Encrypt & Decrypt Query String

Hello All,

May I know if there is any inbuilt method to encrypt and decrypt input parameters?
If yes, please tell me how to do it. If not, then please also tell me how we can achieve it.
Hi Pradip,

You can use the CryptoAPI component from the Forge.

Best regards,

Hi Andre,

Do you have any demo, or could you share screenshots of how to use CryptoAPI in an application?

pradip chavhan wrote:

Do you have any demo, or could you share screenshots of how to use CryptoAPI in an application?

Hi Pradip,

How long huh!

The link below has a sample OML for CryptoAES usage. You can take a look and see if this helps.

https://www.outsystems.com/forums/discussion/33213/ciphertext-length-too-short-cryptoapi/#Post116831

Hi Andre,

Thanks for your reply, I will check and let you know in case I face any problem.

Hi Pradip,

Do you want to encrypt the input parameter so that it is not shown in the URL while calling the page?

like this

Here, do you want to hide the input parameters being sent?

If yes, then set the property of the button/link from which you are calling this redirection to 'Submit'.


Thanks and Regards,

Suraj Borade


Suraj Borade wrote:

If yes, then set the property of the button/link from which you are calling this redirection to 'Submit'.



Hi Suraj,

Your suggestion works in a web screen. But in an email, the method option is not there when I add a link. What should be done there?




Hi Ananth,

@Suraj That method is not secure: if you look in the browser tools you can see the input parameters anyway.

CryptoAPI is a good solution for it. But even then you have multiple options:

  • Encrypt all the inputs. In this case it is still possible to see the number of inputs.
  • Transform all inputs into a JSON. Encrypt that JSON and send it as the input.
  • Save all inputs in a database record with a GUID associated. Send the GUID as the input.

And of course you have a lot more options to secure your data if you are creative.

Regards,

Marcelo

Ananth wrote:

Your suggestion works in a web screen. But in an email, the method option is not there when I add a link. What should be done there?


Emails are a different story; input parameters will always be vulnerable to exploits.
Even when using encryption (encryption is reversible! The attacker needs to know the algorithm, but this can be found out by looking at the encrypted string), input variables in the query (URL/GET parameters) are always vulnerable.

It is best to use a generated hash (hashing uses a one-way calculation and therefore can only be reversed by brute force, calculating possible inputs until the target hash matches, which takes much longer than decryption) in your URL.
You would create a new entity called MailHash (or whatever) which contains:
- Id (the generic primary key)
- Hash (the generated hash you wish to use)
- IsNew (the value for the IsNew variable)
- RegionId (the value for the RegionId variable)
- UsedAt (the date and time at which this hash was used)

So when sending the email, you will create a new MailHash record with a generated hash, the selected values for IsNew and RegionId, and NullDate() for UsedAt.

Then you send the email using the Hash (make sure your target screen accepts the hash as input).

In the Preparation of your target screen, you would take the input hash and look it up in the MailHash entity.
Of course, check whether UsedAt is still NullDate() (if it is not NullDate(), it means this hash was already used before!).

If everything checks out, you can assign the required screen variables with the data you receive from the MailHash record; after this you can load your screen as normal.

Don't forget to update your MailHash record with the current DateTime so it can't be used a second time, to prevent potential abuse (unless you don't really care about this as a security measure).


The last option Marcelo pointed out pretty much matches what I wrote here.
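The single-use MailHash scheme above (and Marcelo's third option, a GUID that points at a database record) worked through end to end, as an added example that is not code from the original thread or from OutSystems. It is plain Python with an in-memory SQLite table standing in for the MailHash entity, so the column names mirror the post but the code, the helper names and the sample values (RegionId 42) are assumptions. Two choices go beyond what the post describes and are marked as such in the comments: the table stores a SHA-256 digest of the token rather than the token itself, so a leaked database does not hand out working links, and the "already used?" check and the UsedAt update happen in one UPDATE so that two clicks racing each other cannot both succeed.

```python
"""Single-use link tokens for emailed screen parameters (added example, not from the thread)."""
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Mirrors the MailHash entity from the post. UsedAt IS NULL plays the role of NullDate().
# Hash holds a digest of the token rather than the token itself (hardening beyond the post).
SCHEMA = """
CREATE TABLE MailHash (
    Id        INTEGER PRIMARY KEY AUTOINCREMENT,
    Hash      TEXT    NOT NULL UNIQUE,
    IsNew     INTEGER NOT NULL,
    RegionId  INTEGER NOT NULL,
    CreatedAt TEXT    NOT NULL,
    UsedAt    TEXT
);
"""

DEFAULT_TTL = timedelta(days=7)  # assumption: emailed links also expire (not in the post)


def _now_iso() -> str:
    # Fixed-width ISO-8601 UTC so string comparison in SQL orders correctly.
    return datetime.now(timezone.utc).isoformat(timespec="microseconds")


def _digest(token: str) -> str:
    # Tokens are already 256 bits of randomness, so an unsalted SHA-256 is enough here.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def open_store() -> sqlite3.Connection:
    """Create the in-memory MailHash table (stand-in for the OutSystems entity)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def issue_token(conn: sqlite3.Connection, is_new: bool, region_id: int) -> str:
    """Store the screen parameters and return the opaque token to put in the email link."""
    token = secrets.token_urlsafe(32)  # CSPRNG, ~43 URL-safe characters, not guessable
    conn.execute(
        "INSERT INTO MailHash (Hash, IsNew, RegionId, CreatedAt, UsedAt) VALUES (?, ?, ?, ?, NULL)",
        (_digest(token), int(is_new), region_id, _now_iso()),
    )
    conn.commit()
    return token


def build_link(base_url: str, token: str) -> str:
    """The only thing the email carries is the token; IsNew/RegionId never appear in the URL."""
    return f"{base_url}?Hash={token}"


def redeem_token(conn: sqlite3.Connection, token: str,
                 ttl: timedelta = DEFAULT_TTL) -> Optional[Dict[str, object]]:
    """What the target screen's Preparation does: look up, check unused, mark used, return params.

    The check and the update are a single UPDATE ... WHERE UsedAt IS NULL, so concurrent
    requests with the same token cannot both pass (rowcount tells us who won).
    Returns None for unknown, expired or already-used tokens.
    """
    digest = _digest(token)
    cutoff = (datetime.now(timezone.utc) - ttl).isoformat(timespec="microseconds")
    cur = conn.execute(
        "UPDATE MailHash SET UsedAt = ? "
        "WHERE Hash = ? AND UsedAt IS NULL AND CreatedAt >= ?",
        (_now_iso(), digest, cutoff),
    )
    conn.commit()
    if cur.rowcount != 1:
        return None
    row = conn.execute("SELECT IsNew, RegionId FROM MailHash WHERE Hash = ?", (digest,)).fetchone()
    return {"IsNew": bool(row[0]), "RegionId": row[1]}


if __name__ == "__main__":
    store = open_store()
    tok = issue_token(store, is_new=True, region_id=42)        # sample values, constructed
    print("link:", build_link("https://example.invalid/Target", tok))
    print("first click :", redeem_token(store, tok))
    print("second click:", redeem_token(store, tok))
```

The token itself is still visible in the URL, in browser history and in Referer headers, exactly as the post warns for any GET parameter; the difference is that it carries no information about IsNew or RegionId, it cannot be forged because it is random rather than derived from the parameters, and after the first redemption it is worthless. Rotate the email's link if the user asks for a new one rather than extending the TTL.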