
I'm working with ASP.NET MVC4 and here is what I want to do:

I have a Web API that gets a username, a password and a serial number and returns a JSON file with the required data. But as a matter of security, passwords should not figure that clearly in the URL, so I changed its implementation into a Web API that gets an encrypted string, which will be decrypted later to extract the three fields.

The problem is, when working with a view that calls this Web API, I should encrypt the text fields entered by the user using JavaScript, right? So this encryption in JavaScript should correspond to the decryption method written in C#. Is there any existing way to do that? Or should I consider this problem differently?

  • 3
    And what will happen when the user disables JavaScript in his browser? The easiest path would be to use SSL and a POST request instead of GET (assuming you have control over the Web API). Commented Feb 15, 2013 at 8:56
  • This sounds like a bad idea, the URL is a highly visible item and no amount of encryption of credentials is going to help. If you're going down this route, why not enable HTTPS and use one of the existing HTTP authentication schemes? I believe basic digest authentication uses base64 to encode username and password, but I think that's just to ensure everything is in ASCII. Have a look at this cheatsheet for authentication: owasp.org/index.php/Authentication_Cheat_Sheet Commented Feb 15, 2013 at 9:07

1 Answer

4

Just use a secure connection (https:// ssl).

Any encryption you can do in JavaScript can be reversed, since the code used to encrypt the data is available to anyone that uses it, and can easily be reverse-engineered.


3 Comments

SSL is for sure the ultimate way for secure connections, but let's suppose that I can't afford that now. Aren't there any other alternatives that could guarantee a minimum of security?
@mahoosh: The problem is that anything you can do with JS can be undone without too much effort. At least use POST requests instead of GETs, and maybe md5 whatever data you can (compare an md5'd password with an md5 value, server-side. That way you're never transmitting the actual PW).
So if I opt for this POST option, I will have to parse the resulting JSON file and display it in an HTML page. Is there any way that allows me to return the JSON file directly, just like the GET response? (I'm sorry if my questions are not that developed, I'm still new to the Web API thing.)
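An added example (not code from the question or the answer) of the approach the answer and comments recommend: the credentials move from the query string into the body of a POST, and the controller refuses anything that did not arrive over HTTPS. It targets Web API 1 as shipped with MVC4, so it returns `HttpResponseMessage` rather than the later `IHttpActionResult`; the controller name, route and the `LoginRequest` model are assumptions, and the device lookup is a constructed placeholder.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using System.Web.Security;

// Fields arrive in the JSON body, so they do not end up in browser history,
// proxy logs or the web server's access log the way query-string values do.
public class LoginRequest          // assumed model name
{
    public string Username { get; set; }
    public string Password { get; set; }
    public string SerialNumber { get; set; }
}

// Web API 1 has no [RequireHttps] for ApiController, so this filter
// rejects any request whose URI scheme is not https.
public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            actionContext.Response = actionContext.Request.CreateResponse(
                HttpStatusCode.Forbidden, "HTTPS is required for this endpoint");
        }
    }
}

[RequireHttps]
public class DeviceDataController : ApiController   // assumed controller name
{
    // POST /api/devicedata with body {"Username":"..","Password":"..","SerialNumber":".."}
    [HttpPost]
    public HttpResponseMessage Post([FromBody] LoginRequest request)
    {
        if (request == null || string.IsNullOrEmpty(request.Username) ||
            string.IsNullOrEmpty(request.Password) || string.IsNullOrEmpty(request.SerialNumber))
            return Request.CreateResponse(HttpStatusCode.BadRequest, "Missing fields");

        // Verify against the configured ASP.NET membership provider; the password
        // never appears in a URL and is compared server-side only.
        if (!Membership.ValidateUser(request.Username, request.Password))
            return Request.CreateResponse(HttpStatusCode.Unauthorized);

        // Placeholder for the real device lookup: a constructed sample payload.
        var data = new { serialNumber = request.SerialNumber, status = "ok" };
        return Request.CreateResponse(HttpStatusCode.OK, data);   // same JSON as the old GET
    }
}
```

The browser side sends this with a JSON POST (jQuery `$.ajax` or `XMLHttpRequest`) and reads the JSON response exactly as it did for the GET, which answers the last comment above.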
