Note: This guide describes Kentico CMS version 7. It is not maintained for version 8 and later; refer to the latest documentation for those versions.


Query strings in URLs are useful and important in many ways, for example for passing values between pages or for selecting the data to retrieve from the database. In some cases though, an unauthorized user could obtain sensitive data or damage the system by submitting a URL with tampered query string parameters.

To prevent tampering with the query string parameters, the system appends the result of a hash function to the end of each such URL. Such a URL can look like this:

http://localhost/Kentico70/CMSAdminControls/UI/UniSelector/SelectionDialog.aspx?SelectionMode=Multiple&hidElem=m_c_u_content_su_s_hiddenField&params=891991d5-2e75-45f6-afbd-7247d1d13a44&clientId=m_c_u_content_su_s&localize=1&hash=d41aa76091347291c3bc772aaa5dfd90751110e43c0543c6d580da4ca8de3b37

The hash parameter at the end of the query string is the value the system adds. If an attacker modifies any of the other parameters and submits the URL, the system rejects it, because the hash recomputed from the modified parameters no longer matches the hash carried in the URL.

The hash is calculated from the query string parameters using SHA-2 (the 64 hexadecimal characters in the example above correspond to a 256-bit digest). Hashing is used in various parts of the system:

  • Dialog boxes
  • Macro signatures
  • In the links for downloading files (e.g., getamazonfile.aspx, getazurefile.aspx or, in some cases, getfile.aspx) – so that users can download only the file specified in the original URL and nothing else.

Salt

Protecting the query string parameters with a plain hash would not be enough: the hash function is public, so an attacker could modify the parameters and compute a matching hash. For this reason, the system appends a secret salt to the parameters before hashing them.

Hash calculation:

URL parameters + salt -> hashed using SHA-2 -> the resulting hash is appended to the original URL.

The salt is a secret string that users have no access to. In Kentico, the default salt is the connection string stored in the web.config file. You can, however, configure your own salt using the CMSHashStringSalt key in the web.config file (for example a randomly generated GUID). A dedicated salt is preferable: it keeps the hashes independent of the connection string, so changing the database credentials or server does not invalidate stored links, and it does not reuse the database credentials for a second purpose:

<add key="CMSHashStringSalt" value="e68b9ad6-a461-4707-8e3e-ece73f03dd02" />

If you have already stored persistent information (links for downloading files, image links, macros) in the system and you change the salt, the stored hashes no longer match and these links may stop working. You will have to re-save the content so that the hashes are recomputed with the new salt.

User specific hash

Sometimes it is useful to add user-specific information to the hash. The user's session ID is used for this purpose, or the user's IP address if there is no session ID. If an attacker manages to eavesdrop a URL and tries to replay it to obtain sensitive data, the attempt fails, because the attacker's session ID (or IP address) does not match the one the hash was computed with. Note that the IP address fallback is weaker than the session ID: users behind the same proxy or NAT gateway share an address and would all pass the check.

The user specific hash is used mainly for non-persistent information, such as displaying dialog boxes. You can enable it using the userSpecific parameter of the ValidationHelper.GetHashString() method.

Note that if you save content with a user specific hash, users other than the one who saved it will not be able to use it, and even that user loses access once the session ID changes, because the hash stops matching.

Custom salt

You can also add a custom string to the hash. This string acts as a salt that is unique to a specific context (a given control, page, etc.). Without it, a hash generated for one dialog box is also valid in a different dialog box called with the same parameters, so an attacker could take a hash obtained legitimately from one dialog and reuse it in another. To prevent this cross-context reuse, use a custom salt.

You can specify the custom salt using the customSalt parameter of the ValidationHelper.GetHashString() method or in a class attribute.
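The following model of the scheme described in the Salt, User specific hash and Custom salt sections above is an added example; it is not Kentico's code and does not call the Kentico API. It signs a URL with a SHA-256 hash over the query string parameters plus a secret salt, validates it, and shows that a tampered parameter, a URL replayed from another session, and a hash reused in a different dialog are all rejected. The concatenation order, the "|" separator, the parameter exclusion mechanism and the way the session ID is supplied are assumptions of this model; the GUID is the page's example CMSHashStringSalt value, reused here as a constructed secret.

```python
"""Model of salted query-string hashing: sign a URL, validate it, and show
how tampering, cross-session replay and cross-dialog reuse are rejected."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Stand-in for the CMSHashStringSalt value from web.config (the page's example
# GUID, reused here as a constructed secret; never derive it from public data).
HASH_STRING_SALT = "e68b9ad6-a461-4707-8e3e-ece73f03dd02"


def hash_string(value, salt=HASH_STRING_SALT, user_specific=None, custom_salt=None):
    """SHA-256 over the value, the secret salt and the optional extras.

    The concatenation order and the "|" separator are assumptions of this
    model; the page does not document Kentico's exact canonical form.
    """
    material = value + "|" + salt
    if user_specific is not None:
        # Session ID, or the client IP address when there is no session.
        material += "|" + user_specific
    if custom_salt is not None:
        # Context-specific salt (one per dialog, control or page).
        material += "|" + custom_salt
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def _signed_params(query, excluded):
    """Parameters that take part in the hash, in the order they appear.

    Reordering the parameters therefore changes the hash and is rejected."""
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k != "hash" and k not in excluded]


def sign_url(url, excluded=(), **hash_args):
    """Append hash=<digest> computed over the URL's other query parameters.

    Excluded parameters stay in the URL but are left out of the hash."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != "hash"]
    digest = hash_string(urlencode(_signed_params(parts.query, excluded)), **hash_args)
    return urlunsplit(parts._replace(query=urlencode(kept + [("hash", digest)])))


def validate_url(url, excluded=(), **hash_args):
    """Recompute the digest from the query string and compare it in constant time.

    A URL with no hash parameter, or with more than one, is rejected."""
    parts = urlsplit(url)
    presented = [v for k, v in parse_qsl(parts.query, keep_blank_values=True)
                 if k == "hash"]
    if len(presented) != 1:
        return False
    expected = hash_string(urlencode(_signed_params(parts.query, excluded)), **hash_args)
    return hmac.compare_digest(presented[0], expected)


# Constructed sample URL (shortened form of the page's dialog URL).
DIALOG = ("http://localhost/Kentico70/CMSAdminControls/UI/UniSelector/"
          "SelectionDialog.aspx?SelectionMode=Multiple&localize=1")


def demo():
    """Exercise each protection; returns a name -> accepted/rejected map."""
    results = {}

    signed = sign_url(DIALOG)
    results["genuine"] = validate_url(signed)
    results["no_hash"] = validate_url(DIALOG)
    results["tampered"] = validate_url(
        signed.replace("SelectionMode=Multiple", "SelectionMode=Single"))

    # An excluded parameter may change freely, but only if it was excluded
    # when the hash was generated as well as when it is validated.
    signed_ex = sign_url(DIALOG, excluded=("localize",))
    results["excluded_changed"] = validate_url(
        signed_ex.replace("localize=1", "localize=0"), excluded=("localize",))

    # User specific hash: issued in session A, replayed from session B. The
    # validator takes the session ID from the current request, never from the URL.
    per_user = sign_url(DIALOG, user_specific="session-A")
    results["same_session"] = validate_url(per_user, user_specific="session-A")
    results["replayed_session"] = validate_url(per_user, user_specific="session-B")

    # Custom salt: hash generated by one dialog, presented to another dialog
    # that is called with identical parameters.
    dialog_a = sign_url(DIALOG, custom_salt="SelectionDialog")
    results["same_dialog"] = validate_url(dialog_a, custom_salt="SelectionDialog")
    results["cross_dialog"] = validate_url(dialog_a, custom_salt="AnotherDialog")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>17}: {'accepted' if ok else 'rejected'}")
```

Two details matter when you build the same thing in a real page: the validator must obtain the session ID (or IP address) and the custom salt from the server side, never from the request, and the comparison of the presented and expected digests should be constant-time so that a wrong hash cannot be distinguished by timing.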

Custom hash validations

We recommend that you also use the hashing features in your custom dialog boxes. The following methods are available:

Hash calculation:

  • ValidationHelper.GetHashString() - this method computes the SHA-2 hash from the query string parameters, the hash salt and other values which you can specify using its parameters:
    • userSpecific - a Boolean parameter which indicates whether the system adds user specific information (session ID or IP address) to the value being hashed.
    • customSalt - a custom string which is added to the value being hashed; the same value must be passed when the hash is validated.

Hash validation:

  • QueryHelper.ValidateHash() - this method works directly with the query string of the current request and can exclude individual parameters from the validation (parameters excluded here must also have been excluded when the hash was generated).
  • ValidationHelper.ValidateHash() - this method is more general, validates a hash against an arbitrary string value, and can be used in macro signatures.

You can validate hashes on pages individually. Run the check before any query string parameter is read, so that a tampered value is never acted upon:

// Recompute the hash from the current request's query string and compare it
// with the "hash" parameter. Any other parameter being modified makes this fail.
if (!QueryHelper.ValidateHash("hash"))
{
    // Do not continue processing; send the user to the standard error page
    // with a localized title and message.
    URLHelper.Redirect(ResolveUrl("~/CMSMessages/Error.aspx?title=" + ResHelper.GetString("imageeditor.badhashtitle") + "&text=" + ResHelper.GetString("imageeditor.badhashtext")));
}