Secure query string parameters

Question

I have an application which use the Thick box jQuery component to open a popup page .

And I pass my parameters in query string like this :

 <a id="btnShowPopup6" runat="server" class="thickbox" href='<%#"RollUp.aspx?TCode="+Eval("Code")+"...."+"&AR=1"+"&TBiframe=true&height=530&width=750"%>'>

This 's the only choice I have, I can't use session variables with this method or post parameters so just the query string way.

How can I secure my query string so the user can't play with them? What's the best way to encrypt my query string?

set of important parameters which according to them get specific documents so if the user play with these parameters he can get other documents. — Anyname Donotcare, Dec 19 '12 at 14:26
No, you have an `Eval()` call in there. What's that for? Are you putting user parameters into an eval? — Polynomial, Dec 19 '12 at 14:35
yes this `Eval()` comes from grid view data source ,when the user click on the link above it goes to the `RollUp.aspx` with these eval parameters . — Anyname Donotcare, Dec 19 '12 at 14:37
hmm , Could u help me please to secure my data ? the optimum solution is to use sessions i know but what about the alternatives , i don't want to make major changes now . — Anyname Donotcare, Dec 19 '12 at 14:42

Polynomial · Accepted Answer · 2012-12-19T15:12:07.013

5

Putting user-provided values into an eval() call is a horrible idea, because it essentially amounts to a remote code execution vulnerability. Let's say your code looks like this...

var data = eval(webRequest.Parameters["p"]);

Now imagine I put this into the p parameter...

System.IO.File.Delete(@"c:\windows\system32\ntoskrnl.exe");

Whoops! I just deleted your kernel.

No amount of messing around with escaping will work here - it's a fundamentally broken concept.

Encrypting parameters does nothing but complicate things. Go for the correct approach, and use a session variable like the language is designed to do.

Update: To be clear, I'm talking about eval() in a generic sense. If you're using the Eval binding method on a data controller in C#, you should be OK as long as no user parameters go in there, otherwise they can cause your code to dump out arbitrary values from your database, without even needing SQL injection.

edited Dec 19 '12 at 15:12

answered Dec 19 '12 at 14:45

Polynomial

132,208
43
298
379

okay thanks s lot , but when to use `Eval()` expression – Anyname Donotcare Dec 19 '12 at 14:56
1

Never. Avoid it like the plague. It's the security equivalent of `goto`. – Polynomial Dec 19 '12 at 14:56
even if i want to use a template field and get the value from the gridview datasource ? – Anyname Donotcare Dec 19 '12 at 14:57
Like this : `` Or `` http://msdn.microsoft.com/en-us/library/bb288032.aspx – Anyname Donotcare Dec 19 '12 at 15:02
1

Is this Eval a method of an object? I'm not familiar with ASP.NET (I'm a WinForms guy) - it *may* be ok if you're using it to bind to a data controller, but not if you accept user supplied values into your `eval` parameter. – Polynomial Dec 19 '12 at 15:10
yeah it's used to just bind advanced controls like grid view or list view . – Anyname Donotcare Dec 19 '12 at 15:12
1

See my updated answer. – Polynomial Dec 19 '12 at 15:12
`but not if you accept user supplied values into your eval parameter.` Please more explanation to this sentence – Anyname Donotcare Dec 19 '12 at 15:13
1

Let's say you do `dc.Eval(webRequest.Parameters["p"])` - I can pass any column name into `p` and your code will give me the contents of that column. This is a **bad idea**, especially when doing JOINs onto user tables, because it essentially amounts to an SQL injection. – Polynomial Dec 19 '12 at 15:15
yeah i see, Did u mean i can't depend on those values for example to delete row ? – Anyname Donotcare Dec 19 '12 at 15:17
1

Absolutely not. Doing so would constitute a [direct object reference bug](https://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference). – Polynomial Dec 19 '12 at 15:21

Secure query string parameters

1 Answers1

Linked