C# ASP.NET MVC URL encryption

Viewed 208 times

-1

The method I’m using to encrypt the URL is working, but sometimes the encrypted value contains a / in the middle, which makes it not find the desired route.

public static string EncryptQueryString(string clearText)
{
    byte[] clearBytes = Encoding.Unicode.GetBytes(clearText);
    using (Aes encryptor = Aes.Create())
    {
        var pdb = new Rfc2898DeriveBytes(encryptionKey, new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });
        encryptor.Key = pdb.GetBytes(32);
        encryptor.IV = pdb.GetBytes(16);
        using (var ms = new MemoryStream())
        {
            using (var cs = new CryptoStream(ms, encryptor.CreateEncryptor(), CryptoStreamMode.Write))
            {
                cs.Write(clearBytes, 0, clearBytes.Length);
                cs.Close();
            }
            clearText = Convert.ToBase64String(ms.ToArray());
        }
    }
    return clearText;
}

1 answer

0

You can add System.Web.HttpUtility.UrlEncode() to handle the special characters generated by the obfuscation.

public static string EncryptQueryString(string clearText)
{
    byte[] clearBytes = Encoding.Unicode.GetBytes(clearText);
    using (Aes encryptor = Aes.Create())
    {
        var pdb = new Rfc2898DeriveBytes(encryptionKey, new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });
        encryptor.Key = pdb.GetBytes(32);
        encryptor.IV = pdb.GetBytes(16);
        using (var ms = new MemoryStream())
        {
            using (var cs = new CryptoStream(ms, encryptor.CreateEncryptor(), CryptoStreamMode.Write))
            {
                cs.Write(clearBytes, 0, clearBytes.Length);
                cs.Close();
            }
            clearText = Convert.ToBase64String(ms.ToArray());
        }
    }
    return System.Web.HttpUtility.UrlEncode(clearText);
}
  • It did not work; now the following error is appearing: A potentially dangerous Request.Path value was detected from the client (%).

  • That’s another matter. Where did this message come from? Show an example of a generated URL.

  • This was the URL that gave the error: http://localhost:52257/Home/Index/7n0d%252bUcybPgim2Dk1OcXDA%253d%253d? nameZD5Pq9C6IXZ8FbOVOV90g%253d%253d

  • There is nothing wrong with the URL; the error message must come from your antivirus, firewall or your company's proxy rules.

  • But if I deploy, will the error continue for users?

  • Send a screenshot of this error screen.

  • Link to the screenshot: https://drive.google.com/open?id=1OBlKxBK4Xs5-WdcB6f7mj33mh7NaZj96

  • Now I understand, but why do you want to encrypt a route parameter?

  • For example, when a user accesses a screen to change their profile, the user ID is in the URL, so any logged-in user can simply type an ID and access another user's data. That was my thinking. Is there another way to close this security hole?
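The "/" that breaks the route and the "%" flagged after UrlEncode both come from the text encoding of the ciphertext, not from the encryption itself. As an added example (not code from the question or the answer; the names RouteToken, Encode, Decode and the sample bytes are assumptions), Base64url yields a token containing neither character and decodes it back:

```csharp
using System;

public static class RouteToken
{
    // Base64url (RFC 4648, section 5): '+' becomes '-', '/' becomes '_',
    // and the '=' padding is dropped, so nothing needs percent-encoding.
    public static string Encode(byte[] data)
    {
        return Convert.ToBase64String(data)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Reverses Encode. Returns null for anything that is not Base64url,
    // so a tampered route value can be answered with 404 instead of throwing.
    public static byte[] Decode(string token)
    {
        if (string.IsNullOrEmpty(token) || token.Length % 4 == 1) return null;
        foreach (char c in token)
        {
            bool ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                   || (c >= '0' && c <= '9') || c == '-' || c == '_';
            if (!ok) return null;
        }
        string b64 = token.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample bytes, chosen so plain Base64 contains '+', '/' and '='.
        byte[] cipherBytes = { 0xFB, 0xFF, 0xFE, 0x3F };
        string plainB64 = Convert.ToBase64String(cipherBytes);
        Console.WriteLine("Base64:        " + plainB64);

        // Percent-encoding applied twice (once by the caller, once when the URL
        // is built) gives the %25-prefixed sequences seen in the failing URL.
        string twice = Uri.EscapeDataString(Uri.EscapeDataString(plainB64));
        Console.WriteLine("Encoded twice: " + twice);

        string token = RouteToken.Encode(cipherBytes);
        Console.WriteLine("Base64url:     " + token);
        Console.WriteLine("Round trip:    " + BitConverter.ToString(RouteToken.Decode(token)));
    }
}
```

In EncryptQueryString this would replace the Convert.ToBase64String call, with Decode feeding the matching decrypt routine. An encoded or encrypted ID is not an access check: the action still has to verify that the logged-in user is allowed to see the requested record.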

