Is ASP.NET Request.QueryString secure?

Guest

I can't decide what level of risk we are taking by using ASP.NET
Request.QueryString. We have a web page that will have data "posted" to
it by a partner company. The data is passed via the QueryString and taken in
by the page using Request.QueryString in the ASP.NET code behind. This page
is not going to be used by people and after the data is finished processing,
the page redirects.

The page is HTTPS. My worry is that if someone could stop the page while it
is processing, they could look at the URL to get all the data out of it. Can
anyone tell me if there is a better way to do this? i.e. another ASP.NET
code piece?

Thanks,
Kevin Rose
 
agapeton

Anything that a browser can read is theoretically fair game to a user.
You can't "hide" anything in it really as there will always be someone
who will know how to read it as well as the browser itself can. HTTPS
is for protecting against other people, not the user. Never let the
browser see anything you don't want the user to see. In fact, don't
differentiate between the browser and the user. It's just the "end
node" you are talking about.
 
James Doughty

The option I would go with would be to see if the partner company would be
willing to use a webservice you create. They could then do a post to your
webservice from their site to you and then do a redirect to the finished
processing page.
 
Guest

I can't decide what level of risk we are taking by using ASP.NET
Request.QueryString. We have a web page that will have data
"posted" to it by a partner company. The data is passed via the
QueryString and taken in by the page using Request.QueryString in the
ASP.NET code behind. This page is not going to be used by people and
after the data is finished processing, the page redirects.

The page is HTTPS. My worry is that if someone could stop the page
while it is processing, they could look at the URL to get all the data
out of it. Can anyone tell me if there is a better way to do this?
i.e. another ASP.NET code piece?


Web Services would be a better way. If web services is out of the
question, perhaps the partner site can post the information in the
background rather than using the client's browser.

So...

Client -- Send Request --> Partner --> Partner Transmits --> Your Site

This way the end user never sees the request processing.

A bit more secure, but still "hackable" (you could add an additional
layer of security by using authentication, cookies, tokens, etc).
 
Joerg Jooss

Kevin said:
I can't decide what level of risk we are taking by using ASP.NET
Request.QueryString. We have a web page that will have data
"posted" to it by a partner company. The data is passed via the
QueryString and taken in by the page using Request.QueryString in the
ASP.NET code behind. This page is not going to be used by people and
after the data is finished processing, the page redirects.

The page is HTTPS. My worry is that if someone could stop the page
while it is processing, they could look at the URL to get all the
data out of it. Can anyone tell me if there is a better way to do
this? i.e. another ASP.NET code piece?

The question is whether you can do any harm by tinkering with query
string details. If for example the query string contains actual
database keys, and simply incrementing or decrementing such values
allow one to browse your database, that *is* dangerous.

Cheers,
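
An added example, not part of the thread or any poster's code: one way to make the query string tamper-evident, in line with the "tokens" suggestion and the point about editing key values in the URL. It assumes a secret shared with the partner out of band; the `SignedQuery` class and the `sig`, `ts` and `orderId` parameter names are hypothetical.

```csharp
using System;
using System.Collections.Specialized;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class SignedQuery
{
    // Canonical form: every parameter except "sig", sorted by name, URL-escaped.
    static string Canonical(NameValueCollection q) =>
        string.Join("&", q.AllKeys
            .Where(k => k != null && k != "sig")
            .OrderBy(k => k, StringComparer.Ordinal)
            .Select(k => Uri.EscapeDataString(k) + "=" + Uri.EscapeDataString(q[k] ?? "")));
    public static string Sign(NameValueCollection q, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(Canonical(q)))).Replace("-", "");
    }
    // Compare without returning early at the first differing character.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static bool Verify(NameValueCollection q, byte[] key, DateTimeOffset now, TimeSpan maxAge)
    {
        string sig = q["sig"];
        long ts;
        if (sig == null || !long.TryParse(q["ts"], out ts)) return false;
        if (!FixedTimeEquals(sig, Sign(q, key))) return false;   // edited or unsigned parameters
        var age = now - DateTimeOffset.FromUnixTimeSeconds(ts);  // ts is trusted only after the check above
        return age.Duration() <= maxAge;                         // reject stale or replayed URLs
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key"); // placeholder, not a real secret
        var now = DateTimeOffset.UtcNow;
        var q = new NameValueCollection { { "orderId", "1041" }, { "ts", now.ToUnixTimeSeconds().ToString() } };
        q["sig"] = Sign(q, key);                                          // what the partner would append
        Console.WriteLine(Verify(q, key, now, TimeSpan.FromMinutes(5)));  // request as the partner sent it
        q["orderId"] = "1042";                                            // key value changed in the URL
        Console.WriteLine(Verify(q, key, now, TimeSpan.FromMinutes(5)));  // same sig, different parameters
    }
}
```

In a code-behind, `Request.QueryString` can be passed to `Verify` directly since it is a `NameValueCollection`. The signature makes edits detectable but does not hide the values from whoever can see the URL.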
 
