DNN Community Blog


New Store Encryption Helper class - Part 1

Two months ago, while the Store module was in the release tracker, Brandon Haynes from the Core Team conducted a security review. Brandon is well aware of security risks, PCI compliance and CWE rules. His helpful advice revealed some possible security holes. Thanks again, Brandon, for your hard work!

One piece of his advice concerned cookie encryption. Currently only the order ID and the cart ID are stored in a session cookie. This is not a real security breach, but it violates some CWE rules: an attacker can forge a cookie and try to access someone else's cart contents. The cart ID is a GUID generated by the .Net framework when a visitor adds the first product to his cart. Even if it is difficult to discover a valid cart ID, it is more secure to encrypt it. As for the order number, no one (except Admin) can access orders of someone else; but exposing this value could be a limitation if a PCI security audit is conducted.

First I looked at the PortalSecurity class from the DotNetNuke.Security namespace; two methods let you manage encryption, Encrypt(string strKey, string strData) and Decrypt(string strKey, string strData). The main drawback of these methods is the encryption algorithm used. Many applications, including DotNetNuke, use the DES algorithm to encrypt sensitive data, while it is well known that this algorithm can be easily broken. This is not really a problem for most web sites, but again it could be a limitation in case of a PCI security audit.

The .Net framework provides several classes to manage encryption needs. They are of three kinds: hash, symmetric and asymmetric. The Store encryption helper class covers only symmetric algorithms. Given that the store module requires strong encryption, I wrote a class to facilitate the use of these algorithms. Using an encryption algorithm is never really easy and requires a general understanding of how it works, because misusing such an algorithm may expose you to security holes while you expect to be protected by encryption.
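To make the cookie concern concrete, here is an added example (my illustration, not the Store module's SymmetricHelper class) that protects a cart ID with one of the .Net symmetric algorithms, AES, and authenticates the result with an HMAC so that a forged or altered cookie is rejected instead of being decrypted. The class name CookieCipher, the two-key layout and the token format are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example (not the Store module's SymmetricHelper): AES-CBC with a fresh
// random IV per value, plus an HMAC-SHA256 tag over IV||ciphertext so a forged
// or altered cookie is rejected before decryption. Assumes a 32-byte AES key and
// a separate 32-byte HMAC key, generated with RNGCryptoServiceProvider and kept
// server-side; the token layout is IV (16) || ciphertext || tag (32).
public static class CookieCipher
{
    const int IvLen = 16, TagLen = 32;
    public static string Protect(byte[] aesKey, byte[] macKey, string plaintext)
    {
        byte[] iv, cipher, data = Encoding.UTF8.GetBytes(plaintext);
        using (Aes aes = Aes.Create())          // defaults: CBC mode, PKCS7 padding
        {
            aes.Key = aesKey;
            aes.GenerateIV();                   // never reuse an IV under one key
            iv = aes.IV;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(data, 0, data.Length);
        }
        byte[] token = new byte[IvLen + cipher.Length + TagLen];
        Buffer.BlockCopy(iv, 0, token, 0, IvLen);
        Buffer.BlockCopy(cipher, 0, token, IvLen, cipher.Length);
        using (HMACSHA256 hmac = new HMACSHA256(macKey))   // tag covers IV + ct
            Buffer.BlockCopy(hmac.ComputeHash(token, 0, IvLen + cipher.Length),
                             0, token, IvLen + cipher.Length, TagLen);
        return Convert.ToBase64String(token);
    }
    // Returns null (caller treats it as "no cart") for a malformed or forged token.
    public static string Unprotect(byte[] aesKey, byte[] macKey, string token)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(token); } catch (FormatException) { return null; }
        int bodyLen = raw.Length - TagLen;
        if (bodyLen < IvLen + 16 || bodyLen % 16 != 0) return null;
        byte[] expected;
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(raw, 0, bodyLen);
        int diff = 0;                           // constant-time tag comparison
        for (int i = 0; i < TagLen; i++) diff |= raw[bodyLen + i] ^ expected[i];
        if (diff != 0) return null;             // verify before decrypting
        byte[] iv = new byte[IvLen];
        Buffer.BlockCopy(raw, 0, iv, 0, IvLen);
        using (Aes aes = Aes.Create())
        using (ICryptoTransform dec = aes.CreateDecryptor(aesKey, iv))
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(raw, IvLen, bodyLen - IvLen));
    }
}
```

A cart ID stored this way can be written as `CookieCipher.Protect(aesKey, macKey, cartId.ToString())` and read back with `Unprotect`; a null result means the cookie was not issued by this server and the visitor simply gets a new cart.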

In the next part we will see how symmetric algorithms work and what the requirements are to use them. If you can't wait, download the class from the SVN repository at Codeplex. The SymmetricHelper class is full of comments, read them!
