-1

I have a situation wherein I need to encrypt a query string in JS so that it becomes unreadable and decrypt it in a Generic Handler. Can you give me some links for this?

Can you suggest some other method to this?

I've seen the method applied to a lot of sites

www.somesite.com/SomeHandler.ashx?QueryStringData=ghsgysghetwRFDTVW5632

krishwader
  • I hope you’re aware that when the client should encrypt the data, he does also have the plain text. – Gumbo May 13 '12 at 15:38
  • "Unreadable" does not mean "encrypted." – Matt Ball May 13 '12 at 15:39
  • I got links saying I must use POST instead of GET, but since I'm using AJAX to call the handler and not a form to post data, I'm clueless. – krishwader May 13 '12 at 15:47
  • @krishna Why do you want it obfuscated anyway? What kind of data are you trying to pass? – Joseph May 13 '12 at 16:26
  • @Joseph - The query string passes data to the handler which is highly important. HttpWatch reveals the data which the query string sends. I want to know if this "obfuscation" will make the data look unreadable if someone tries to hack the system. – krishwader May 13 '12 at 16:32

2 Answers

1

If you need to transmit sensitive data over a potentially insecure network (such as a public WiFi access point), use HTTPS. It takes care of encrypting the data, and, more importantly, also ensures that other parts of the communication (such as JavaScript code sent from the server) are not tampered with.

If you don't use HTTPS, doing any sort of encryption in JavaScript will always be insecure, since a middle-man attacker can just modify the script sent to the browser. If you do use HTTPS, there's generally no need to do crypto in JavaScript, since the transport layer already encrypts all data sent to and from the server.

Ilmari Karonen
  • Are there any links, "how to's", etc. to make my page use HTTPS? In my case my page makes an AJAX call to a number of handlers. Will those query strings be encrypted if I make the page (from which the AJAX call originates) use HTTPS? – krishwader May 13 '12 at 17:22
  • It depends on what web server you're using, but just [searching on Google](https://www.google.com/search?q=how+to+set+up+https) might get you started. Also, once you've got basic HTTPS working, [read this](https://www.eff.org/https-everywhere/deploying-https). – Ilmari Karonen May 13 '12 at 17:28
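
An added example (not part of the original answer or thread): one way to make the AJAX call discussed in the comments above send its data in a POST body over HTTPS instead of in the query string. HTTPS encrypts the query string in transit, but URLs are still commonly recorded in server logs and browser history. The function name `buildHandlerRequest` and the field names are assumptions.

```javascript
// Added example; buildHandlerRequest and the field names are hypothetical.
// Builds the arguments for fetch() so that handler data travels in the
// request body over HTTPS and never appears in the URL.
function buildHandlerRequest(pageOrigin, handlerPath, fields) {
  const url = new URL(handlerPath, pageOrigin);

  // Without TLS, both the data and the page's own script can be read or
  // modified in transit, so refuse to build a plain-HTTP request.
  if (url.protocol !== 'https:') {
    throw new Error('refusing to send handler data over ' + url.protocol);
  }
  // Keep the call same-origin so the data only goes to the site's own handler.
  if (url.origin !== new URL(pageOrigin).origin) {
    throw new Error('handler must be on the same origin as the page');
  }
  // Reject data placed in the URL: query strings end up in logs and history.
  if (url.search !== '') {
    throw new Error('pass data in fields, not in the query string');
  }

  // URLSearchParams percent-encodes names and values for a form-style body.
  const body = new URLSearchParams();
  for (const [name, value] of Object.entries(fields)) {
    body.append(name, String(value));
  }

  return {
    url: url.href,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8' },
      body: body.toString(),
      credentials: 'same-origin',
    },
  };
}

// Browser usage (constructed sample values):
//   const { url, options } = buildHandlerRequest(location.origin,
//     '/SomeHandler.ashx', { account: 'A&B 1', amount: 25 });
//   fetch(url, options).then((res) => res.text());
```

The handler then reads the values from the posted form fields rather than from the query string.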
0

Your approach is generally insecure. You should never expose a general-purpose SQL interface via a web interface.

If you only want to execute certain SQL commands, implement them on the server side and only extract the required parameters from the URL. Everything else will result in a direct SQL injection interface to your database.

Robert