Post
Ask Question

Securing The URL Parameter/Sensitive Data Using .Net Core DataProtectorTokenProvider

Today, Web and data security has become a major concern to most of the enterprises. It is important for Web developers to build websites to secure sensitive data and not expose it to the outside world or unauthorized people. I’m sure as a developer, you may come across URLs where some parameters are passed in the URL to indentify users and other parameters values.
 
For example,
 
 
Now, the question is can we encrypt this id to some non-readable format for the outer world and use it decrypted format for internal within calling code which is finally compiled to some DLL or EXE.
 
For example,
 
 
 
This will surely help us to prevent sensitive data from being misused, let's jump to code snippets in order to understand the development approach, here we will use the inbuilt feature of .NET core DataProtectorTokenProvider. It will take care of encrypting and decrypting our private data (Query Parameter) or any other sensitive data.
 
In .NET Core, each service, middleware, class, and interface handled through dependency injection. this is why DI is used properly using scoped, singleton, transient. let's create a custom class with CustomIDataProtector.cs define the encode and decode methods which will use internally use Protect() and Unprotect() methods of IDataProtector interface.
  1. namespace DemoDecodeURLParameters.Security {  
  2.     public class CustomIDataProtection {  
  3.         private readonly IDataProtector protector;  
  4.         public CustomIDataProtection(IDataProtectionProvider dataProtectionProvider, UniqueCode uniqueCode) {  
  5.             protector = dataProtectionProvider.CreateProtector(uniqueCode.BankIdRouteValue);  
  6.         }  
  7.         public string Decode(string data) {  
  8.             return protector.Protect(data);  
  9.         }  
  10.         public string Encode(string data) {  
  11.             return protector.Unprotect(data);  
  12.         }  
  13.     }  
  14. }  
Register this class in the .NET core DI container. We also added Uniquecode it's your secret key to make additional security we need the same key for protecting and unprotect your sensitive data.
  1. public class UniqueCode {  
  2.     public readonly string BankIdRouteValue = "BankIdRouteValue";  
  3. }  
  4. public void ConfigureServices(IServiceCollection services) {  
  5.     services.AddSingleton < UniqueCode > ();  
  6.     services.AddSingleton < CustomIDataProtection > ();  
  7. }  
Let's use CustomIDataProtection this in .Net core pages
  1. public class IndexModel: PageModel {  
  2.     private readonly CustomIDataProtection protector;  
  3.     public IndexModel(CustomIDataProtection customIDataProtection) {  
  4.         protector = customIDataProtection;  
  5.     }  
  6.     public void OnGet() {  
  7.         DomainModel dm = new DomainModel();  
  8.         dm.BankId = 2020202020;  
  9.         dm.DecodeId = protector.Decode(dm.BankId.ToString());  
  10.         ViewData["BankData"] = dm;  
  11.     }  
  12. }  
Here is an .cshtml file for reference
  1. @page  
  2. @model IndexModel  
  3. @{  
  4.    ViewData["Title"] = "Home page";  
  5.    var bankData = ViewData["BankData"] as DemoDecodeURLParameters.Security.DomainModel;  
  6. }  
  7. <div class="text-center">  
  8.    <h1 class="display-4">Welcome to RTMoney BanK</h1>  
  9.       <p>Learn about <a href="https://docs.microsoft.com/aspnet/core">building Web apps with ASP.NET Core</a>.</p>  
  10.       <div class="card-footer text-center">  
  11.          <b> URL Query Parameter Decode & Encode using IDataProtectionProvider </b> <a asp-page="/Privacy"  
  12.          asp-route-id="@bankData.DecodeId" class="btn btn-primary m-1">View Page</a>  
  13.       </div>  
  14. </div>  
Let's have a look at UI page now
 
 
 
In this screen(Without Data Protection), we have given the View Page(Link Button) button once you click it will redirect to the details Privacy page and pass Id as URL query parameter, you check the same on mouse over that link button and Id is easily visible.
 
 
 
With Data Protection, as you can see now the Id got converted to some non-readable data format as seen on below,
 
 
 
Let's go ahead and click on View Page and read this non-readable format using the encode method and see the results.
 
Here is a code snippet of Privacy.cshtml.cs - as you can see, we are encoding the decoded value passed from URL,
  1. public class PrivacyModel: PageModel {  
  2.     private readonly CustomIDataProtection protector;  
  3.     public PrivacyModel(CustomIDataProtection customIDataProtection) {  
  4.         protector = customIDataProtection;  
  5.     }  
  6.     public void OnGet(string id) {  
  7.         ViewData["BDId"] = protector.Encode(id);  
  8.     }  
  9. }  
Privacy.cshtml content, here we displayed the encoded value: 2020202020
  1. @page  
  2. @model PrivacyModel  
  3. @{  
  4.    ViewData["Title"] = "Privacy Policy";  
  5. }  
  6. <h1>@ViewData["Title"]</h1>  
  7.    <p>Bank Account No @ViewData["BDId"]</p>  
  8. <p>Use this page to detail your site's privacy policy.</p>   
 
 
Conclusion
 
We can decode and encode any parameters which are being passed as part of the URL data or query string. We can utilize this DataProtectorTokenProvider in below scenarios
  • HTTP GET Verb parameters
  • URL Query string
  • Any Sensitive data like Service Password/ Account Key's / Database details
  • Connection strings etc
Please find the code reference Github.