Encrypt/Hide Input Parameters in URL


Hi Guys,

Need your input on this. Not really sure how to do this, but is there a way to hide the Input Parameters that you supply when you call a Webscreen?

Please see Picture

regards,

Mike

You could use sessions or, if that is not preferred, use an encryption plugin extension like 'GenerateSaltedMD5Hash' from the PlatformPasswordUtils, or get one from the Forge (I vaguely remember one there called crypto something).

Hi Michael,

The component Eric is referring to is CryptoAPI.

Some of the options you have are these:

  • Encrypt all the inputs. In this case it is still possible to see the number of inputs.
  • Transform all inputs into a JSON. Encrypt that JSON and send it as input
  • Save all inputs on a database record with a guid associated. Send the guid as input

And for sure you have a lot more options to secure your data if you are creative.

Regards,

Marcelo

Marcelo and Eric,

I downloaded the CryptoAPI and I am not really sure what to supply on the input parameters on the RSA Encrypt and Decrypt.

Based on my screenshot above, one of the input parameters is LeadId. Now, in which of the two parameters of RSA_Encrypt (PublicKey Input Parameter and Plaintext Input Parameter) should I put the LeadId, and what should I supply on the other RSA_Encrypt input parameter?




Hi,


You can approach this in a couple of ways. The one proposed makes it not easy for the developer(s) to debug.

If you take a look at https://www.outsystems.com/forge/component/632/urlencryption/ it might suit your need better. It encrypts the URL, only on IIS level, which means the end-user only sees it encrypted, while the debugger works as is.

Furthermore, you do it per module/eSpace I believe and not per screen, so that makes life also easier.




Hi Michael,

You should use AES_Decrypt and AES_Encrypt with a key set by yourself to start. Or, for more advanced use, you can use the actions of the component to create keys.

You can also try J.'s suggestion. I will try it for sure.

Regards,

Marcelo

Hi J.,

Are you sure this component works? I was trying it on my personal environment (version 10) and it doesn't work. Besides that, I read the support of the component and it looks like it doesn't work since version 9. Were you able to make it work?

Regards,

Marcelo

Marcelo Ferreira wrote:

Hi J.,

Are you sure this component works? I was trying it on my personal environment (version 10) and it doesn't work. Besides that, I read the support of the component and it looks like it doesn't work since version 9. Were you able to make it work?

Regards,

Marcelo

We have it running on premise, so not sure if it works in personal environments.

I have no clue if we changed some stuff to get it to work. Will ask around.



Hi Michael,


You can also change the Method of the "Link / Button" to Submit. This will execute a "Post" as the request method and will send the data in the body of the request. Data is also encrypted since the OutSystems ViewState is encrypted.


The most secure way is using the Session but, of course, you will have to manage the session size.


Kind regards,

Miguel Sousa


Miguel,

I used the Submit (to hide the input parameter in the WEBSCREEN) before I changed it to Navigate. Not really sure, or is it just in my head, that I find the Submit method a bit slower to get to another WEBSCREEN?

best regards,

Mike


Marcelo and J,

I will consider both options. At this point in time I was just asking around if there is a way because I notice that URL can be tampered with by the User by just changing the input parameter on the screen.

Going back to the Crypto API, I am using version 10 (on premise) right now and planning to upgrade to 11 sometime in the future, and this is the first time I will implement this, if ever.


When you say use AES Encryption and 'Set the Key yourself' how do I do that?

There are 2 parameters in AES Encryption.

1. Cyperkey

2. PrivateText




Hi Michael,

AES_Encrypt has these 2 inputs:

  • Plaintext - the text you want to input
  • Key - how cypher works is you need a key that will be used to encrypt/decrypt the text. The key is any string you decide to use as key. You can read about it here https://en.wikipedia.org/wiki/Key_(cryptography)

and as output you will get Ciphertext

@Miguel Submit is not a secure option. I will be able to see the input anyway in browser tools. Besides, you run the preparation of the screen you are in again (bad for performance).

Regards,

Marcelo
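
The "transform all inputs into a JSON, encrypt it and send it as one input" option from this thread, together with the URL-tampering concern raised above, as an added example that is not part of any post and not the CryptoAPI component's code. It assumes Node.js and its built-in `crypto` module with AES-256-GCM; the screen name `LeadDetail`, the parameter `p`, the `Mode` field and all function names are hypothetical.

```javascript
// Added example: uses Node.js built-in crypto, not the OutSystems CryptoAPI actions.
const nodeCrypto = require('crypto');

// Assumption: a random 32-byte key that stays on the server and never reaches the browser.
const KEY = nodeCrypto.randomBytes(32);

function toUrlSafe(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Pack every screen input into one JSON object and seal it with AES-256-GCM.
// Token layout: 12-byte nonce | 16-byte auth tag | ciphertext.
function sealParams(params, key) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every token
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(params), 'utf8'), cipher.final()]);
  return toUrlSafe(Buffer.concat([iv, cipher.getAuthTag(), body]));
}

// Returns the original object, or null when the token was altered or the key is wrong.
function openParams(token, key) {
  try {
    const raw = Buffer.from(token, 'base64'); // Node's decoder also accepts the URL-safe alphabet
    if (raw.length < 28) return null;         // too short to hold nonce and tag
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null; // authentication failed or payload is not valid JSON
  }
}

// Test helper: change one bit of a token, as an edited URL would.
function tamper(token) {
  const raw = Buffer.from(token, 'base64');
  raw[raw.length - 1] ^= 0x01;
  return toUrlSafe(raw);
}

const sample = { LeadId: 1042, Mode: 'edit' }; // constructed sample inputs
const token = sealParams(sample, KEY);
console.log('/LeadDetail?p=' + token);         // one opaque parameter, count and names hidden
console.log(openParams(token, KEY));           // original inputs recovered on the server
console.log(openParams(tamper(token), KEY));   // altered token is rejected
```

A sealed token hides and integrity-protects the inputs, but a valid token can still be copied between users, so the receiving screen should still check that the logged-in user is allowed to open the decoded LeadId.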