How to scramble URL in IIS seamlessly irrespective of the application hosted
I want that the URL displayed in the Browser should be scrambled for the user (So they cannot just change a number/string to try to get access to another record in website).
I wanted to do this URL scrambling using IIS transparently and not the hosted application.
Is there any way to do that?
I wanted to do this URL scrambling using IIS transparently and not the hosted application.
Is there any way to do that?
Dave Baldwin
Probably not. Applications normally take care of encoding/decoding their own data.
So you have a URL with a parameter like...
www.mydomain.com/display.aspx?record=123&data=abc
...and you don't want people to just plug random info into the parameters to pull up data they shouldn't see. You have a couple options:
1) Make people authenticate. That is, check to see if the user has given a valid username/password for that session, and only let them see records they're allowed to, or
2) Cypher the parameters. Perform some bit-shifting, or obfuscation so that the value in the URL does not actually represent a correlation to data in your database. It's still possible for people to guess a correct value for your parameter(s), but this greatly reduces the odds of their being successful, or being able to do anything consistent with the data they retrieve.
www.mydomain.com/display.aspx?record=123&data=abc
...and you don't want people to just plug random info into the parameters to pull up data they shouldn't see. You have a couple options:
1) Make people authenticate. That is, check to see if the user has given a valid username/password for that session, and only let them see records they're allowed to, or
2) Cypher the parameters. Perform some bit-shifting, or obfuscation so that the value in the URL does not actually represent a correlation to data in your database. It's still possible for people to guess a correct value for your parameter(s), but this greatly reduces the odds of their being successful, or being able to do anything consistent with the data they retrieve.
About the best you can do in IIS is Rewrite the URL but... the rewrite is dependent on the cs-uri-stem and cs-uri-query components of the originally requested URL. If, as in the example mentioned above, your URL is:
http://www.mydomain.com/display.aspx?record=123&data=abc
what can be done is that you rewrite the URL to remove the query string portion of the URL. Using the URL Rewrite feature of IIS, you can rewrite the URL to display as:
http://www.mydomain.com/display/123/abc/
In order to completely randomize your URLs to obfuscate query string hacking, you'll need to code a solution. There are plenty of examples available when searching.
Example: http://minimalistcoder.blogspot.de/2009/01/obfuscating-querystring-parameters.html
So, the direct answer is what has been mentioned by both Dave & Paul... not doable transparently in IIS but it must be done at the application.
Dan
http://www.mydomain.com/display.aspx?record=123&data=abc
what can be done is that you rewrite the URL to remove the query string portion of the URL. Using the URL Rewrite feature of IIS, you can rewrite the URL to display as:
http://www.mydomain.com/display/123/abc/
In order to completely randomize your URLs to obfuscate query string hacking, you'll need to code a solution. There are plenty of examples available when searching.
Example: http://minimalistcoder.blogspot.de/2009/01/obfuscating-querystring-parameters.html
So, the direct answer is what has been mentioned by both Dave & Paul... not doable transparently in IIS but it must be done at the application.
Dan
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.