Tamper Proof URLs :: Page B
TamperProofURLs.B.aspx. Note that up in your address bar there are a total of five querystring parameters:

NonTamperProof - this is a non-tamper-proofed querystring parameter. You should be able to change this value to whatever you like and have everything work normally.
TP1, TP2, and TP3 - these are the three tamper-proof querystring values. Go ahead and try to change them and revisit the page. You should see an error warning you that you have attempted to fiddle with the querystring. Shame on you!
Digest - this is the digest of the tamper-proof querystring values (along with the secret salt). If you change this value you'll also get an error regarding tampered values.

Go ahead and tinker with the values. If something unexpected happens - i.e., you get an error from tweaking just NonTamperProof, or you can successfully change one of the tamper-proof values or Digest without getting an error - let me know.

Values of Querystring Parameters:
NonTamperProof - originally 1, can be changed... current value is 1
TP1 - cannot be changed, originally Scott... current value is Scott
TP2 - cannot be changed, originally 27... current value is 27
TP3 - cannot be changed, originally False... current value is False
<script runat="server" language="VB">
  'The secret salt...
  Private Const SecretSalt As String = "H3#@*ALMLLlk31q4l1ncL#@RFHF#N3fNM><#WH$O@#!FN#LNl33N#LNFl#J#Y$#IOHhnf;;3qrthl3q"

  Sub Page_Load(sender as Object, e as EventArgs)
    'The body of Page_Load is not shown on this page; it is expected to call
    'EnsureURLNotTampered with the tamper-proof querystring values.
  End Sub

  Sub EnsureURLNotTampered(tamperProofParams as String)
    'Determine what the digest SHOULD be
    Dim expectedDigest as String = GetDigest(tamperProofParams)

    Dim receivedDigest as String = Request.QueryString("Digest")
    If receivedDigest Is Nothing Then
      'Oh my, we didn't get a Digest! Stop here so nothing below runs on Nothing.
      Response.Write("YOU MUST PASS IN A DIGEST!")
      Response.End()
    End If

    'Any + in the digest passed through the querystring would be converted into
    'spaces, so 'unconvert' them
    receivedDigest = receivedDigest.Replace(" ", "+")

    'Now, see if the received and expected digests match up (ordinal comparison,
    'so the result does not depend on the server's culture settings)
    If String.CompareOrdinal(expectedDigest, receivedDigest) <> 0 Then
      'Don't match up, egad
      Response.Write("THE URL HAS BEEN TAMPERED WITH. I PITY THE FOOL WHO TAMPERS WITH THE URL!")
      Response.End()
    End If
  End Sub

  Function GetDigest(tamperProofParams as String) as String
    Dim Digest as String = String.Empty
    Dim input as String = String.Concat(SecretSalt, tamperProofParams, SecretSalt)

    'The array of bytes that will contain the hashed value of input
    Dim hashedDataBytes As Byte()

    'The encoder class used to convert input to an array of bytes
    Dim encoder As New System.Text.UTF8Encoding

    'Create an instance of the MD5CryptoServiceProvider class
    Dim md5Hasher As New System.Security.Cryptography.MD5CryptoServiceProvider

    'Call ComputeHash, passing in the input string as an array of bytes
    'The return value is the hash (a one-way digest, not encryption), as an array of bytes
    hashedDataBytes = md5Hasher.ComputeHash(encoder.GetBytes(input))

    'Base-64 Encode the results and strip off ending '==', if it exists
    Digest = Convert.ToBase64String(hashedDataBytes).TrimEnd("=".ToCharArray())

    Return Digest
  End Function
</script>
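
A hardened variant of the digest check above, added here as an example and not the article's own code: it swaps the salted MD5 for HMAC-SHA256, length-prefixes each value so the boundaries between values are part of what is signed, emits a URL-safe tag so no "+" repair is needed, and compares tags without an early exit. The module name, function names and key are hypothetical, and the key is a constructed demo value.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module TamperProofUrlExample
    ' Constructed demo key (assumption); in practice load a random key from protected configuration.
    Private ReadOnly DemoKey As Byte() = Encoding.UTF8.GetBytes("constructed-demo-key-not-from-the-page")

    ' Length-prefix each value so ("Scott", "27") and ("Scott2", "7") produce different input bytes.
    Function Canonicalize(ParamArray values As String()) As Byte()
        Dim sb As New StringBuilder()
        For Each v As String In values
            Dim s As String = If(v, String.Empty)   ' a missing parameter is signed as empty
            sb.Append(s.Length).Append(":"c).Append(s)
        Next
        Return Encoding.UTF8.GetBytes(sb.ToString())
    End Function

    ' HMAC-SHA256 tag in URL-safe Base64 (no "+", "/" or "="), so the querystring cannot mangle it.
    Function ComputeTag(ParamArray values As String()) As String
        Using mac As New HMACSHA256(DemoKey)
            Dim tag As Byte() = mac.ComputeHash(Canonicalize(values))
            Return Convert.ToBase64String(tag).TrimEnd("="c).Replace("+"c, "-"c).Replace("/"c, "_"c)
        End Using
    End Function

    ' Compare every character instead of returning at the first mismatch.
    Function FixedTimeEquals(a As String, b As String) As Boolean
        If a Is Nothing OrElse b Is Nothing OrElse a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (AscW(a(i)) Xor AscW(b(i)))
        Next
        Return diff = 0
    End Function

    ' True only when receivedTag matches the tag recomputed from the received values.
    Function IsUntampered(receivedTag As String, ParamArray values As String()) As Boolean
        Return FixedTimeEquals(ComputeTag(values), receivedTag)
    End Function

    Sub Main()
        Dim tag As String = ComputeTag("Scott", "27", "False")               ' the page's sample values
        Console.WriteLine(IsUntampered(tag, "Scott", "27", "False"))         ' unchanged values
        Console.WriteLine(IsUntampered(tag, "Scott2", "7", "False"))         ' shifted value boundary
        Console.WriteLine(IsUntampered(Nothing, "Scott", "27", "False"))     ' missing Digest parameter
    End Sub
End Module
```
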