Catch the Security Flaw #3
Quite a few web applications encrypt query string values. This is generally done as an added measure to prevent unauthorized access. Since the end user cannot chose a value and then encrypt it, changing parameters becomes difficult. But encryption is not a panacea. See if you can spot this bug.
The code behind file looks like this:-
Implementation for the Encrypt and Decrypt methods is not shown. They are using the DES algorithm. There is no flaw in the usage or key management.
The end user can upload files and the screen look like this:-
On clicking Upload, the file gets uploaded and a message is shown. Note the query string values. The HTML source is also shown.
Do you think the code or design is flawed in any way? Can this be exploited?