Tamper Proof URLs :: Page B

Welcome to TamperProofURLs.B.aspx. Note that up in your address bar there are a total of five querystring inputs: NonTamperProof, TP1, TP2, TP3, and Digest.

Go ahead and tinker with the values. If something unexpected happens - for example, you get an error after tweaking just NonTamperProof, or you can successfully change TP1, TP2, and TP3 without getting an error - let me know.


Values of Querystring Parameters:
NonTamperProof - originally 1, can be changed... current value is 1
TP1 - cannot be changed, originally Scott... current value is Scott
TP2 - cannot be changed, originally 27... current value is 27
TP3 - cannot be changed, originally False... current value is False


Source Code
<script runat="server" language="VB">

'Page entry point: rebuilds the string that the Digest querystring value is
'expected to cover (TP1, TP2 and TP3, in that order) and validates it before
'the rest of the page runs. NonTamperProof is deliberately left out, so it can
'be changed freely.
'NOTE(review): the values are inserted as received, without escaping, so a
'value that itself contains "&" or "=" could make two different parameter sets
'produce the same signed string - confirm the page that generates these links
'never emits such values.
Sub Page_Load(sender as Object, e as EventArgs)
  Dim query As System.Collections.Specialized.NameValueCollection = Request.QueryString
  Dim signedParams As String = String.Format("TP1={0}&TP2={1}&TP3={2}", _
                                             query("TP1"), _
                                             query("TP2"), _
                                             query("TP3"))

  EnsureURLNotTampered(signedParams)
End Sub

'Secret value that GetDigest places before and after the protected parameters.
'Despite the name it acts as a key rather than a salt: anyone who knows it can
'compute a valid digest for any parameter values.
'NOTE(review): it is hard-coded in the page source and shown in this listing,
'so this particular value must be treated as public. A real deployment should
'use its own randomly generated value kept in protected configuration.
Private Const SecretSalt As String = "H3#@*ALMLLlk31q4l1ncL#@RFHF#N3fNM><#WH$O@#!FN#LNl33N#LNFl#J#Y$#IOHhnf;;3qrthl3q"

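'Checks that the Digest querystring value matches the digest computed over
'tamperProofParams. If the digest is missing or does not match, an error
'message is written and the response is ended; otherwise the sub returns
'normally.
'  tamperProofParams - the "name=value&..." string the digest is expected to cover
Sub EnsureURLNotTampered(tamperProofParams as String)
  'Determine what the digest SHOULD be
  Dim expectedDigest as String = GetDigest(tamperProofParams)

  Dim receivedDigest as String = Request.QueryString("Digest")
  If receivedDigest Is Nothing Then
    'No Digest parameter at all: reject instead of treating the URL as valid
    Response.Write("YOU MUST PASS IN A DIGEST!")
    Response.End()
  Else
    'Any + in the digest passed through the querystring would have been
    'converted into a space, so convert spaces back to + before comparing
    receivedDigest = receivedDigest.Replace(" ", "+")

    'Compare with an ordinal, fixed-time check. String.Compare is
    'culture-sensitive (it can ignore some characters) and returns as soon as
    'it finds a difference, which is not appropriate for an authentication value.
    If Not DigestsMatch(expectedDigest, receivedDigest) Then
      'Don't match up: the protected parameters or the digest were altered
      Response.Write("THE URL HAS BEEN TAMPERED WITH.  I PITY THE FOOL WHO TAMPERS WITH THE URL!")
      Response.End()
    End If
  End If
End Sub

'Returns True only when both digests have the same length and the same
'characters. Every position of the expected digest is always examined, so the
'time taken does not depend on where the first mismatch occurs.
Private Function DigestsMatch(expected As String, received As String) As Boolean
  'A length difference alone already makes the result non-zero
  Dim difference As Integer = expected.Length Xor received.Length
  Dim i As Integer

  For i = 0 To expected.Length - 1
    'Positions past the end of the received value compare against 0
    Dim receivedCode As Integer = 0
    If i < received.Length Then receivedCode = AscW(received.Chars(i))
    difference = difference Or (AscW(expected.Chars(i)) Xor receivedCode)
  Next

  Return difference = 0
End Function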

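'Computes the digest that protects the tamper-proof querystring parameters:
'MD5 over SecretSalt + tamperProofParams + SecretSalt (as UTF-8 bytes),
'Base-64 encoded with any trailing '=' padding removed.
'  tamperProofParams - the "name=value&..." string to protect
'  Returns the digest string that is expected in the Digest querystring value.
'NOTE(review): this is a hand-rolled keyed hash built on MD5. The standard
'construction for this purpose is an HMAC (for example
'System.Security.Cryptography.HMACSHA256). Switching changes every digest
'value, so the page that generates the links has to change at the same time.
Function GetDigest(tamperProofParams as String) as String
  Dim input as String = String.Concat(SecretSalt, tamperProofParams, SecretSalt)

  'Hash the UTF-8 bytes of the input. This is a one-way hash, not encryption.
  Dim md5Hasher As New System.Security.Cryptography.MD5CryptoServiceProvider
  Dim hashedDataBytes As Byte()
  Try
    hashedDataBytes = md5Hasher.ComputeHash(System.Text.Encoding.UTF8.GetBytes(input))
  Finally
    'Release the hash provider's resources even if hashing throws
    md5Hasher.Clear()
  End Try

  'Base-64 encode the result and strip off the ending '==', if it exists
  Return Convert.ToBase64String(hashedDataBytes).TrimEnd("=".ToCharArray())
End Function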

</script>

