Geeks With Blogs

Scott Kuhl Warning: I may have no idea what I am talking about!

The new 4GuysFromRolla article deals with a web security issue that arises when users change query string parameters by hand.

With Web applications there are, possibly, an infinite number of ways that the application can be invoked. With a Web application, each Web page serves as a public interface to the Web application, and for Web pages whose functionality is based on user-supplied parameters (i.e., querystring or form-posted values) each potential input represents a unique interface.

Having a potentially unlimited number of public interfaces greatly increases the complexity and forethought required in building secure and consistent Web applications. Since URLs can easily be changed by even the most novice user, it is paramount that you do not place any state information in the querystring that you do not mind the user changing, or, if you do, you need to validate in the web page's code to ensure that the user has not modified the querystring to an unacceptable state.
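One common way to make querystring state tamper-evident is to sign the parameters with a keyed hash (HMAC) on the server and reject any request whose signature does not match. The following is an added example written for this post; it is not code from the post or from the 4GuysFromRolla article, and the base URL, the parameter names and the secret key are all constructed for illustration. It is written in Python rather than ASP.NET to show the technique itself: canonical parameter ordering so signer and verifier agree, HMAC-SHA256 over that canonical form, and a constant-time comparison when checking.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlsplit, parse_qsl

# Constructed server-side secret for this example. In a real application
# load it from protected configuration; never embed it in source control.
SECRET_KEY = b"constructed-example-key-do-not-reuse"


def _canonical_query(params: dict) -> str:
    """Serialise parameters in a fixed (sorted) order so that the signer and
    the verifier hash exactly the same bytes regardless of parameter order."""
    return urlencode(sorted(params.items()))


def sign_params(params: dict, key: bytes = SECRET_KEY) -> str:
    """Return a hex HMAC-SHA256 tag over the canonical query string."""
    msg = _canonical_query(params).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_signed_url(base: str, params: dict, key: bytes = SECRET_KEY) -> str:
    """Append the parameters plus a 'sig' field carrying their HMAC."""
    signed = dict(params)
    signed["sig"] = sign_params(params, key)
    return f"{base}?{urlencode(signed)}"


def verify_signed_url(url: str, key: bytes = SECRET_KEY):
    """Return (ok, params). ok is False when the signature is missing or does
    not match, which covers any edit to a signed parameter value."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    provided = query.pop("sig", None)
    if provided is None:
        return False, None
    expected = sign_params(query, key)
    # compare_digest runs in constant time, so an attacker cannot learn how
    # many leading characters of a guessed tag were correct.
    if not hmac.compare_digest(provided, expected):
        return False, None
    return True, query


if __name__ == "__main__":
    # Constructed example: an order page that identifies the order and user
    # through the querystring, the situation the post warns about.
    url = build_signed_url("https://example.test/order.aspx",
                           {"orderid": "42", "userid": "7"})
    print("signed URL:", url)
    print("untouched :", verify_signed_url(url))
    print("tampered  :", verify_signed_url(url.replace("orderid=42", "orderid=43")))
    print("no sig    :", verify_signed_url("https://example.test/order.aspx?orderid=42"))
```

Signing does not hide the values (the user can still read them) and does not stop a user from replaying a URL they legitimately received; it only guarantees that the values the page reads are the ones the server issued. Authorization checks on the server, such as confirming the current user owns the order, are still needed.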

Posted on Wednesday, August 31, 2005 12:27 PM ASP.NET

Comments on this post: Creating Tamper-Proof URLs


Copyright © Scott Kuhl