Issue with sending Base64 encoded query string in aASP.Net - asp.net

I am creating a web site in .Net 3.5 , I am converting the string into Base64String to send it through querystring. The Response.Redirect works fine for smaller string. But if the original string size is 1670, the response.redirect results in error "Page can not be found".
item is the string in below code snippet.
byte[] data = Encoding.Default.GetBytes(item);
return Convert.ToBase64String(data)
Can any one please help in resolving this?

A query string shouldn't be used for long values - while it depends on the browser and web server exactly what the maximum safe length is, it's certainly not safe above about 2000 characters, and I'd be wary about relying on it above 255. The solution is to use a POST request instead, or possibly to save the data on the server and pass a key to it in the query string.

There is a limit on characters sent as a query string - it varies from browser to browser:
http://support.microsoft.com/kb/q208427/
I'd save it to a DB and retrieve it on the other end with a key.

Related

HTTP get request won't submit with a URL encoded parameter

I'm currently writing an ASP.NET Core web API that has an action with a encrypted value as a parameter.
I'm trying to test this action and the URL won't even submit in the web browser, at first I thought it could be due to the URL being too long but I've found this answer and my URL is well below the 2000 character limit. I've changed the parameter to a trivial string ("hello") and it submits fine and runs the code. I've tried in both Edge and IE11 whilst debugging my application, in Edge nothing happens at all, in IE11 I get a message saying:
Windows cannot find 'http://localhost:5000/api/...' Check the spelling and try again
In either case the code in the application doesn't execute (I've put a breakpoint on the first line of the controllers constructor which isn't being hit).
I've included an example of one of the URLs that isn't working below, as well as the code I'm using to generate the encrypted string, it uses HttpUtility.UrlEncode to convert the encrypted byte[] array to a string.
Example URL (one that doesn't work):
http://localhost:5000/api/testcontroller/doaction/%95%d6%f8%97%84K%1f%d4%40P%f0%8d%de%27%19%ed%ffAR%9c%c6%d4%b1%83%1e%9fX%ce%9b%ca%0e%d4j%d3Rlz%89%19%96%5dL%b1%16%e9V%14u%c7W%ee%89p%3f%f7%e6d%60%13%e5%ca%00%e9%a2%27%cb%d3J%94%a6%e1%b9%9c%914%06y%7e%0bn%ce%00%e5%7d%98b%85c%fa6m%7d%f7%f1%7b8%26%22%5e%1et%5e%10%0c%05%dd%deFAR%bb%93L%b9-W%e1K%82%d8%cc8%ce%e0%0c%2b%bc%19
Action:
[HttpGet("[action]/{encrypted}")]
public string DoAction(string encrypted)
{
return "Executed";
}
Generate encrypted string:
private string GenerateEncryptedString()
{
RSACryptoServiceProvider rsaProvider = new RSACryptoServiceProvider();
byte[] data = HttpUtility.UrlDecodeToBytes("AHMW9GMXQZXYL04EYBIW");
byte[] encryptedData = rsaProvider.Encrypt(data, true);
string encryptedString = HttpUtility.UrlEncode(encryptedData);
return encryptedString;
}
Not sure if I'm going wrong in my methodology for converting the encrypted data to a string but I would appreciate any feedback on how to fix this issue.
I think you should try to pass this data in the query string and not in the location (path) part of the url (some characters may be forbidden in paths as a security layer), so add a ?data= before the encoded data.
http://localhost:5000/api/testcontroller/doaction/?data=%95%d6%f8%97%84K%1f%d4%40P%f0%8d%de%27%19%ed%ffAR%9c%c6%d4%b1%83%1e%9fX%ce%9b%ca%0e%d4j%d3Rlz%89%19%96%5dL%b1%16%e9V%14u%c7W%ee%89p%3f%f7%e6d%60%13%e5%ca%00%e9%a2%27%cb%d3J%94%a6%e1%b9%9c%914%06y%7e%0bn%ce%00%e5%7d%98b%85c%fa6m%7d%f7%f1%7b8%26%22%5e%1et%5e%10%0c%05%dd%deFAR%bb%93L%b9-W%e1K%82%d8%cc8%ce%e0%0c%2b%bc%19

Querystring in C# web application

I have created web application.I am giving one of web page to client as api.Client can pass parameter to web page like below
Ex: www.domainname.com/Testpage.aspx?name=pinky&city=pune&number=xxxxxxxx
In same page Testpage.aspx,I am accessing/fetching querystring like below.
string s= Request.Querystring["name"];
I am not sure how client can call api.I mean to say from browser or code throught.Whether client use urlencode or not?
from code
www.domainname.com/Testpage.aspx?name=Server.UrlEncode("pinky")&city=Server.UrlEncode("pune")&number=Server.UrlEncode("xxxxxxxx")
will below code work ? or does i need to decode?If client did not use Encode then decode work fine?.I want user querystring value further processing and insert into table.
string s= Request.Querystring["name"];
You need not decode it. If they have entered special characters and not encoded then it will not reach your server-side code at all because it will throw a bad request error. If they have encoded at their end then it will be automatically decoded at your end.
Even If they have not encoded, Your decode will work fine.

Cookie encoding in BASE64 cannot be sent correctly to server

I use BASE64 to encode GUID value and add them to cookie. For example, an ecoded guid value is vClFwpDbWE6JPUlnlBXMWg==. When the server sends response, it will add this cookie. I check with Chrome, this value is correctly received by the browser. But when the browser sends another request, the cookie value is changed to "vClFwpDbWE6JPUlnlBXMWg" from HttpRequestMessage's cookies, why some characters are removed?
I use WebAPI2, MVC5 with IIS7.5.
ASP.NET sees the '=' character in the cookie and assumes it's a multi-value cookie (see related question Storing multiple values in cookies).
Your best bet is to store the GUID in the cookie as-is, e.g., by using Guid.ToString() to turn the GUID into a hex string and new Guid(string) to turn the hex string back into a GUID. Alternatively, if you really need to condense it down to BASE64, consider using HttpServerUtility's UrlTokenEncode and UrlTokenDecode methods. Those methods use an encoding which is very similar to BASE64 but which doesn't use characters like '+' and '=' which are treated specially by ASP.NET.

Query String Returning Different Values to that of the actual in the url

http://localhost:1079/BattleSimulator.aspx?userID=Unregistered_User&Troops=1111%1111%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0!1111%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0&Research=10%10%10%10%10%10%0!10%10%10%10%10%10%0&Sanctuary=0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0!0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0&Inventory=False%False%False%False%False%False!False%False%False%False%False%False&other=5!0&RNG=0&Dragons=-1%-1%-1%-1!-1%-1%-1%-1&BattleArts=0%0%0!0%0%0&Kaizer=2310000%1510000%0%15867000%910000%875!5011000%2810000%3158%182972948%2810000%803
^ this is the original Query Passed onto server,
But this is parsed on a very different way on the server
Ex:
http://prntscr.com/3h90fs
http://prntscr.com/3h90o2
the string returned from
Extention.QueryString("Troops")
is "111111%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0!1111%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0"
Why is this happening ? is it a bug ?
There are many chars that are reserved and can't be used in querystring. % is one of those.
You have to Encode a string to be shure that it will be properly decoded to the same string in the server.
In C# this can be done this way:
HttpContext.Current.Server.UrlEncode(destinationURL);
Why is this happening ?
Because added any(some) spaces(White Character ) between your values.
is it a bug ?
Nope. It's not a bug .
Solution.
You need use Trim() or remove Empty values by using Replace(" ","") in your query string values before send query string
See this links
Get Query String value containing spaces
Passing in a querystring with a space?
http://blogfornet.com/tag/how-to-use-space-in-url-query-string/
Request.QueryString giving me space instead of + sign

MVC3 Stripping Query String from my Parameter

I have an MVC3 Action that takes a parameter (a URL) that may have a query string in it. My action signature looks like this:
GetUrl(string url)
I expect to be able to send it urls, and it works every time unless there is a query string in the url. For example, if I navigate to:
MyController/GetUrl/www.google.com
the url parameter comes accross as "www.google.com" -Perfect. However, if I send
MyController/GetUrl/www.google.com/?id=3
the url parameter comes accross as "www.google.com/" How do I get MVC3 to give me the whole URL in that parameter? -Including the query string?
It's simple enough to just URL.Encode the passed in URL on the page but you're opening your self to some possible security problems.
I would suggest you encrypt the url then encode it then pass that as your value, the protects you from having people just passing in anything into your app.
That's because system considers id=3 as its own query string. When you construct the link in the view, you need to use #Url.Encode to convert raw url string to encoded string to be accepted as parameter of the controller.

Resources