How to prevent open redirect attacks in asp.net core
Application Vulnerable to Open Redirect Attacks
Your application is vulnerable to open redirect attacks if the following 2 conditions are both true:
Your application redirects to a URL that is supplied in the request, for example in the querystring or in form data.
The redirection is performed without checking whether that URL is a local URL.
What is Open Redirect Vulnerability
Most web applications redirect users to a login page when they access resources that require authentication. For example, to see the list of all orders, you must already be logged in. If you are not logged in and try to see the list of orders, by navigating to you will be redirected to the login page.
The redirection includes a returnUrl querystring parameter so that the user can be returned to the originally requested URL after they have successfully logged in.
A malicious user can use this returnUrl querystring parameter to initiate an open redirect attack.
Open Redirect Vulnerability Example
The user of your application is tricked into clicking a link in an email where the returnUrl is set to the attacker's website.
(the returnUrl is "exampie.com": instead of an "l" there is an "i")
The user logs in successfully on the authentic site and is then redirected to the attacker's website (
The login page of the attacker's website looks exactly like the authentic site.
The user logs in again on the attacker's website, thinking that the first login attempt was unsuccessful.
The user is then redirected back to the authentic site.
During this entire process, the user does not even know that his credentials have been stolen.
Prevent open redirect attacks in ASP.NET Core
We have an open redirect vulnerability because the URL is supplied to the application from the querystring, and we simply redirect to that URL without any validation. That missing validation is what makes our application vulnerable to open redirect attacks.
To prevent open redirect attacks, check that the provided URL is a local URL, or only redirect to known, trusted websites.
ASP.NET Core has built-in support for local redirection. Simply use the LocalRedirect() method. If a non-local URL is specified, an exception is thrown.
public IActionResult Login(string returnUrl)
{
    // Throws InvalidOperationException if returnUrl is not a local URL
    return LocalRedirect(returnUrl);
}
To check whether the provided URL is a local URL, use the IsLocalUrl() method.
public IActionResult Login(string returnUrl)
{
    // Only follow returnUrl when it points back into this application
    if (Url.IsLocalUrl(returnUrl))
    {
        return Redirect(returnUrl);
    }
    else
    {
        // Non-local URL: fall back to a known page instead of the supplied one
        return RedirectToAction("index", "home");
    }
}
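The same check combined with a fallback and a log entry, as an added example that is not code from the original article; it assumes an AccountController with an ILogger injected through the constructor, and the ValidateReturnUrl helper name is my own.

```csharp
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// Added example: a login action that only follows returnUrl when it is local
// and records every rejected value so attempts to abuse the parameter are
// visible in the application logs.
public class AccountController : Controller
{
    private readonly ILogger<AccountController> _logger;

    public AccountController(ILogger<AccountController> logger)
    {
        _logger = logger;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Login(string returnUrl)
    {
        // Sign-in is assumed to have succeeded before this point.
        return ValidateReturnUrl(returnUrl);
    }

    // Hypothetical helper: redirect to returnUrl only if it is local,
    // otherwise log the rejected value and send the user to the home page.
    private IActionResult ValidateReturnUrl(string returnUrl)
    {
        // Url.IsLocalUrl accepts paths such as "/Orders" or "~/Orders" and
        // rejects absolute URLs such as "https://exampie.com/login" as well as
        // protocol-relative forms such as "//exampie.com".
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }

        _logger.LogWarning("Rejected non-local returnUrl: {ReturnUrl}", returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```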