I want to encrypt the Id part of a given URL and I used SHA-1 for that. This algorithm converts the id to the following string:
NxVhIhrfbZNzyxqtudUZdiv4DdQA9nF1Zn7CueGUiT8=|h1bCRiN5zxexiIhHp+qNEQ0jVh/8fMGiIkeTf30LVdU=
Therefore, my final url would be something like this:
http://localhost:9432/Product/Edit/NxVhIhrfbZNzyxqtudUZdiv4DdQA9nF1Zn7CueGUiT8=|h1bCRiN5zxexiIhHp+qNEQ0jVh/8fMGiIkeTf30LVdU=
This URL has some characters which cause the request to fail. For example, '+' is not allowed in a URL. So I used HttpUtility.UrlEncode() on the encrypted Id and got this string as a result:
NxVhIhrfbZNzyxqtudUZdiv4DdQA9nF1Zn7CueGUiT8%3d%7ch1bCRiN5zxexiIhHp%2bqNEQ0jVh%2f8fMGiIkeTf30LVdU%3d
Now my url is:
http://localhost:9432/Product/Edit/NxVhIhrfbZNzyxqtudUZdiv4DdQA9nF1Zn7CueGUiT8%3d%7ch1bCRiN5zxexiIhHp%2bqNEQ0jVh%2f8fMGiIkeTf30LVdU%3d
However, using the above URL causes the following error:
The request contained a double escape sequence and request filtering is configured on the Web server to deny double escape sequences.
I can ignore that by inserting the below code in web.config:
<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="true" />
  </security>
</system.webServer>
Now I have two questions:
1. Why does the result of HttpUtility.UrlEncode() cause any kind of error? As I noticed, the result doesn't contain any illegal character for a URL.
2. As I understood, putting <requestFiltering allowDoubleEscaping="true" /> is not a good solution, since it will create a security hole in the application, so what would be the best solution in this case?
The result of HttpUtility.UrlEncode() doesn't contain errors; it is just encoding the + sign, which will be detected on the IIS level. IIS rejects "+" in URLs by default. Your workaround will work:
<requestFiltering allowDoubleEscaping="true" />
but as you said, it will create some security problems because this makes your site more vulnerable to malicious URLs.
What I suggest: either you use another encryption algorithm that doesn't generate these "IIS"-sensitive characters, or if you want to use the above workaround, you need to implement proper URL/user-input validation in order to make sure that you catch and prevent all suspicious entries.
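The answer's first suggestion, keeping IIS-sensitive characters out of the URL in the first place, does not actually require a different cipher: the characters come from standard base64 ('+', '/', '=') and from the '|' separator, not from the encryption itself. The following console program is an added example, not code from the original question or answer. It assumes the encrypted id is produced as a ciphertext and a MAC (the two halves of the original "cipher|mac" string), uses AES-CBC with HMAC-SHA256 in an encrypt-then-MAC layout purely for illustration, and emits the token in RFC 4648 base64url with '.' as the separator, so the token never needs HttpUtility.UrlEncode() and allowDoubleEscaping can stay at its default. The helper names (UrlSafeId, Protect, Unprotect, ToBase64Url, FromBase64Url) are assumptions for this example.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the original post): URL-safe wrapping of an encrypted id.
public static class UrlSafeId
{
    // RFC 4648 section 5 base64url: '+' -> '-', '/' -> '_', padding '=' dropped.
    public static string ToBase64Url(byte[] data)
    {
        return Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4) // restore the padding Convert.FromBase64String requires
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
            case 1: throw new FormatException("Invalid base64url length");
        }
        return Convert.FromBase64String(b64);
    }

    // Token layout: base64url(IV || ciphertext) + "." + base64url(HMAC over IV || ciphertext).
    // '.' is unreserved in URLs, unlike the '|' used in the question.
    public static string Protect(int id, byte[] aesKey, byte[] macKey)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = aesKey;
            aes.GenerateIV();                       // fresh random IV per token
            byte[] plain = BitConverter.GetBytes(id);
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            byte[] ivAndCipher = new byte[aes.IV.Length + cipher.Length];
            Buffer.BlockCopy(aes.IV, 0, ivAndCipher, 0, aes.IV.Length);
            Buffer.BlockCopy(cipher, 0, ivAndCipher, aes.IV.Length, cipher.Length);
            byte[] mac;
            using (var hmac = new HMACSHA256(macKey))
                mac = hmac.ComputeHash(ivAndCipher); // encrypt-then-MAC
            return ToBase64Url(ivAndCipher) + "." + ToBase64Url(mac);
        }
    }

    public static int Unprotect(string token, byte[] aesKey, byte[] macKey)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 2) throw new FormatException("Malformed token");
        byte[] ivAndCipher = FromBase64Url(parts[0]);
        byte[] mac = FromBase64Url(parts[1]);
        using (var hmac = new HMACSHA256(macKey))
        {
            // Verify the MAC before touching the ciphertext; compare in constant time
            // so a tampered id is rejected without leaking how many bytes matched.
            byte[] expected = hmac.ComputeHash(ivAndCipher);
            int diff = expected.Length ^ mac.Length;
            for (int i = 0; i < expected.Length && i < mac.Length; i++) diff |= expected[i] ^ mac[i];
            if (diff != 0) throw new CryptographicException("MAC mismatch: token was altered");
        }
        using (var aes = Aes.Create())
        {
            aes.Key = aesKey;
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(ivAndCipher, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
            {
                byte[] plain = dec.TransformFinalBlock(ivAndCipher, iv.Length, ivAndCipher.Length - iv.Length);
                return BitConverter.ToInt32(plain, 0);
            }
        }
    }

    public static void Main()
    {
        // Demo keys generated per run; a real application loads them from protected configuration.
        byte[] aesKey = new byte[32], macKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(aesKey); rng.GetBytes(macKey); }

        string token = Protect(42, aesKey, macKey);
        Console.WriteLine("http://localhost:9432/Product/Edit/" + token);
        // Nothing here needs percent-encoding, so IIS never sees "%2b" or a double escape.
        Console.WriteLine("URL-safe: " + (token.IndexOfAny(new[] { '+', '/', '=', '|', '%' }) < 0));
        Console.WriteLine("Round trip: " + Unprotect(token, aesKey, macKey));

        // A modified id fails the MAC check instead of reaching the decryptor.
        char[] tampered = token.ToCharArray();
        tampered[0] = tampered[0] == 'A' ? 'B' : 'A';
        try { Unprotect(new string(tampered), aesKey, macKey); }
        catch (CryptographicException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

Because the token alphabet is limited to letters, digits, '-', '_' and '.', the route value passes IIS request filtering untouched, the controller receives exactly the string that was generated, and the HMAC check makes a guessed or edited id fail closed rather than decrypt to another product's record.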