Tech Off Thread

11 posts

Pass hashed info through query string

  • Remon

    Hey all, I am passing a hashed password from one server to another physical server. I had to use the query string.
    The problem is that the hashed pass has special characters like linefeeds... How can I do such a thing?

  • Pop Catalin Sever

    One possible way would be to encode it as a base64 string using the Convert class.

  • Remon

    I am using 2005
    Can you give me a sample?

  • Pop Catalin Sever

    using System;

    class Program
    {
        static void Main(string[] args)
        {
            string toEncode = "This will be base64 encoded!";

            // Encoding.Default depends on the machine's ANSI code page.
            string encoded = Convert.ToBase64String(System.Text.Encoding.Default.GetBytes(toEncode));

            Console.WriteLine(encoded);
        }
    }


    Be sure to have the same Default Encoder where you decode the string.

  • Remon

    Thank you. I have been up to my ears in this project, I can just see binaries now.

    Thanks again.

  • dwoodard

    Unless you are using SSL, you realize that this is not secure? A hacker wouldn't need to do anything but capture the hash and that would be as good as having the password itself.

  • Harlequin

    dwoodard wrote:

    Unless you are using SSL, you realize that this is not secure? A hacker wouldn't need to do anything but capture the hash and that would be as good as having the password itself.



    Yeah, if it's a form, maybe you can do a Server.Transfer or something to send the form elements somewhere else...

  • sbc

    You can't use Server.Transfer to transfer to pages on another server AFAIK.

  • Pop Catalin Sever

    dwoodard wrote:

    Unless you are using SSL, you realize that this is not secure? A hacker wouldn't need to do anything but capture the hash and that would be as good as having the password itself.



    Well, he said "pass hashed string", not encrypted string; there should be a difference. The first is not necessarily secure.

  • dwoodard

    It doesn't matter if you are using HTTP GET or POST. If you are passing the hash on an un-encrypted channel, then the hash can be viewed and stolen.

    All that is being hidden is the plain text password. Which means that an attacker doesn't know your password, without cracking it. But if the hash is used for authentication or re-authentication then the attacker can simply pass the stolen hash around to get access.

    That is why I mentioned using SSL.

  • Maurits

    Remon wrote:
    Hey all, I am passing a hashed password from one server to another physical server. I had to use the query string.
    The problem is that the hashed pass has special characters like linefeeds... How can I do such a thing?


    What kind of hash uses special characters??

    Anyway, the usual way to do this is to URLEncode anything you put in the query string.
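
The two suggestions in this thread combined (Base64 for the raw hash bytes, then URL-encoding for the query string), as an added example that is not code from any poster. SHA-256, the host receiver.example and the parameter name h are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class HashInQueryString
{
    // Sender: raw hash bytes -> Base64 (plain ASCII) -> percent-escaped query value.
    // Base64 can emit '+', '/' and '=', which should not be left as-is in a query string.
    static string ToQueryValue(byte[] hash)
    {
        return Uri.EscapeDataString(Convert.ToBase64String(hash));
    }

    // Receiver: reverse both steps on the raw (still escaped) value.
    static byte[] FromQueryValue(string rawValue)
    {
        return Convert.FromBase64String(Uri.UnescapeDataString(rawValue));
    }

    static void Main()
    {
        // Constructed input; SHA-256 is an assumption, the thread never names the hash.
        byte[] hash;
        using (SHA256 sha = SHA256.Create())
            hash = sha.ComputeHash(Encoding.UTF8.GetBytes("constructed sample input"));

        // receiver.example and the parameter name "h" are hypothetical.
        string url = "https://receiver.example/check?h=" + ToQueryValue(hash);
        Console.WriteLine(url);

        string rawValue = url.Substring(url.IndexOf("?h=") + 3);
        byte[] received = FromQueryValue(rawValue);
        Console.WriteLine("round trip ok: " +
            (Convert.ToBase64String(received) == Convert.ToBase64String(hash)));

        // Constructed bytes (including a linefeed, 0x0A) whose Base64 is "+/+/CgA=".
        byte[] awkward = { 0xFB, 0xFF, 0xBF, 0x0A, 0x00 };
        string unescaped = Convert.ToBase64String(awkward);
        // Form-style query parsing turns an unescaped '+' into a space.
        string asParsed = unescaped.Replace('+', ' ');
        Console.WriteLine("sent:     [" + unescaped + "]");
        Console.WriteLine("parsed:   [" + asParsed + "]");
        Console.WriteLine("escaped:  [" + ToQueryValue(awkward) + "]");
    }
}
```

Encoding only makes the bytes survive the URL; as dwoodard points out above, the value is still readable and replayable unless the channel is encrypted.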
