[] GetByte(string data)
    {
        return Encoding.UTF8.GetBytes(data);
    }

    public static byte[] EncryptString(string data)
    {
        byte[] byteData = GetByte(data);
        SymmetricAlgorithm algo = SymmetricAlgorithm.Create();
        algo.Key = GetByte(Key);
        algo.GenerateIV();

        MemoryStream mStream = new MemoryStream();
        mStream.Write(algo.IV, 0, algo.IV.Length);

        CryptoStream myCrypto = new CryptoStream(mStream, algo.CreateEncryptor(), CryptoStreamMode.Write);
        myCrypto.Write(byteData, 0, byteData.Length);
        myCrypto.FlushFinalBlock();

        return mStream.ToArray();
    }
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.