Tamper Proof URLs :: Page A

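This page provides a link to TamperProofURLs.B.aspx, passing in three querystring parameters that cannot be tampered with, and one that can. It uses MD5 to compute a digest over a secret salt combined with the tamper-proof querystring parameter values, and sends that digest along as the signature. Note that MD5 over a concatenated secret is a dated construction; new code would normally use a keyed HMAC such as HMAC-SHA256 for this purpose.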

Click on the link below to visit TamperProofURLs.B.aspx. Once there you are invited to try to change any of the tamper-proof querystring parameter values.


Click Me to Visit TamperProofURLs.B.aspx


Source Code
<asp:HyperLink runat="server" id="lnkToB">Click Me to Visit <code>TamperProofURLs.B.aspx</code></asp:HyperLink>

<script runat="server" language="VB">

Sub Page_Load(sender as Object, e as EventArgs)
  'Build the link to page B. NonTamperProof is passed unsigned, while the
  'TP1/TP2/TP3 string is the part handed to CreateTamperProofURL for signing.
  Dim signedUrl as String = CreateTamperProofURL("TamperProofURLs.B.aspx", "NonTamperProof=1", "TP1=Scott&TP2=27&TP3=False")
  lnkToB.NavigateUrl = signedUrl
End Sub

'The secret salt: GetDigest places it before and after the signed parameter
'string, so anyone who knows this value can compute a valid digest for any
'parameter values they choose.
'NOTE(review): the value is hard-coded in the page source and displayed in this
'listing, so it is a sample only. A deployment should generate its own random
'secret and keep it out of the source (for example in protected configuration).
Private Const SecretSalt = "H3#@*ALMLLlk31q4l1ncL#@RFHF#N3fNM><#WH$O@#!FN#LNl33N#LNFl#J#Y$#IOHhnf;;3qrthl3q"

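'Builds a URL whose tamperProofParams are accompanied by a digest.
'  url                  - target page, without a querystring
'  nonTamperProofParams - "name=value&..." pairs sent unsigned (may be empty)
'  tamperProofParams    - "name=value&..." pairs covered by the digest (may be empty)
'Returns url followed by the unsigned pairs, the signed pairs and, when there
'are signed pairs, a trailing Digest parameter.
'NOTE(review): the digest is computed over the tamperProofParams string only.
'The target page name, the unsigned pairs and any notion of user or expiry are
'not covered, so a captured link stays valid and its signed string would also
'verify on any other page that uses the same secret. Include those values in
'the signed string if that matters for the application.
Function CreateTamperProofURL(url as String, nonTamperProofParams as String, tamperProofParams as String) as String
  'Treat a missing argument like an empty one instead of failing on .Length
  If nonTamperProofParams Is Nothing Then nonTamperProofParams = String.Empty
  If tamperProofParams Is Nothing Then tamperProofParams = String.Empty

  Dim hasPlain as Boolean = nonTamperProofParams.Length > 0
  Dim hasSigned as Boolean = tamperProofParams.Length > 0

  If hasPlain OrElse hasSigned Then url &= "?"

  'Unsigned pairs first, then the signed pairs
  If hasPlain Then
    url &= nonTamperProofParams
    If hasSigned Then url &= "&"
  End If

  If hasSigned Then
    url &= tamperProofParams

    'The digest is Base64 text and can contain "+" and "/". An unescaped "+" is
    'decoded as a space when the querystring is parsed, which would make a
    'valid link fail verification, so the digest is URL-encoded here.
    url &= String.Concat("&Digest=", System.Web.HttpUtility.UrlEncode(GetDigest(tamperProofParams)))
  End If

  Return url
End Function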


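'Computes the digest that accompanies tamperProofParams in the URL.
'The input is SecretSalt + tamperProofParams + SecretSalt, encoded as UTF-8,
'hashed with MD5 and returned as Base64 text with trailing "=" padding removed.
'NOTE(review): this is a one-way hash, not encryption, and MD5 over a
'concatenated secret is not a standard message authentication code. A keyed
'HMAC (System.Security.Cryptography.HMACSHA256) is the usual choice for new
'code. The algorithm is left unchanged here because the verifying page, which
'is not part of this listing, has to compute the same value; change both
'together, and have the verifier compare digests in constant time.
Function GetDigest(tamperProofParams as String) as String
  Dim input as String = String.Concat(SecretSalt, tamperProofParams, SecretSalt)

  'Converts the salted input string to the bytes that get hashed
  Dim encoder As New System.Text.UTF8Encoding

  Dim md5Hasher As New System.Security.Cryptography.MD5CryptoServiceProvider
  Dim hashedDataBytes As Byte() = Nothing

  Try
    'ComputeHash returns the 16-byte MD5 hash of the input bytes
    hashedDataBytes = md5Hasher.ComputeHash(encoder.GetBytes(input))
  Finally
    'Release the crypto provider's resources even if hashing throws
    md5Hasher.Clear()
  End Try

  'Base64-encode the hash and strip the trailing "==" padding
  Return Convert.ToBase64String(hashedDataBytes).TrimEnd("="c)
End Function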

</script>

