What Is an Open Redirection Vulnerability & How to Prevent it in asp.net co?

Open Redirection
An Open Redirection is when a web application or server uses a user-submitted link to redirect the user to a given website or page.

How I identify is my application vulnerable or not?

1. If your application redirects to URL which is directly given by user that’s specified via the request such as query string or form data.
2. The redirection is performed without checking if the URL is a local URL.

Open Redirection Vulnerability.png

Below is the code for that

Code:

[HttpPost]
        [AllowAnonymous]
        public async Task<IActionResult> Login(LoginViewModel model,string returnUrl)
        {
            if (ModelState.IsValid)
            {
                var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, true, false);
                if (result.Succeeded)
                {
                    if(!string.IsNullOrEmpty(returnUrl))
                    return Redirect(returnUrl);
                    else
                    {
                        return RedirectToAction("List", "Home");
                    }
                    //return RedirectToAction("List", "Home");
                }

                ModelState.AddModelError("", "Invalid Login");           
            }
            return View();
        }

In this code we pass this URL directly to the Redirect we never check that URL is local or not, it means that our application is vulnerable to open redirect attacks.

https://ourwebsite.com/account/login?returnURL=http://hackerwebsite.com/account/login



See above URL in which the first part is our website and in return, URL is given by hacker which is malicious or hackers site which steals our data.

If you see the first part it looks like your website and generally, we don’t look second part hacker easily redirect us to their site.



To Prevent Open Redirect Attacks


LocalRedirect In Asp.Net Core
Rather than using Redirect use LocalRedirect so when the user tries to add another domain URL it will prevent and throws an error.



Now see the above image we use Local redirect in our code. When we login I pass return URL as =https://google.com which is not local and our complete URL as below

https://localhost:44387/Account/Login?ReturnUrl=https://google.com

LocalRedirect In Asp.net core.png

so it will throw an error like below

Exception Message: The supplied URL is not local. A URL with an absolute path is considered local if it does not have a host/authority part. URLs using virtual paths (‘~/’) are also local

As we handle error globally so that’s why such page and message occurs.

In Asp.Net Core
If you want to use Redirects only then you can check URL first and then perform redirection. Code for checking the URL Is below

Code:

Url.IsLocalUrl(returnUrl)

And our application code becomes

Code:

[HttpPost]
       [AllowAnonymous]
       public async Task<IActionResult> Login(LoginViewModel model,string returnUrl)
       {
           if (ModelState.IsValid)
           {
               var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, true, false);
               if (result.Succeeded)
               {
                   if(!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
                   return Redirect(returnUrl);
                   else
                   {
                       return RedirectToAction("List", "Home");
                   }
                   //return RedirectToAction("List", "Home");
               }

               ModelState.AddModelError("", "Invalid Login");           
           }
           return View();
       }