Encrypt the query string value in location bar / Status bar display

Discussion in 'ASP General' started by Jawahar Rajan, Jul 15, 2003.

  1. All,
    1) When using the QueryString of the request object the actual values are
    exposed to the viewer of the site and often users pick up on these values and
    start changing them. This can lead users to see data that they are not
    supposed to or even data that may be erroneous.
    Is there an easy way to encrypt the querystring values that get displayed on
    the location bar / other than not using querystring.

    2) Can I use JavaScript to disable the status bar, at the bottom of the
    page to not expose the URLs of various links on a page? (I know this is
    probably a JavaScript question.)

    Any help or suggestions are always welcome.

    Jawahar
     
    Jawahar Rajan, Jul 15, 2003
    #1

  2. Jawahar Rajan

    Evertjan. Guest

    Hi, Jawahar,

    Jawahar Rajan wrote on 15 jul 2003 in
    microsoft.public.inetserver.asp.general:
    > 1) When using the QueryString of the request object the actual values
    > are exposed to the viewer of the site and often users pick up on these
    > values and start changing them. This can lead users to see data that
    > they are not supposed to or even data that may be erroneous.
    > Is there an easy way to encrypt the querystring values that get
    > displayed on the location bar / other than not using querystring.


    use form/post, and catch that with

    <% r=request.form("myInputValue") %>

    > 2) Can I use JavaScript to disable the status bar, at the bottom
    > of the page to not expose the URLs of various links on a page?


    No, this is only settable by the user, as it should be.
    It is not the right of the web programmer to interfere with the rights
    of the user.

    > (I know this is probably a JavaScript question.)


    It does not matter if it is a js or vbs question, as ASP can support
    both.

    It is a clientside, and not a serverside question.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Jul 15, 2003
    #2

  3. Jawahar Rajan

    Evertjan. Guest

    VK wrote on 15 jul 2003 in microsoft.public.inetserver.asp.general:
    >> use form/post, and catch that with
    >>
    >> <% r=request.form("myInputValue") %>
    >>

    > So would that make the whole process secure ??


    Not at all. Who was talking about secure?
    Why would you want to make things secure from the user?

    I just answered the question how not to see the querystring in the
    address bar.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Jul 15, 2003
    #3
  4. Jawahar Rajan

    Evertjan. Guest

    VK wrote on 15 jul 2003 in microsoft.public.inetserver.asp.general:

    > Evertjan. wrote:
    >> VK wrote on 15 jul 2003 in microsoft.public.inetserver.asp.general:
    >>>> use form/post, and catch that with
    >>>>
    >>>> <% r=request.form("myInputValue") %>
    >>>>
    >>> So would that make the whole process secure ??

    >>
    >> Not at all. Who was talking about secure?
    >> Why would you want to make things secure from the user?
    >>
    >> I just answered the question how not to see the querystring in the
    >> address bar.

    >
    > The OP question was
    > "Is there an easy way to encrypt the querystring values that get
    > displayed on
    > the location bar / other than not using querystring."
    > And you suggested using "request.form" and so I had to question how
    > it was secure.


    Sure, but how would you encrypt something by not using it?

    I tried to explain this was not possible, implicitly thinking that we
    were talking <a href="/file.asp?qwert=7">, but security did not come
    into it.

    btw:

    Perhaps the answer should have been:

    1
    "By submitting a form method=query the querystring is not seen on the
    status bar."

    or

    2
    "By using <span onclick="/file.asp?qwerty=7"> the querystring is not seen
    on the status bar."

    or

    3
    "the value on the querystring can easily be encrypted and serverside
    decrypted with rot13"

    VBS Rot13 function:

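    Function ROT13(szInput)
        Dim coding, i, character, position, txt
        ' Alphabet plus its first 13 letters, so position + 13 never runs off the end
        coding = "ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLM"
        ' Append the same table in lower case
        coding = coding & LCase(coding)

        For i = 1 To Len(szInput)
            character = Mid(szInput, i, 1)
            ' InStr is case-sensitive by default; 0 means the character is not a letter
            position = InStr(coding, character)
            If position > 0 Then character = Mid(coding, position + 13, 1)
            txt = txt & character
        Next
        ROT13 = txt
    End Function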




    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Jul 15, 2003
    #4
  5. Jawahar Rajan

    VK Guest

    Evertjan. wrote:
    > VK wrote on 15 jul 2003 in microsoft.public.inetserver.asp.general:
    >
    >> Evertjan. wrote:
    >>> VK wrote on 15 jul 2003 in microsoft.public.inetserver.asp.general:
    >>>>> use form/post, and catch that with
    >>>>>
    >>>>> <% r=request.form("myInputValue") %>
    >>>>>
    >>>> So would that make the whole process secure ??
    >>>
    >>> Not at all. Who was talking about secure?
    >>> Why would you want to make things secure from the user?
    >>>
    >>> I just answered the question how not to see the querystring in the
    >>> address bar.

    >>
    >> The OP question was
    >> "Is there an easy way to encrypt the querystring values that get
    >> displayed on
    >> the location bar / other than not using querystring."
    >> And you suggested using "request.form" and so I had to question how
    >> it was secure.

    >
    > Sure, but how would you encrypt something by not using it?
    >
    > I tried to explain this was not possible, implicitly thinking that we
    > were talking <a href="/file.asp?qwert=7">, but security did not come
    > into it.
    >
    > btw:
    >
    > Perhaps the answer should have been:
    >
    > 1
    > "By submitting a form method=query the querystring is not seen on the
    > status bar."
    >
    > or
    >
    > 2
    > "By using <span onclick="/file.asp?qwerty=7"> the querystring is not
    > seen on the status bar."
    >
    > or
    >
    > 3
    > "the value on the querystring can easily be encrypted and serverside
    > decrypted with rot13"
    >
    > VBS Rot13 function:
    >
    > Function ROT13(szInput)
    > coding = "ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLM"
    > coding = coding & lcase(coding)
    >
    > For i = 1 To Len(szInput)
    > character = Mid(szInput, i, 1)
    > position = InStr(coding, character)
    > If position > 0 Then character = Mid(coding, position + 13, 1)
    > txt = txt & character
    > Next
    > ROT13 = txt
    > End Function


    I disagree with all the three answers. Imagine yourself in the OP's
    position. He obviously knows Request variables can be tampered to look at
    data which isn't supposed to be displayed. Someone has suggested encrypting
    the querystring (which is one of the best ways of securing the data). You
    are advising him to use a publicly available algorithm which can be hacked
    by any kid. Also your advice of using request.form is misleading him into
    thinking it's secure. It might hide the variable from displaying on the URL
    bar but IT'S NOT SECURE and so should not be used as an alternative.
     
    VK, Jul 15, 2003
    #5
  6. Jawahar Rajan

    MN Guest

    "Jawahar Rajan" <> wrote in message news:<o1PQa.233573$>...
    > All,
    > 1) When using the QueryString of the request object the actual values are
    > exposed to the viewer of the site and often users pick up on these values and
    > start changing them. This can lead users to see data that they are not
    > supposed to or even data that may be erroneous.
    > Is there an easy way to encrypt the querystring values that get displayed on
    > the location bar / other than not using querystring.


    I try not to pass any variables through the querystring where possible
    because people will mess with them. When I must I also pass a
    checksum, this way I can tell if anyone has been tampering.

    I use this code
    http://www.planet-source-code.com/vb/scripts/ShowCode.asp?lngWId=4&txtCodeId=7219
    so when I create the QS in ASP It goes...
    <a href="something.asp?somekey=<%=myKey%>&somekeyCRC=<%=CalculateCRC(myKey)%>">

    When I get to the target page I check the value against the CRC like
    so
    ' Send the visitor away if the CRC in the link does not match the value
    If (CalculateCRC(Request.QueryString("somekey")) <> Request.QueryString("somekeyCRC")) Then
        Response.Redirect("naughtynaughty.asp")
    End If

    > 2) Can I use JavaScript to disable the status bar, at the bottom of the
    > page to not expose the URLs of various links on a page? (I know this is
    > probably a JavaScript question.)


    Yes you can. Add this code into your <a> tag
    onMouseOver="(window.status='whatever you like');return true;"
    onMouseOut="(window.status='');return true;"

    > Any help or suggestions are always welcome.


    Never eat yellow snow!
     
    MN, Jul 17, 2003
    #6
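
Added example (not part of the thread and not any poster's code): the checksum idea from post #6 done with a keyed HMAC instead of a plain CRC, which also addresses the "publicly available algorithm" objection in post #5. It is written in Node.js JavaScript rather than classic ASP; the secret, the somekeySig parameter name and the CRC-32 stand-in for CalculateCRC are assumptions.

```javascript
const crypto = require('crypto');

// Constructed demo key (assumption): a real site loads a long random secret
// from server-side configuration and never sends it to the browser.
const SECRET = 'constructed-demo-secret';

// Standard CRC-32, standing in for the thread's CalculateCRC (assumption).
function crc32(text) {
  let crc = 0xFFFFFFFF;
  for (const byte of Buffer.from(text, 'utf8')) {
    crc ^= byte;
    for (let i = 0; i < 8; i++) crc = (crc >>> 1) ^ (0xEDB88320 & -(crc & 1));
  }
  return ((crc ^ 0xFFFFFFFF) >>> 0).toString(16).padStart(8, '0');
}

// Unkeyed check as in the thread: passes for any value/CRC pair that match.
const crcCheck = (value, crc) => crc32(value) === crc;

// Keyed tag: HMAC-SHA256 over "name=value", so a tag issued for one
// parameter is not valid for another.
function sign(name, value) {
  return crypto.createHmac('sha256', SECRET).update(`${name}=${value}`).digest('hex');
}

// Build the link the server hands out: something.asp?somekey=42&somekeySig=<tag>
function buildLink(page, name, value) {
  const qs = new URLSearchParams({ [name]: value, [`${name}Sig`]: sign(name, value) });
  return `${page}?${qs}`;
}

// Verify an incoming URL; compares in constant time and rejects malformed tags.
function checkLink(url, name) {
  const qs = new URL(url, 'http://localhost').searchParams;
  const expected = Buffer.from(sign(name, qs.get(name) ?? ''), 'hex');
  const given = Buffer.from(qs.get(`${name}Sig`) ?? '', 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

const link = buildLink('something.asp', 'somekey', '42');
const edited = link.replace('somekey=42', 'somekey=43'); // value changed in the address bar
console.log(checkLink(link, 'somekey'));    // untouched link
console.log(checkLink(edited, 'somekey'));  // edited value, original tag
console.log(crcCheck('43', crc32('43')));   // unkeyed CRC recomputed alongside the value
```

The tag only shows that the value came from the server unchanged; the target page still has to decide whether the logged-in user may see the record that value points to.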
