Encryption of URL in MVC 4

Views: 712

Problem description




I am working on encrypting the parameters in MVC URLs, such as

http://localhost:xxxx/Movies/Edit/1, encrypting the parameter value 1, assigned to id.

Basically, what I followed is implementing a custom action link which will encrypt the RouteValueDictionary values based on a salt string and prefix the encrypted value with the same text, say Encrypt_, so the output would be Encrypt_dfhwo=23nbsdkfhskdf.

so the URL would be

http://localhost:xxxx/Movies/Edit/Encrypt_dfhwo=23nbsdkfhskdf

I implemented DefaultControllerFactory.CreateController, in which I check whether the route value starts with the prefix Encrypt_, then decrypt the value and pass it to the controller.

Everything is working fine. The problem I see is that if a hacker manipulates the URL and changes it to http://localhost:xxxx/Movies/Edit/5 (a random number which matches a record in the database), then my controller will process the request without any decryption mechanism.

How do I overcome this problem? Do you guys see any potential loophole here?

Any suggestions are most welcome.

Solution

  1. What are you getting by encrypting the database record? It looks like the value can still be replayed.
  2. If you only want access to the record by encrypted value, decrypt it in your action, not before it, and don't allow access by just the number in your action.
  3. A hacker can still send random values even with just the encrypted value allowed, and can still learn to encrypt any value they want; there are many side-channel attack possibilities. You need to use authenticated encryption in this case.
  4. You should use a URL-safe base64; your example doesn't look like that is the case.

If all you want is that someone is not able to randomly guess the record value, use a high-level encryption framework that gives you fewer choices, to lessen encryption mistakes. I ported Google's Keyczar to C#, so that C# would have such a framework. It has authenticated encryption, which adds 41 bytes to your encryption for the header, random IV, and tag, and by default uses a web-safe base64.
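The scheme from the question (an Encrypt_-prefixed route value that the server decrypts) reworked along the lines of the answer: authenticated encryption (AES-256-GCM), URL-safe base64 without padding, and decoding done by the action itself so that a bare number such as 5, a truncated token, or a token with one changed character is refused before any database lookup. This is an added example written for this page in Go, not the asker's C# code and not Keyczar; the all-zero key, the route names and the Tamper helper are constructed for the demo, and binding the route name as additional authenticated data goes beyond what the answer suggests. Note what it does not fix, which is the answer's first point: a valid token still opens the same record every time it is replayed, so the action must still check that the current user is allowed to edit that record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Prefix marks an encrypted route value, as in the question.
const Prefix = "Encrypt_"

// ErrInvalidID is returned for anything this codec did not mint: a bare number,
// a token from another route, or a token with a modified byte.
var ErrInvalidID = errors.New("route value is not a valid encrypted id")

// IDCodec seals record ids with AES-256-GCM (authenticated encryption).
type IDCodec struct {
	aead cipher.AEAD
}

// NewIDCodec takes a 32-byte key (loaded from configuration in practice).
func NewIDCodec(key []byte) (*IDCodec, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &IDCodec{aead: aead}, nil
}

// Encode produces Prefix + urlsafe-base64(nonce || ciphertext || tag).
// The route name is bound as additional data (an assumption of this example),
// so a token minted for Movies/Edit does not authenticate on Movies/Delete.
func (c *IDCodec) Encode(route string, id uint64) (string, error) {
	nonce := make([]byte, c.aead.NonceSize()) // 96-bit random nonce per link
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	plain := make([]byte, 8)
	binary.BigEndian.PutUint64(plain, id)
	// Seal appends ciphertext and tag after the nonce: one self-contained blob.
	sealed := c.aead.Seal(nonce, nonce, plain, []byte(route))
	return Prefix + base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Decode is what the action (not the controller factory) calls. Nothing that
// fails authentication reaches the database, so a guessed "5" is rejected.
func (c *IDCodec) Decode(route, value string) (uint64, error) {
	if !strings.HasPrefix(value, Prefix) {
		return 0, ErrInvalidID
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(value, Prefix))
	if err != nil {
		return 0, ErrInvalidID
	}
	ns := c.aead.NonceSize()
	if len(raw) != ns+8+c.aead.Overhead() {
		return 0, ErrInvalidID
	}
	plain, err := c.aead.Open(nil, raw[:ns], raw[ns:], []byte(route))
	if err != nil {
		return 0, ErrInvalidID // tag mismatch: tampered, wrong route, or wrong key
	}
	return binary.BigEndian.Uint64(plain), nil
}

// Tamper flips one character inside the ciphertext part of a token, simulating
// an attacker editing the URL by hand (demo helper, not part of the scheme).
func Tamper(token string) string {
	b := []byte(token)
	i := len(Prefix) + 20 // past the 16 base64 chars that hold the nonce
	if b[i] == 'A' {
		b[i] = 'B'
	} else {
		b[i] = 'A'
	}
	return string(b)
}

func main() {
	codec, err := NewIDCodec(make([]byte, 32)) // all-zero demo key only
	if err != nil {
		panic(err)
	}
	tok, _ := codec.Encode("Movies/Edit", 1)
	fmt.Println("link: /Movies/Edit/" + tok)
	for _, v := range []string{tok, "5", Prefix + "5", Tamper(tok)} {
		id, err := codec.Decode("Movies/Edit", v)
		fmt.Printf("%-60s -> id=%d err=%v\n", v, id, err)
	}
	_, err = codec.Decode("Movies/Delete", tok)
	fmt.Println("same token on Movies/Delete ->", err)
}
```

Two links to the same record carry different tokens because of the random nonce, which is what removes the "encrypt any value they want" oracle from the answer's third point: an attacker who collects tokens cannot compare them or build one for id 5 without the key. The 28 bytes of overhead here (12-byte nonce plus 16-byte tag) play the same role as the 41 bytes the answer quotes for Keyczar's header, IV and tag.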
