Encrypt the query string value in location bar / Status bar display

Jawahar Rajan

All,
1) When using the QueryString of the request object the actual values are
exposed to the viewer of the site and often users pick up on these values and
start changing them. This can lead users to see data that they are not
supposed to or even data that may be erroneous.
Is there an easy way to encrypt the querystring values that get displayed on
the location bar / other than not using querystring?

2) Can I use JavaScript to disable the status bar, at the bottom of the
page to not expose the URLs of various links on a page? (I know this is
probably a JavaScript question.)

Any help or suggestions are always welcome.

Jawahar
 
Evertjan.

Hi, Jawahar,

Jawahar Rajan wrote on 15 jul 2003 in
microsoft.public.inetserver.asp.general:
1) When using the QueryString of the request object the actual values
are exposed to the viewer of the site and often users pick up on these
values and start changing them. This can lead users to see data that
they are not supposed to or even data that may be erroneous.
Is there an easy way to encrypt the querystring values that get
displayed on the location bar / other than not using querystring?

use form/post, and catch that with

2) Can I use JavaScript to disable the status bar, at the bottom
of the page to not expose the URLs of various links on a page?

No, this is only settable by the user, as it should be.
It is not the right of the web programmer to interfere with the rights
of the user.

(I know this is probably a JavaScript question.)

It does not matter if it is a js or vbs question, as ASP can support
both.

It is a clientside, and not a serverside question.
 
Evertjan.

VK wrote on 15 jul 2003 in microsoft.public.inetserver.asp.general:
So would that make the whole process secure ??

Not at all. Who was talking about secure?
Why would you want to make things secure from the user.

I just answered the question how not to see the querystring in the
address bar.
 
Evertjan.

VK wrote on 15 jul 2003 in microsoft.public.inetserver.asp.general:
The OP question was
"Is there an easy way to encrypt the querystring values that get
displayed on
the location bar / other than not using querystring."
And you suggested using "request.form" and so I had to question how
it was secure.

Sure, but how would you encrypt something by not using it?

I tried to explain this was not possible, implicitly thinking that we
were talking <a href="/file.asp?qwert=7">, but security did not come
into it.

btw:

Perhaps the answer should have been:

1
"By submitting a form method=query the querystring is not seen on the
status bar."

or

2
"By using <span onclick="/file.asp?qwerty=7"> the querystring is not seen
on the status bar."

or

3
"the value on the querystring can easily be encrypted and serverside
decrypted with rot13"

VBS Rot13 function:

Function ROT13(szInput)
    Dim coding, character, position, txt, i
    ' Alphabet plus its first 13 letters, so "position + 13" never runs off the end
    coding = "ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLM"
    coding = coding & LCase(coding)

    For i = 1 To Len(szInput)
        character = Mid(szInput, i, 1)
        position = InStr(coding, character)
        ' Letters are shifted 13 places; anything else passes through unchanged
        If position > 0 Then character = Mid(coding, position + 13, 1)
        txt = txt & character
    Next
    ROT13 = txt
End Function
 
VK

Evertjan. said:
VK wrote on 15 jul 2003 in microsoft.public.inetserver.asp.general:


Sure, but how would you encrypt something by not using it?

I tried to explain this was not possible, implicitly thinking that we
were talking <a href="/file.asp?qwert=7">, but security did not come
into it.

btw:

Perhaps the answer should have been:

1
"By submitting a form method=query the querystring is not seen on the
status bar."

or

2
"By using <span onclick="/file.asp?qwerty=7"> the querystring is not
seen on the status bar."

or

3
"the value on the querystring can easily be encrypted and serverside
decrypted with rot13"

VBS Rot13 function:

Function ROT13(szInput)
    Dim coding, character, position, txt, i
    ' Alphabet plus its first 13 letters, so "position + 13" never runs off the end
    coding = "ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLM"
    coding = coding & LCase(coding)

    For i = 1 To Len(szInput)
        character = Mid(szInput, i, 1)
        position = InStr(coding, character)
        ' Letters are shifted 13 places; anything else passes through unchanged
        If position > 0 Then character = Mid(coding, position + 13, 1)
        txt = txt & character
    Next
    ROT13 = txt
End Function

I disagree with all the three answers. Imagine yourself in the OP's
position. He obviously knows Request variables can be tampered to look at
data which isn't supposed to be displayed. Someone has suggested encrypting
the querystring (which is one of the best ways of securing the data). You
are advising him to use a publicly available algorithm which can be hacked
by any kid. Also your advice of using request.form is misleading him into
thinking it's secure. It might hide the variable from displaying on the URL
bar but IT'S NOT SECURE and so should not be used as an alternative.
 
MN

Jawahar Rajan said:
All,
1) When using the QueryString of the request object the actual values are
exposed to the viewer of the site and often users pick up on these values and
start changing them. This can lead users to see data that they are not
supposed to or even data that may be erroneous.
Is there an easy way to encrypt the querystring values that get displayed on
the location bar / other than not using querystring?

I try not to pass any variables through the querystring where possible
because people will mess with them. When I must, I also pass a
checksum; this way I can tell if anyone has been tampering.

I use this code
http://www.planet-source-code.com/vb/scripts/ShowCode.asp?lngWId=4&txtCodeId=7219
so when I create the QS in ASP it goes...

<a href="something.asp?somekey=<%=myKey%>&somekeyCRC=<%=CalculateCRC(myKey)%>">

When I get to the target page I check the value against the CRC like
so

if (CalculateCRC(request.querystring("somekey")) <> _
    request.querystring("somekeyCRC")) then
    response.redirect("naughtynaughty.asp")
end if

2) Can I use JavaScript to disable the status bar, at the bottom of the
page to not expose the URLs of various links on a page? (I know this is
probably a JavaScript question.)

Yes you can. Add this code into your <a> tag

onMouseOver="(window.status='whatever you like');return true;"
onMouseOut="(window.status='');return true;"

Any help or suggestions are always welcome.

Never eat yellow snow!
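
Added example (Python, not code from any poster in the thread): the unkeyed CRC check described in the last post next to a keyed HMAC-SHA256 tag, showing which one still passes after the value is edited. `SECRET_KEY`, the `somekeyMAC` parameter and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import zlib
from urllib.parse import parse_qs, urlencode

# Assumption: a secret that lives only on the server (constructed value).
SECRET_KEY = b"constructed-demo-key-kept-server-side"


def crc_link(value):
    """Unkeyed checksum as in the post: anyone who knows CRC-32 can make one."""
    crc = format(zlib.crc32(value.encode()), "08x")
    return urlencode({"somekey": value, "somekeyCRC": crc})


def crc_ok(query):
    q = parse_qs(query)
    value = q.get("somekey", [""])[0]
    return format(zlib.crc32(value.encode()), "08x") == q.get("somekeyCRC", [""])[0]


def _tag(value):
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()


def mac_link(value):
    """Keyed tag: producing a valid one requires SECRET_KEY."""
    return urlencode({"somekey": value, "somekeyMAC": _tag(value)})


def mac_ok(query):
    q = parse_qs(query)
    value = q.get("somekey", [""])[0]
    supplied = q.get("somekeyMAC", [""])[0]
    # Constant-time comparison of the expected and supplied tags.
    return hmac.compare_digest(_tag(value).encode(), supplied.encode())


def demo():
    """Edit the value client-side and see which check notices."""
    # The CRC for the edited value can be recomputed without any secret.
    edited_crc = crc_link("1002")
    # Without the key, the only tag available is the stale one for "1001".
    genuine = mac_link("1001")
    stale = parse_qs(genuine)["somekeyMAC"][0]
    edited_mac = urlencode({"somekey": "1002", "somekeyMAC": stale})
    return crc_ok(edited_crc), mac_ok(genuine), mac_ok(edited_mac)
```

`demo()` returns `(True, True, False)`. A valid tag shows only that the server issued the link, so the target page still has to check that the logged-in user may see the record.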
 
