Where is the “right” place to check if a querystring has been tampered with?
https://stackoverflow.com/questions/4357259
-
08-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russianسؤال
I want to add Querystring "checking" and logging in the case of any "tampered with" querystrings. Is the Page_Init event on a given page the right place to do that in the ASP.Net page lifecycle?
المحلول
My general rule is to do everything as early as possible. This might even include checking as early as Application.BeginRequest (which occurs may events before the page is even loaded), so long as query string verification is not page-dependent.
The question here is "What do you consider to be tampering?" Invalid keys? Invalid values? Attempts to encode tags that might hopefully be written to the resulting page as part of an XSS attack?
It's hard to give any sort of specific advice without knowing more about what you're trying to accomplish.
EDIT: To access the application events, add a Global Application Class to your project from the 'Add New Item' option.
Every request triggers the application lifecycle, and the page lifecycle is just a sub-process within that when the request handler happens to be an aspx file.
EDIT2: Cleaning query string data depends entirely on what you are using the data for. Some potentially dangerous uses for query string data include:
- Values for an SQL command: SQL injection can be largely mitigated by using 'parameterised queries'.
- File locations: This could be used to make the server cough up any file on the hard drive if NTFS permissions on the server are lax.
- Values written into the HTML response: A user could encode a tag and execute some JavaScript. Be sure to use Server.Encode() or manually cleanse the string.
ID values: If you are using the query string to store ID values, a user could replace those with others in at attempt to access information about things they shouldn't see, an example of which may be:
The user makes an educated guess and changes this to:
http://domain.com/somepage.aspx?userid=0
And that could bring up the admin user.
نصائح أخرى
What we follow in our project to use encrypt and decrypt querystring. I can send you that class for encrypt and decrypt function. But for reference you can start with following URL if it helps.
http://geekswithblogs.net/casualjim/articles/64639.aspx
Now in this if it is tempered, it could not be decrypted. You can write page level exception for it and redirect to proper error page.
Let me know if you require more information on any specific point.
Cheers!!!
