To create dynamic charts and graphs in ASP.Net, I have placed the (GDI+) code for each chart in separate page files – so the output from running a chart page by itself is to just display the chart onscreen.

The chart page contains the code to get the relevant data from SQL Server, as well as the chart generation code. The generated chart object is then saved to Response.OutputStream.

A content page where I want to display the chart provides various parameters to determine what data will be used to generate the chart (such as userID, project ID, selection from dropdown lists etc.). To display the chart as part of a content page, I then place an image object in the page, collect the various chart parameters, and in code behind set the URL of the image object to be the chart page, plus all the chart parameters added to the query string.

This works fine, except for one thing: when I right click on the chart image as it appears in the content page in the browser, I get an option to “open image”, which displays a page with the chart all by itself (perhaps not surprising as it is generated with a chart page). However, the problem is that in this chart page, the full URL with the querystring is visible, which means that a user could change the values in the query string, and thereby generate a new chart. This is a big problem, as it might enable a user to generate a chart for data they should not have access to.

Is there a way to avoid this problem whilst still using this “chart page” approach to generating and displaying dynamic charts? Alternatively, should I rather save the dynamically generated images as files, either on disk or as SQL Server Filestream objects for example, and then reference these in the page?

By the way, I am aware of the various ASP.Net chart controls that are available. However, the charts I need to generate are highly customised to a very specialised application, so those controls will unfortunately not work in this instance.

A: 

I have the same concern for one of my previous projects. One cheap but not 100% fool-proof solution is to insert a http-referer check before you process the image. Images loaded from within your page will have the referrer URL of your domain, those entered directly via the browser won't have.

Of course it's very easy to hack by faking referrer url, still it is some form of deterrent. Will be glad if others can offer their solutions.

Another way is to add some sort of checksum params into your querystring. Only you know how to 'decrypt' and only generate image when the checksum is 'correct'.

o.k.w
Great - many thanks! These suggestions provide me with a definite improvement over my current situation.
Proposition Joe
Great, maybe you can share your implementation once you got it done. :)
o.k.w
A: 

First of all, I assume that your users are authenticated (logged in) to your website, so you know who they are and what data/charts they are supposed to have access to?

You need to check the incoming parameters in your image-generating code to see if the current user has access to the data he asks for. Typically you would query your user/privilege tables for this (or call the Membership API or whatever).

Trying to hide the URL (for example by doing a POST instead of a GET to the image-generating page) is just "security by obscurity", which is not a good idea.

By the way, your problem is called "URL tampering", a Google search for this should get you in the right direction.

ObiWanKenobi
Yes, the users are authenticated, so I can indeed add a permissions check to the SQL procedure that delivers the data for the chart. Also, this approach sounds like it would conform to the "Fat Database" paradigm that I have heard great things about (such as the one outlined here: http://ora-00001.blogspot.com/2009/06/fat-database-or-thick-database-approach.html). As for the URL, I suppose I just need to provide a suitable error message for situations when users try to tamper with it.
Proposition Joe
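
The "checksum" idea from the first answer, as an added example (not code from either poster): an HMAC-SHA256 over the chart parameters and the authenticated user name, so that an edited or borrowed URL fails verification. `ChartUrlSigner`, the parameter names and the sample values are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: ChartUrlSigner and its members are hypothetical names.
public static class ChartUrlSigner
{
    // MAC over a canonical string: authenticated user first, then parameters
    // sorted by name, every token escaped so '&' or '=' inside a value
    // cannot be used to forge a different parameter set.
    private static byte[] Mac(byte[] key, string user, IDictionary<string, string> query)
    {
        var parts = query.OrderBy(kv => kv.Key, StringComparer.Ordinal)
            .Select(kv => Uri.EscapeDataString(kv.Key) + "=" + Uri.EscapeDataString(kv.Value));
        string canonical = Uri.EscapeDataString(user) + "&" + string.Join("&", parts);
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical));
    }
    // Content page: append the result to the image URL as an extra parameter.
    public static string Sign(byte[] key, string user, IDictionary<string, string> query)
    {
        return Convert.ToBase64String(Mac(key, user, query))
            .Replace('+', '-').Replace('/', '_').TrimEnd('=');
    }
    // Chart page: call before touching the database. 'user' must come from the
    // authenticated session (e.g. User.Identity.Name), never from the query string.
    public static bool Verify(byte[] key, string user, IDictionary<string, string> query, string sig)
    {
        if (string.IsNullOrEmpty(sig)) return false;
        byte[] expected = Encoding.UTF8.GetBytes(Sign(key, user, query));
        byte[] supplied = Encoding.UTF8.GetBytes(sig);
        int diff = expected.Length ^ supplied.Length;
        for (int i = 0; i < expected.Length && i < supplied.Length; i++)
            diff |= expected[i] ^ supplied[i];   // no early exit on first mismatch
        return diff == 0;
    }
    public static void Main()
    {
        byte[] key = new byte[32];               // server-side secret, random per run here
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        var query = new Dictionary<string, string> { { "projectId", "17" }, { "period", "Q4" } };
        string sig = Sign(key, "joe", query);    // constructed sample user and parameters
        Console.WriteLine("unmodified URL:    " + Verify(key, "joe", query, sig));
        Console.WriteLine("other user's URL:  " + Verify(key, "alice", query, sig));
        query["projectId"] = "18";
        Console.WriteLine("edited projectId:  " + Verify(key, "joe", query, sig));
    }
}
```

A valid signature only shows that the content page issued this exact URL to this user; the permission check on the requested data, as described in the second answer, is still what decides whether the chart may be drawn.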