RC 's Code Snippets: QueryString Encryptor HTTPModule

I wrote an HttpModule that Encrypts querystrings. This module is seamless to the web developer. You can create html that looks like this: myPage.aspx?id=1&customer=2 and the source on the client will automatically be converted to this: myPage.aspx?eqs=KS%2bthrckechBKT%2bZ8IB44Bz3qvW3853f. Then to access the value in the code behind page you would use QueryString["id"] or QueryString["customer"].

To install it add QSHttpModules.dll to your bin directory and then add the following to your web.config (any where in <system.web>):

</httpModules>

The module does this by finding the links and replacing them with the encrypted version as the page is sent out to the client. Then on every request the module looks for an encrypted querystring, if found it decrypts it and rewrites the url.

The code is listed below, but you can also download it from my message board at: http://csharpboard.com/ShowPost.aspx?PostID=44. This module of course takes some overhead to process and it is not recommended to be used as a full security feature. Rights checking should always be in place. But, if a little cpu time is worth hiding the contents of your querystring, this may be for you.

As always, use at your own risk.

Code:

using System;
using System.Web;
using System.Text;
using System.Text.RegularExpressions;
using System.Security.Cryptography;
using System.IO;

namespace QSHttpModules
{
    // <summary>
    // HttpModule QueryStringEncryptor: Encrypts all querystrings for aspx pages
    // before the content is sent to the client. It also decrypts and rewrites the url
    // when the request is sent back so that querystring encryption is seamless to the
    // web developer.
    // </summary>
    public class QueryStringEncryptor : System.Web.IHttpModule
    {
        public QueryStringEncryptor(){}
        public String ModuleName { get { return "QueryStringEncryptor"; } }
        public void Dispose() {}

public void Init(HttpApplication application)
        {
            application.BeginRequest += new EventHandler(this.Application_BeginRequest);
        }

private void Application_BeginRequest(object source, EventArgs e)
        {
            HttpApplication application = (HttpApplication)source;
            HttpContext context = application.Context;

application.Response.Filter = new QueryStringResponseFilter(application.Response.Filter, application.Server);

if(context.Request.QueryString["eqs"] != null && context.Request.QueryString["eqs"] != string.Empty)
            {
                QueryStringCrypto qsc = new QueryStringCrypto();

context.RewritePath(context.Request.FilePath,
                    context.Request.PathInfo,
                    qsc.Decrypt(context.Request.QueryString["eqs"]));
            }
        }
                        
    } //QueryStringEncryptor

// <summary>
    // QueryStringResponseFilter rewrites the querystring with the encrypted version before
    // it is sent to the client.
    // </summary>
    public class QueryStringResponseFilter : Stream
    {
        private Regex validUrlRegex;
        private Stream responseStream;
        private long position;
        private StringBuilder html = new StringBuilder();
        private QueryStringCrypto qsc;
        private HttpServerUtility serverUtil;

public QueryStringResponseFilter(Stream inputStream, HttpServerUtility server)
        {
            responseStream = inputStream;
            serverUtil = server;
            qsc = new QueryStringCrypto();

validUrlRegex = new Regex(
                "\\b(https?|ftp|file)://[-A-Z0-9+&@#/%?=~_|!:,.;]*[-A-Z0-9+&@#/%=~_|]",
                RegexOptions.IgnoreCase);
        }
 
        public override bool CanRead {get { return true; }}
        public override bool CanSeek {get { return true; }}
        public override bool CanWrite {get { return true; }}
        public override void Close() {responseStream.Close();}
        public override void Flush() {responseStream.Flush();}
        public override long Length {get { return 0; }}

public override long Position
        {
            get { return position; }
            set { position = value; }
        }

public override long Seek(long offset, System.IO.SeekOrigin direction)
        {
            return responseStream.Seek(offset, direction);
        }

public override void SetLength(long length)
        {
            responseStream.SetLength(length);
        }

public override int Read(byte[] buffer, int offset, int count)
        {
            return responseStream.Read(buffer, offset, count);
        }
 
        public override void Write(byte[] buffer, int offset, int count)
        {
            string sBuffer = System.Text.UTF8Encoding.UTF8.GetString(buffer, offset, count);

Regex endOfFile = new Regex("</html>", RegexOptions.IgnoreCase);

if (endOfFile.IsMatch(sBuffer))
            {
                html.Append(sBuffer);
                string tempResponse = html.ToString();

MatchCollection aspxPageMatches = Regex.Matches(
                    html.ToString(),
                    "([-A-Z0-9+&@#/%~_|!:,.;]*)?\\.aspx\\?([-A-Z0-9+&@#/%=~_|!:,.;]*)?",
                    RegexOptions.IgnoreCase);

for(int i = 0; i < aspxPageMatches.Count; i++)
                    html.Replace(aspxPageMatches[i].Value, EncryptQueryString(aspxPageMatches[i].Value));

byte[] data = System.Text.UTF8Encoding.UTF8.GetBytes(html.ToString());
                responseStream.Write(data, 0, data.Length);
            }
            else
            {
                html.Append(sBuffer);
            }
        }

private string EncryptQueryString(string link)
        {
            bool isLocal = false;

if(!validUrlRegex.IsMatch(link))
                isLocal = true;
            else
            {
                //Check host
                //Will add in later
            }
            
            if(isLocal)
            {
                string[] linkArray = link.Split(Convert.ToChar("?"));
                return linkArray[0] + "?eqs=" + serverUtil.UrlEncode(qsc.Encrypt(linkArray[1]));
            }
            else
            {
                return link;
            }
        }
    } //QueryStringResponseFilter

// <summary>
    // QueryStringCrypto provides simple DES encruption for the querystring
    // </summary>
    public class QueryStringCrypto
    {
        private string key = "tb~5m_|-";
        private string iv = "'$4>i4fJ";
        private DESCryptoServiceProvider cryptoService;
        private ICryptoTransform encryptor;
        private ICryptoTransform decryptor;

public QueryStringCrypto()
        {
            cryptoService = new DESCryptoServiceProvider();
            cryptoService.Key = ASCIIEncoding.ASCII.GetBytes(key);
            cryptoService.IV = ASCIIEncoding.ASCII.GetBytes(iv);
            encryptor = cryptoService.CreateEncryptor();
            decryptor = cryptoService.CreateDecryptor();
        }

public string Encrypt(string data)
        {
            byte[] bytesIn = ASCIIEncoding.ASCII.GetBytes(data);
            MemoryStream ms = new MemoryStream();
            CryptoStream cs = new CryptoStream(ms, encryptor, CryptoStreamMode.Write);
            cs.Write(bytesIn, 0, bytesIn.Length);
            cs.FlushFinalBlock();
            cs.Close();
            byte[] bytesOut = ms.ToArray();
            ms.Close();

return Convert.ToBase64String(bytesOut);
        }

public string Decrypt(string encryptedData)
        {
            string returnValue = string.Empty;
            byte[] bytesIn = Convert.FromBase64String(encryptedData);
            MemoryStream ms = new MemoryStream(bytesIn);
            CryptoStream cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read);
            StreamReader sr = new StreamReader(cs);
            returnValue = sr.ReadToEnd();
            sr.Close();
            ms.Close();
            cs.Close();

return returnValue;
        }
    } //QueryStringCrypto

} //CoopHttpModules

7 Comments:

At 9/08/2004 10:31 PM , Anonymous said...: Dude, this is really tight!
At 1/19/2006 6:27 AM , Roli said...: Hi

The QueryStringEncryptor is very nice and works fine!

But I can't use the QueryStringEncryptor and ASP.NET themes at the same time. I think the problem is the line

application.Response.Filter = new QueryStringResponseFilter(application.Response.Filter, application.Server);

Perhaps themes would applicated by the Framework 2.0 by Response.Filter too?

Has anyother the same problems and a solution for that?

Cu, Roli
At 2/23/2006 10:58 AM , Anonymous said...: change it to the code below, then you should be fine

if(context.Request.Path.ToLower().EndsWith("aspx")) // set the response stream filter only for aspx page
{
application.Response.Filter = new QueryStringResponseFilter(application.Response.Filter, application.Server);
}
At 2/23/2006 11:06 AM , crypto128 said...: Overall it is great. Just there is 2 small bugs I found for this module. If you have "xxxx.aspx?id=1" and "xxxx.aspx?id=11", when you do a string replace in your overrided write, you will get trouble. Also if the page size bigger then buffer size, you will get trouble.

So change it to:

public override void Write(byte[] buffer, int offset, int count)
{
string sBuffer = System.Text.UTF8Encoding.UTF8.GetString(buffer, offset, count);
StringBuilder html = new StringBuilder();

MatchCollection aspxPageMatches = Regex.Matches(
sBuffer,
"([-A-Z0-9+&@#/%~_|!:,.;]*)?\\.(aspx|ashx|axd)\\?([-A-Z0-9+&@#/%=~_|!:,.;]*)?",
RegexOptions.IgnoreCase);

if(aspxPageMatches.Count > 0)
{
html.Append(sBuffer.Substring(0, aspxPageMatches[0].Index));
for(int i = 0; i < aspxPageMatches.Count-1; i++)
{
// StreamWriter sw = new StreamWriter(@"C:\temp\log.txt", true);
// sw.WriteLine(aspxPageMatches[i].Value);
// sw.Flush();
// sw.Close();

html.Append(EncryptQueryString(aspxPageMatches[i].Value));
html.Append(sBuffer.Substring(aspxPageMatches[i].Index + aspxPageMatches[i].Length, aspxPageMatches[i+1].Index - (aspxPageMatches[i].Index + aspxPageMatches[i].Length)));
}
html.Append(EncryptQueryString(aspxPageMatches[aspxPageMatches.Count-1].Value));
html.Append(sBuffer.Substring(aspxPageMatches[aspxPageMatches.Count-1].Index + aspxPageMatches[aspxPageMatches.Count-1].Length, sBuffer.Length - (aspxPageMatches[aspxPageMatches.Count-1].Index + aspxPageMatches[aspxPageMatches.Count-1].Length)));

byte[] data = System.Text.UTF8Encoding.UTF8.GetBytes(html.ToString());
responseStream.Write(data, 0, data.Length);
}
else
{
responseStream.Write(buffer, 0, buffer.Length);
}
}

This works for me.
At 11/14/2006 3:56 PM , marlon said...: It's not working for me. In the view source option is working but not replace the query string in the address bar.
At 2/07/2008 11:35 PM , Anonymous said...: Hi,

This HTTPModule is very nice module for Query String encription.

It takes the manual work involved in encryption, decryption of QS elements.

But, When I use it in my application...CSS styles are not coming. Totally NO STYLES are coming.

Please suggest some point to get ride of this problem.
At 3/13/2008 8:21 PM , Anonymous said...: Doesn't seem to handle Response.Redirect

Links to this post:

<$BlogBacklinkTitle$>: <$BlogBacklinkSnippet$>
<$I18NPostedByBacklinkAuthor$> @ <$BlogBacklinkDateTime$>

Create a Link

<< Home

RC 's Code Snippets

Monday, May 23, 2005

QueryString Encryptor HTTPModule

7 Comments:

Links to this post:

Previous Posts