Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
854 views
in Technique[技术] by (71.8m points)

asp.net - How to prevent open redirection attacks?

what is the best approach to prevent open redirection attacks.Currently i am developing asp.net website.I want to make sure not to redirect the users to external links up on successful login?

Edit: Is it possible implement the solution without changing the existing code?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

I'm assuming you're using the login control. You should hook-up a check that the ReturnUrl parameter is a local url (and not one pointing to a different domain). The loggedin event would be a good place to do something like this:

void OnLoggedIn(object sender, EventArgs e)
{
    string returnto = Request.QueryString["ReturnUrl"];
    if (returnto != "" and isLocalUrl(returnto)) Response.Redirect(returnto);
}

where you can use the definition of IsLocalUrl given here

private bool IsLocalUrl(string url)
{
    if (string.IsNullOrEmpty(url))
    {
        return false;
    }

    Uri absoluteUri;
    if (Uri.TryCreate(url, UriKind.Absolute, out absoluteUri))
    {
        return String.Equals(this.Request.Url.Host, absoluteUri.Host, 
                    StringComparison.OrdinalIgnoreCase);
    }
    else
    {
        bool isLocal = !url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)
            && !url.StartsWith("https:", StringComparison.OrdinalIgnoreCase)
            && Uri.IsWellFormedUriString(url, UriKind.Relative);
        return isLocal;
    }
}

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...