User Saved Safe URL without security risks

By -

Often there is a need to have a url like:

https://myhost/AccountStatement.aspx?accountId=0392342&Date=20111109

Unfortunately this opens a security risk. The https protects the page contents but not the URL. The URL is sent as open text. The above URL tempts hackers that may also be users of the system to try enumerating various accountId in the hope that someone has forgotten to check the access permission against the user for each account (A naive assumption is that you don’t know the account number unless you are the owner…).

 

One solution is to put put the data in a post back and thus take it off the URL line – unfortunately it is not friendly because it prevents a user from saving the URL for quick reference.  You can have both friendly and secure by encrypting the arguments.

 

If you use a Membership Provider you have a key that you can use for encrypting, using the user name or host name results in a second key so you can now well encrypt the URL Parameters. I usually just concatenated the URL parameters with tabs between each ordered part to make decomposition using a split easy, i.e. 0392342\t20111109 is what I would encrypt and assign to ?key=

 

The first part is a SALT for which I use the MembershipUser ProviderID, typically a GUID.

Code Snippet
  1. private static byte[] UserSpecificKey
  2. {
  3.     get
  4.     {
  5.         var user = Membership.GetUser();
  6.         if (user == null)
  7.         {
  8.             return Encoding.ASCII.GetBytes("GUEST");
  9.         }
  10.         return Encoding.ASCII.GetBytes(user.ProviderUserKey.ToString());
  11.     }
  12. }

Then I use a standard built in two way encrypt/decrypt and use some other bit of information, for example, the host name (which means that the URL is host specific).

Code Snippet
  1. public static string EncryptStringAES(string plainText)
  2.         {
  3.             if (string.IsNullOrEmpty(plainText))
  4.                 throw new ArgumentNullException("plainText");
  5.             var hostName = HttpContext.Current.Request.Url.DnsSafeHost;
  6.  
  7.             string outStr = null;
  8.             RijndaelManaged aesAlg = null;
  9.  
  10.             try
  11.             {
  12.                 var key = new Rfc2898DeriveBytes(hostName, UserSpecificKey);
  13.                 aesAlg = new RijndaelManaged();
  14.                 aesAlg.Key = key.GetBytes(aesAlg.KeySize / 8);
  15.                 aesAlg.IV = key.GetBytes(aesAlg.BlockSize / 8);
  16.                 var encryptor = aesAlg.CreateEncryptor(aesAlg.Key, aesAlg.IV);
  17.  
  18.                 using (var msEncrypt = new MemoryStream())
  19.                 {
  20.                     using (var csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
  21.                     {
  22.                         using (var swEncrypt = new StreamWriter(csEncrypt))
  23.                         {
  24.                             swEncrypt.Write(plainText);
  25.                         }
  26.                     }
  27.                     outStr = Convert.ToBase64String(msEncrypt.ToArray());
  28.                 }
  29.             }
  30.             finally
  31.             {
  32.                 if (aesAlg != null)
  33.                     aesAlg.Clear();
  34.             }
  35.             return outStr;
  36.         }

and

Code Snippet
  1. public static string DecryptStringAES(string cipherText)
  2. {
  3.     if (string.IsNullOrEmpty(cipherText))
  4.         throw new ArgumentNullException("cipherText");
  5.     var hostName = HttpContext.Current.Request.Url.DnsSafeHost;
  6.     RijndaelManaged aesAlg = null;
  7.     string plaintext = null;
  8.  
  9.     try
  10.     {
  11.         var key = new Rfc2898DeriveBytes(hostName, UserSpecificKey);
  12.         aesAlg = new RijndaelManaged();
  13.         aesAlg.Key = key.GetBytes(aesAlg.KeySize / 8);
  14.         aesAlg.IV = key.GetBytes(aesAlg.BlockSize / 8);
  15.  
  16.         var decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
  17.         byte[] bytes = Convert.FromBase64String(cipherText);
  18.         using (var msDecrypt = new MemoryStream(bytes))
  19.         {
  20.             using (var csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
  21.             {
  22.                 using (var srDecrypt = new StreamReader(csDecrypt))
  23.                     plaintext = srDecrypt.ReadToEnd();
  24.             }
  25.         }
  26.     }
  27.     finally
  28.     {
  29.         if (aesAlg != null)
  30.             aesAlg.Clear();
  31.     }
  32.     return plaintext;
  33. }

 

The user can now save the URLs,  they will be directed to the login page (if not logged in) and then redirected to the page they saved. There is no ability for anyone to go fishing. If someone on the same computer finds the saved link, they will be asked for a login (they may be a valid user of the system) but the page will NOT grant them access to the data since it will fail to decode the parameters.

 

Someone searching the browser history will not find any information that is exploitable. A room mate with your wallet can’t call up and say “Hi, my name is Jack Smith, Account No 0392342 and I want to do a wire transfer, my SSN is…. “ The account number is not available in the browser history.

Comments

Post a Comment

Popular posts from this blog

Yet once more into the breech (of altered programming logic)

By -
Once upon a time, long long ago, I wrote 8-bit programs in Tiny-C with absolute addressing being the only reality.  Then we had Borland Turbo-C with relative addresses and the joys of relative assembly jumps. Enter Windows and the joys of locking and unlocking memory blocks that you must allocated and manage yourself. Then came Visual Basic which evolved into .Net CLR and decreasing awareness of what is happening under the hood.   With VS2010 including F# and enhanced parallelism in .Net4, we actually have to go retro a bit – back to the world of having to understand the hardware. CPU speeds are no longer increasing – I have an old laptop from six+ years ago that ran at 3.2 GHz. This year I updated one of my machines off-the-shelf from Costco.com, an I7-920 with 4 cores and hyper-threading (8 CPUs appears in Task Manager) and 12 GB of DDR3 RAM. This week I ordered from Costco a Phenom II X6 (Yes – 6 REAL CORES) for one of my daughters.  This CPU will (according to YouTube demos) o
Read more

Simple WP7 Mango App for Background Tasks, Toast, and Tiles: Code Explanation

By -
Image
This is a continuation of this post , explaining how the sample app works. Caution : This sample isn’t meant as an example of best patterns and practices. If you see something in the code you would never do, then don’t. Solution File Organization The app has three Visual Studio Projects: the app, the agent, and the shared code library between them. One of the great things about Mango is that now the built-in Visual Studio Unit test functionality is available. By separating out the meat of the work into the SampleShared project, I can also focus my unit testing there. SampleApp1 The app has a MainPage, a ViewModel, and the WMAppManifest.xml file modified to note my ExtendedTask of BackgroundServiceAgent. The Agent is extremely simple with a call to the shared library, an update to the Tile, and a call to pop up Toast. The meat of the work is in the SampleShared library. The AgentMgr manages the background agent : add, remove, find, run now. It is only called f
Read more

How to convert SVG data to a Png Image file Using InkScape

By -
Image
Introduction The project required the need to put the visual pie chart on a web page on the client and in a Pdf file created on the server. I eventually choose to use a Telerik Kendo DataViz Chart control on the client, and use a PNG file on the server for the Pdf file. This blog post will explain the process and code to convert the client-side pie chart Svg data to a Png file, and provide a download to the working code. Prerequisites You need to have a trial version of the Telerik Kendo library installed in order to make the sample code work. You also need InkScape installed. InkScape is the application that does the actual conversion. You will need to change the Web.config appSetting of “ExeDirectoryForInkscape” to represent your own installation location. Any SVG Data Will Work The pie chart was created using the Telerik Kendo DataViz chart control. While I name a specific control, as long as you have access to the SVG data, the same conversion process on the server will
Read more