=== How to fix it in ASP.NET

The following code is vulnerable to open redirection because it builds the redirect target from user-controllable data and then redirects the user to it without validating it first.

An attacker can leverage this to manipulate users into performing unwanted redirects.

[cols="a"]
|===
h| Non-compliant code example

[source,csharp]
----
using System.Web;
using System.Web.Mvc;

public class HelloController : Controller
{
    [HttpGet]
    public void Hello(string url)
    {
        // The target comes straight from the request and is never validated.
        Response.Redirect(url);
    }
}
----

h| Compliant solution

[source,csharp]
----
using System.Linq; // Contains() on an array is a LINQ extension method
using System.Web;
using System.Web.Mvc;

public class HelloController : Controller
{
    private readonly string[] allowedUrls = { "/", "/login", "/logout" };

    [HttpGet]
    public void Hello(string url)
    {
        // Only redirect to one of the known, fixed destinations.
        if (allowedUrls.Contains(url))
        {
            Response.Redirect(url);
        }
    }
}
----
|===

=== How does this work?

If the application strictly requires redirecting based on user-controllable data, this can be done using one of the following alternatives:

1. Using an allow-list approach, in case the destination URLs are limited;
2. Adding a customized page to which users are redirected, warning about the imminent action and requiring manual authorization to proceed.
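The following controller, added here as an example and not part of the rule page's own code, combines both alternatives: an exact-match allow-list, a fallback check that accepts only same-site paths (rejecting absolute URLs, protocol-relative `//host` and `/\host` forms and CRLF characters), and a confirmation page for anything else. It assumes ASP.NET MVC 5 (`System.Web.Mvc`); the `RedirectTarget.IsSafeLocalPath` helper and the `ConfirmRedirect` view name are hypothetical.

```csharp
using System;
using System.Linq;
using System.Web.Mvc;

// Hypothetical helper (added example): classifies a redirect target.
public static class RedirectTarget
{
    // True only for a same-site path such as "/account/settings".
    // Absolute URLs, "//host" and "/\host" are rejected because browsers
    // resolve them to another host; control characters are rejected so a
    // CRLF can never end up in the Location header.
    public static bool IsSafeLocalPath(string url)
    {
        if (string.IsNullOrWhiteSpace(url)) return false;
        if (url.Contains("://") || url.IndexOf('\\') >= 0) return false;
        if (!url.StartsWith("/", StringComparison.Ordinal)) return false;
        if (url.Length > 1 && url[1] == '/') return false;
        return !url.Any(c => char.IsControl(c));
    }
}

public class HelloController : Controller
{
    private static readonly string[] allowedUrls = { "/", "/login", "/logout" };

    [HttpGet]
    public ActionResult Hello(string url)
    {
        // 1. Allow-list: exact match against the known destinations.
        if (allowedUrls.Contains(url))
        {
            return Redirect(url);
        }

        // Other same-site paths are still acceptable. Url.IsLocalUrl is the
        // framework's own check; the helper adds the stricter path rules.
        if (RedirectTarget.IsSafeLocalPath(url) && Url.IsLocalUrl(url))
        {
            return Redirect(url);
        }

        // 2. Anything else (typically an external host) is never followed
        //    automatically: show a confirmation page and let the user decide.
        //    Razor HTML-encodes ViewBag values, so the target is displayed safely.
        ViewBag.Target = url;
        return View("ConfirmRedirect"); // hypothetical view name
    }
}
```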