ASP.Net MVC, Sending Encrypted Strings In Url

Hackered
Tuesday, March 25, 2014
by Sean McAlinden

I recently had to implement a forgotten password workflow where I had to pass an encrypted token on the URL.

My first thought was to Base 64 encode the token, however...

The ASP.Net MVC endpoint was not happy about this at all.

I was receiving errors from IIS such as:

The request filtering module is configured to deny a request that contains a double escape sequence

This filtering exists to stop attacks such as path traversal, so it is there for a good reason.

To help out, the .Net framework has a great utility for dealing with this very situation. It goes a bit like this...

// HttpServerUtility is in the System.Web namespace; encryptedBytes is a byte[]
var tokenEncodedString = HttpServerUtility.UrlTokenEncode(encryptedBytes);

And to decode it on the other side... you guessed it:

var encryptedBytes = HttpServerUtility.UrlTokenDecode(tokenEncodedString);
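As an added example (not code from the original post), the console program below compares plain Base64 with UrlTokenEncode on the same bytes and wraps UrlTokenDecode so that a truncated or altered token from the URL is rejected instead of raising an unhandled exception. The helper name TryDecodeToken and the sample bytes are assumptions made for illustration; it needs a reference to System.Web on the .NET Framework.

```csharp
using System;
using System.Web; // HttpServerUtility lives in System.Web.dll (.NET Framework)

static class ResetTokenDemo
{
    // Hypothetical helper: decode a token taken from the URL without letting
    // malformed input surface as an unhandled exception (HTTP 500).
    static bool TryDecodeToken(string token, out byte[] bytes)
    {
        bytes = null;
        if (string.IsNullOrEmpty(token)) return false;
        try
        {
            // Returns null when the trailing padding-count character is not valid.
            bytes = HttpServerUtility.UrlTokenDecode(token);
        }
        catch (FormatException)
        {
            // Thrown when the body is not valid Base64 after '-' and '_' are mapped back.
            return false;
        }
        return bytes != null && bytes.Length > 0;
    }

    static void Main()
    {
        // Constructed stand-in for encryptedBytes, chosen so that plain Base64
        // contains '+', '/' and '=' characters.
        byte[] encryptedBytes = { 0xFB, 0xFF, 0xFE, 0x3E };

        string base64 = Convert.ToBase64String(encryptedBytes);
        string urlToken = HttpServerUtility.UrlTokenEncode(encryptedBytes);
        Console.WriteLine("Base64:   " + base64);
        Console.WriteLine("UrlToken: " + urlToken);

        byte[] roundTrip;
        Console.WriteLine("Round trip ok: " + (TryDecodeToken(urlToken, out roundTrip)
            && Convert.ToBase64String(roundTrip) == base64));

        // Constructed malformed tokens: both must be rejected cleanly.
        Console.WriteLine("Bad pad char accepted: " + TryDecodeToken("-__-Pg!", out roundTrip));
        Console.WriteLine("Bad body accepted:     " + TryDecodeToken("-_*-Pg2", out roundTrip));
    }
}
```

The encoding only makes the bytes URL-safe; whether the token is genuine still has to be decided by decrypting and validating the decoded bytes.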

And that's all I really have to say on the matter.