Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

ASP MVC Url Encode double escape sequence

Tags:

c#

encode

asp.net-mvc

I want to encrypt the Id part of a given url and I used SHA-1 for that. This algorithm convert the id to the following string:

NxVhIhrfbZNzyxqtudUZdiv4DdQA9nF1Zn7CueGUiT8=|h1bCRiN5zxexiIhHp+qNEQ0jVh/8fMGiIkeTf30LVdU=

Therefore, my final url would be something like this:

http://localhost:9432/Product/Edit/NxVhIhrfbZNzyxqtudUZdiv4DdQA9nF1Zn7CueGUiT8=|h1bCRiN5zxexiIhHp+qNEQ0jVh/8fMGiIkeTf30LVdU=

This url has some character which cause the request fail. For example ‘+’ is not allowed in url. So I used HttpUtility.UrlEncode() on the encrypted Id and got this string as a result:

NxVhIhrfbZNzyxqtudUZdiv4DdQA9nF1Zn7CueGUiT8%3d%7ch1bCRiN5zxexiIhHp%2bqNEQ0jVh%2f8fMGiIkeTf30LVdU%3d

Now my url is:

http://localhost:9432/Product/Edit/NxVhIhrfbZNzyxqtudUZdiv4DdQA9nF1Zn7CueGUiT8%3d%7ch1bCRiN5zxexiIhHp%2bqNEQ0jVh%2f8fMGiIkeTf30LVdU%3d

However using the above url cause the following error:

The request contained a double escape sequence and request filtering is configured on the Web server to deny double escape sequences.

I can ignore that by inserting the below code in web.config:

<system.webServer>
   <security>
      <requestFiltering allowDoubleEscaping="true" />
   </security>
</system.webServer>

Now I have two questions:

  1. Why the result of HttpUtility.UrlEncode() causes any kind of error. As I noticed, the result of that doesn’t contain any illegal character for a url?

  2. As I understood putting <requestFiltering allowDoubleEscaping="true" /> is not a good solution, since it will create a security hole in the application, so what would be the best solution in this case?

like image 835
mohammad Avatar asked Aug 07 '17 06:08

mohammad

1 Answers

the result of HttpUtility.UrlEncode() doesn't contain errors, it is just encoding the + sign with will be detected on IIS level. IIS rejects "+" in URLs by default. Your work around will work:

<requestFiltering allowDoubleEscaping="true" />

but as you said, it will create some security problems because this makes your site more vulnerable to malicious URLs.

What i suggest, either you use another encryption algorithm that doesn't generate these "IIS" sensetive characters, or if you wanna use the above workaround, you need to implement proper URL/User-Input validations in order to make sure that you catch and prevent all suspecious entries.

like image 97
alaa_sayegh Avatar answered Oct 15 '22 23:10

alaa_sayegh
Sign in to Comment

Related questions

Converting OwinHttpRequestContext to HttpContext? (IHttpHandler and websockets)
Are extension methods for interfaces treated as lower priority than less specific ones?
The name '$exception' does not exist in the current context
Data Annotation for column width
Positioning of Axis Label in a DateTimeAxis
WPF - create ProgressBar template from PSD file
WCF Restful returning HttpResponseMessage wants to negotiate when setting content
Synaptics SDK can't find device
ODBC Connection to Excel error
Atomic AddOrUpdate for a C# Dictionary
How can I find the audio format of the selected voice of the SpeechSynthesizer
Slow application startup using ClickOnce deployment
Visual Studio error: "The debugger cannot unwind to this frame." on any exceptions
ListView Creator called but no other methods
Curious slowness of EF vs SQL
Refreshing Sql Connection Azure AD access token inside long-lived Entity Framework Context
Create UserControl in non-UI thread Silverlight 5 browser application
What is a suitable pattern for injecting loggers within dynamically-discovered .NET Core class libraries called from ASP.NET Core web apps?
COM+ activation on a remote server with partitions in C#
How can Decimal.Round() throw OverflowException

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!