Open Redirection

An Open Redirection is when a web application or server uses a user-submitted link to redirect the user to a given website or page.

How do I identify whether my application is vulnerable or not?

Your application is vulnerable if it redirects to a URL that is supplied directly by the user via the request, such as a query string parameter or form data, and the redirection is performed without checking whether that URL is a local URL.

[Image: Open Redirection Vulnerability.png]

Below is the code for that:

Code:
[HttpPost]
[AllowAnonymous]
public async Task<IActionResult> Login(LoginViewModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, true, false);
        if (result.Succeeded)
        {
            // Vulnerable: returnUrl comes straight from the request and is never checked.
            if (!string.IsNullOrEmpty(returnUrl))
                return Redirect(returnUrl);
            else
                return RedirectToAction("List", "Home");
        }
        ModelState.AddModelError("", "Invalid Login");
    }
    return View();
}

In this code we pass the URL directly to Redirect and never check whether it is local, which means our application is vulnerable to open redirect attacks.

https://ourwebsite.com/account/login?returnURL=http://hackerwebsite.com/account/login

In the URL above, the first part is our website, while the returnURL is supplied by the attacker and points to a malicious site that steals our data. The first part looks like our own website, and since we generally don't look at the second part, the attacker can easily redirect us to their site.

To Prevent Open Redirect Attacks

LocalRedirect in ASP.NET Core

Rather than using Redirect, use LocalRedirect: when a user tries to supply a URL on another domain it refuses the redirect and throws an error. The image below shows LocalRedirect used in our code.

When we log in, I pass the return URL as https://google.com, which is not local, so the complete URL is:

https://localhost:44387/Account/Login?ReturnUrl=https://google.com

[Image: LocalRedirect In Asp.net core.png]

It will throw an error like the one below:

Exception Message: The supplied URL is not local. A URL with an absolute path is considered local if it does not have a host/authority part. URLs using virtual paths (‘~/’) are also local

Because we handle errors globally, that is the page and message that appear.

If you want to keep using Redirect in ASP.NET Core, you can check the URL first and then perform the redirection. The code for checking the URL is below:

Code:
Url.IsLocalUrl(returnUrl)

And our application code becomes:

Code:
[HttpPost]
[AllowAnonymous]
public async Task<IActionResult> Login(LoginViewModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, true, false);
        if (result.Succeeded)
        {
            // Only follow returnUrl when it is a local URL; otherwise fall back to a fixed page.
            if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            else
                return RedirectToAction("List", "Home");
        }
        ModelState.AddModelError("", "Invalid Login");
    }
    return View();
}
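As an added example (not code from the original post or from ASP.NET Core itself), the stand-alone console program below reimplements the local-URL rule quoted in the exception message above, so the returnUrl decision can be exercised against sample inputs without running MVC. It approximates the framework's Url.IsLocalUrl behaviour and also covers the protocol-relative "//host" and "/\host" forms, which have a host part even though they start with a slash; the sample URLs and the helper names are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

public static class ReturnUrlGuard
{
    // Local means: a path starting with a single "/" (not "//" or "/\", which
    // browsers treat as host-relative) or an app-relative "~/" path.
    // Anything carrying a scheme or host/authority part (https://..., //host) is rejected.
    public static bool IsLocalUrl(string? url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        // Leading whitespace or control characters are not a valid start of a local path.
        if (char.IsWhiteSpace(url[0]) || char.IsControl(url[0])) return false;

        if (url[0] == '/')
        {
            // "/" alone or "/path" is local; "//host" and "/\host" are not.
            if (url.Length == 1) return true;
            return url[1] != '/' && url[1] != '\\';
        }
        if (url[0] == '~')
        {
            return url.Length > 1 && url[1] == '/';
        }
        return false;
    }

    // The decision the Login action makes: honour a local returnUrl, otherwise use the fallback.
    public static string ResolveRedirect(string? returnUrl, string fallback = "/Home/List")
        => IsLocalUrl(returnUrl) ? returnUrl! : fallback;

    public static void Main()
    {
        // Constructed sample inputs: the two URLs from the post plus local paths and edge cases.
        var samples = new List<string?>
        {
            "http://hackerwebsite.com/account/login", // absolute URL to another host: rejected
            "https://google.com",                      // the post's LocalRedirect failure case
            "//google.com/account",                    // protocol-relative: still another host
            "/Home/List",                              // local absolute path: allowed
            "~/Home/List",                             // virtual path: allowed
            null,                                      // missing returnUrl: fall back
        };
        foreach (var s in samples)
            Console.WriteLine($"{(s ?? "<null>"),-42} local={IsLocalUrl(s),-5} -> {ResolveRedirect(s)}");
    }
}
```

Running it prints one line per sample showing whether the value is treated as local and where the user would be sent; only the "/Home/List" and "~/Home/List" entries are honoured, every other value falls back to the fixed page.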