Prevent query string manipulation by adding a hash?

Posted by saille on Stack Overflow See other posts from Stack Overflow or by saille
Published on 2009-06-29T23:49:41Z Indexed on 2010/03/26 12:03 UTC
Read the original article Hit count: 320

Filed under:

ASP.NET

|

querystring

|

hash

|

security

To protect a web application from query string manipulation, I was considering adding a query string parameter to every url which stores a SHA1 hash of all the other query string parameters & values, then validating against the hash on every request.

Does this method provide strong protection against user manipulation of query string values? Are there any other downsides/side-effects to doing this?

I am not particularly concerned about the 'ugly' urls for this private web application. Url's will still be 'bookmarkable' as the hash will always be the same for the same query string arguments.

This is an ASP.NET application.

© Stack Overflow or respective owner

Related posts about ASP.NET

Migrating ASP.NET MVC 1.0 applications to ASP.NET MVC 2 RTM

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
Note: ASP.NET MVC 2 RTM isn’t yet released! But this tool will help you get your ASP.NET MVC 1.0 applications ready for when it is! I have updated the MVC App Converter to convert projects from ASP.NET MVC 1.0 to ASP.NET MVC 2 RTM. This should be last the last major change to the MVC App Converter… >>> More
April 14th Links: ASP.NET, ASP.NET MVC, ASP.NET Web API and Visual Studio

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
Here is the latest in my link-listing blog series: ASP.NET Easily overlooked features in VS 11 Express for Web: Good post by Scott Hanselman that highlights a bunch of easily overlooked improvements that are coming to VS 11 (and specifically the free express editions) for web development: unit… >>> More
Use ASP.NET 4 Browser Definitions with ASP.NET 3.5

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
We updated the browser definitions files included with ASP.NET 4 to include information on recent browsers and devices such as Google Chrome and the iPhone. You can use these browser definition files with earlier versions of ASP.NET such as ASP.NET 3 Read More......(read more) >>> More
ASP.NET webforms + ASP.NET Ajax versus ASP.NET MVC and Ajax framework freedom

as seen on Stack Overflow - Search for 'Stack Overflow'
If given the choice, which path would you take? ASP.NET Webforms + ASP.NET AJAX or ASP.NET MVC + JavaScript Framework of your Choice Are there any limitations that ASP.NET Webforms / ASP.NET AJAX has vis-a-vis MVC? >>> More
ASP.NET MVC 2 Released

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
I’m happy to announce that the final release of ASP.NET MVC 2 is now available for VS 2008/Visual Web Developer 2008 Express with ASP.NET 3.5. You can download and install it from the following locations: Download ASP.NET MVC 2 using the Microsoft Web Platform Installer Download… >>> More

Related posts about querystring

Redirect from URL with QueryString to the same URL without QueryString

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a page request with a QueryString, say http://www.xyz.net/Orders.aspx?OrderID=1. The page is displayed in a browser. Now there is an asp:LinkButton on the page which should enable the user to open the page without the QueryString (as if he had entered http://www.xyz.net/Orders.aspx directly… >>> More
Querystring causes IE to show error

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a problem when I send IE to the following location: http://fdvweb.mal/db/historikk/db_historikk_liste.asp?SQLfilter=SELECT TaKompHistorikk.*, TaKomponent.KompNummer, TaKomponent.KompNavn, TaKomponent.KompPlassering FROM TaKomponent RIGHT OUTER JOIN TaKompHistorikk ON [TaKomponent].[KompId]=[TaKompHistorikk]… >>> More
Understanding Request Validation in ASP.NET MVC 3

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
Introduction: A fact that you must always remember "never ever trust user inputs". An application that trusts user inputs may be easily vulnerable to XSS, XSRF, SQL Injection, etc attacks. XSS and XSRF are… >>> More
C# XBAP QueryString (BrowserInteropHelper.Source.Query) Above 2080 Characters Problem

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm passing a very long argument string to a C# XBAP application, and I'm using the BrowserInteropHelper.Source.Query method to read the argument string. But, for some reason, everytime the string for the arguments goes about 2080 characters, the application fails. Have I exceeded the maximum length… >>> More
JMeter to grab full querystring into a variable for future use

as seen on Stack Overflow - Search for 'Stack Overflow'
Someone provided me the regex to parse out a query string: (?<=\?)[^?]+$ I am trying to use that in JMeter with no luck (although I am successful in pulling out individual query string parameter values based on various example postings on the web). I created a regular expression extractor called… >>> More