
Where is the "right" place to check if a querystring has been tampered with?

Developer https://www.devze.com 2023-01-29 02:25 Source: web

I want to add Querystring "checking" and logging in the case of any "tampered with" querystrings. Is the Page_Init event on a given page the right place to do that in the ASP.Net page lifecycle?


My general rule is to do everything as early as possible. This might even include checking as early as Application.BeginRequest (which occurs many events before the page is even loaded), so long as query string verification is not page-dependent.

The question here is "What do you consider to be tampering?" Invalid keys? Invalid values? Attempts to encode tags that might hopefully be written to the resulting page as part of an XSS attack?

It's hard to give any sort of specific advice without knowing more about what you're trying to accomplish.

EDIT: To access the application events, add a Global Application Class to your project from the 'Add New Item' option.

Every request triggers the application lifecycle, and the page lifecycle is just a sub-process within that when the request handler happens to be an aspx file.

EDIT2: Cleaning query string data depends entirely on what you are using the data for. Some potentially dangerous uses for query string data include:

  • Values for an SQL command: SQL injection can be largely mitigated by using 'parameterised queries'.
  • File locations: This could be used to make the server cough up any file on the hard drive if NTFS permissions on the server are lax.
  • Values written into the HTML response: A user could encode a tag and execute some JavaScript. Be sure to use Server.Encode() or manually cleanse the string.
  • ID values: If you are using the query string to store ID values, a user could replace those with others in an attempt to access information about things they shouldn't see, an example of which may be:

    http://domain.com/somepage.aspx?userid=1343243

The user makes an educated guess and changes this to:

http://domain.com/somepage.aspx?userid=0

And that could bring up the admin user.


What we follow in our project is to encrypt and decrypt the querystring. I can send you that class with the encrypt and decrypt functions. But for reference you can start with the following URL if it helps.

http://geekswithblogs.net/casualjim/articles/64639.aspx

Now in this case, if it is tampered with, it cannot be decrypted. You can write a page-level exception handler for it and redirect to a proper error page.

Let me know if you require more information on any specific point.

Cheers!!!
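As an added example (not code from either answer above), one way to combine the two suggestions: sign each protected query string with an HMAC when the link is built, and verify the signature in Application_BeginRequest in Global.asax.cs, where a mismatch is logged and the request redirected before any page code runs. The signing key, the parameter name `sig`, and the error page path are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;
using System.Web;
public class Global : HttpApplication
{
    // Placeholder secret for illustration; load the real key from protected configuration.
    private static readonly byte[] SigningKey = Encoding.UTF8.GetBytes("replace-with-a-long-random-secret");
    // Canonical form that gets signed: every parameter except "sig", sorted by name, as name=value&
    private static string Canonical(NameValueCollection qs)
    {
        var keys = new List<string>();
        foreach (string k in qs.AllKeys) if (k != null && k != "sig") keys.Add(k);
        keys.Sort(StringComparer.Ordinal);
        var sb = new StringBuilder();
        foreach (string k in keys)
            sb.Append(HttpUtility.UrlEncode(k)).Append('=').Append(HttpUtility.UrlEncode(qs[k])).Append('&');
        return sb.ToString();
    }
    // Call this when building a link: returns the "sig" value to append to the query string.
    public static string Sign(NameValueCollection qs)
    {
        using (var hmac = new HMACSHA256(SigningKey))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(Canonical(qs))))
                               .Replace("-", "").ToLowerInvariant();
    }
    // Constant-time comparison so a mismatch does not leak how many leading characters matched.
    public static bool Verify(NameValueCollection qs)
    {
        string presented = qs["sig"];
        if (string.IsNullOrEmpty(presented)) return false;
        byte[] a = Encoding.ASCII.GetBytes(presented.ToLowerInvariant());
        byte[] b = Encoding.ASCII.GetBytes(Sign(qs));
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // Runs for every request, before the page lifecycle starts, so no page code sees a tampered value.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest req = Context.Request;
        if (req.QueryString["sig"] == null || Verify(req.QueryString)) return; // unsigned links are not covered
        Trace.TraceWarning("Tampered query string from {0}: {1}", req.UserHostAddress, req.Url.PathAndQuery);
        Response.Redirect("~/Error.aspx", true); // error page path is a placeholder
    }
}
```

A signature only proves the link was generated by the server; the `userid=0` case in the first answer still needs an authorization check against the logged-in user.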

