Prevent query string manipulation by adding a hash?

To protect a web application from query string manipulation, I was considering adding a query string parameter to every URL which stores a SHA1 hash of all the other query string parameters & values, then validating against the hash on every request.

Does this method provide strong protection against user manipulation of query string values? Are there any other downsides/side-effects to doing this?

I am not particularly concerned about the 'ugly' URLs for this private web application. URLs will still be 'bookmarkable' as the hash will always be the same for the same query string arguments.

This is an ASP.NET application.

saille asked Dec 17 '22 07:12


1 Answer

I'm not sure this provides any sort of security. If a man-in-the-middle attacker wants to change the parameters, all they must do is change the query string and recompute the SHA-1 hash and send that request along to the server.

For example, the URL sent by the browser might be:

http://www.example.com/addUser.html?parameterA=foo&hash=SHA1("parameterA=foo")

If an attacker intercepts this, they can edit it in this way:

http://www.example.com/adduser.html?parameterA=bar&hash=SHA1("parameterA=bar")

Really, this boils down to the fact you can trust the hash only as much as the parameters themselves.

One way you could fix this would be if the user has a password that only they and the server know, then it would be impossible for the attacker to recompute the hash if they change the parameters. For example:

http://www.example.com/addUser.html?parameterA=foo&hash=SHA1("parameterA=foo"+"theuserpassword")

But don't put the password as one of the parameters in the URL :)

It is important to note that this isn't the state of the art for verifying the integrity of messages passed between two parties. What is used today is a form of the Hash-based Message Authentication Code (HMAC) algorithm, which is pretty well described in HMAC, and definitively in RFC2104 and FIPS Pub 198-1.

Jeremy Powell answered Jan 06 '23 09:01
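The two schemes the answer contrasts, as an added example that is not part of the original question or answer (written in Python; the ASP.NET application would use the same construction with its own HMAC API): the unkeyed SHA-1 check from the question, which is satisfied by any recomputed query, beside an HMAC-SHA256 check under a server-held key as the answer recommends. The key, parameter names and query format are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo key. The real key lives in server configuration and never in a URL.
SERVER_KEY = b"constructed-demo-key-replace-in-production"


def canonical(params: dict) -> str:
    """Serialise the parameters in a fixed order so reordering cannot alter the signed value."""
    return urlencode(sorted(params.items()))


def weak_query(params: dict) -> str:
    """The scheme proposed in the question: an unkeyed SHA-1 over the other parameters."""
    tag = hashlib.sha1(canonical(params).encode()).hexdigest()
    return urlencode({**params, "hash": tag})


def verify_weak(query: str) -> bool:
    """Server-side check for the unkeyed scheme. With no secret, anyone can satisfy it."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    tag = params.pop("hash", "")
    expected = hashlib.sha1(canonical(params).encode()).hexdigest()
    return hmac.compare_digest(tag.encode(), expected.encode())


def signed_query(params: dict, key: bytes = SERVER_KEY) -> str:
    """The fix from the answer: an HMAC (RFC 2104, here HMAC-SHA256) under a key only the server holds."""
    tag = hmac.new(key, canonical(params).encode(), hashlib.sha256).hexdigest()
    return urlencode({**params, "sig": tag})


def verify_hmac(query: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute the HMAC over the received parameters and compare in constant time.
    This proves the parameters were issued by the server; it does not stop a legitimately
    issued URL from being replayed, so the usual session and authorisation checks still apply."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    tag = params.pop("sig", "")
    expected = hmac.new(key, canonical(params).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag.encode(), expected.encode())


if __name__ == "__main__":
    # Unkeyed scheme: the server accepts whatever value arrives, as long as the hash matches it.
    print(verify_weak(weak_query({"parameterA": "bar"})))                   # True
    # Keyed scheme: an edited parameter, or a tag computed without the key, is rejected.
    good = signed_query({"parameterA": "foo"})
    print(verify_hmac(good))                                                 # True
    print(verify_hmac(good.replace("parameterA=foo", "parameterA=bar")))     # False
    print(verify_hmac(signed_query({"parameterA": "bar"}, key=b"guess")))    # False
```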