1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

What Is an Open Redirection Vulnerability & How to Prevent it in asp.net co?

Discussion in 'ASP.NET' started by Sagar Jaybhay, Nov 22, 2019.

Tags:
  1. Sagar Jaybhay

    Sagar Jaybhay New Member

    Joined:
    Jan 28, 2019
    Messages:
    16
    Likes Received:
    7
    Trophy Points:
    3
    Gender:
    Male
    Occupation:
    Sr. Software Developer
    Location:
    Pune
    Home Page:
    Open Redirection
    An Open Redirection is when a web application or server uses a user-submitted link to redirect the user to a given website or page.

    How I identify is my application vulnerable or not?
    1. If your application redirects to URL which is directly given by user that’s specified via the request such as query string or form data.
    2. The redirection is performed without checking if the URL is a local URL.
    Open Redirection Vulnerability.png

    Below is the code for that

    Code:
    [HttpPost]
            [AllowAnonymous]
            public async Task<IActionResult> Login(LoginViewModel model,string returnUrl)
            {
                if (ModelState.IsValid)
                {
                    var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, true, false);
                    if (result.Succeeded)
                    {
                        if(!string.IsNullOrEmpty(returnUrl))
                        return Redirect(returnUrl);
                        else
                        {
                            return RedirectToAction("List", "Home");
                        }
                        //return RedirectToAction("List", "Home");
                    }
    
                    ModelState.AddModelError("", "Invalid Login");           
                }
                return View();
            }

    In this code we pass this URL directly to the Redirect we never check that URL is local or not, it means that our application is vulnerable to open redirect attacks.

    https://ourwebsite.com/account/login?returnURL=http://hackerwebsite.com/account/login



    See above URL in which the first part is our website and in return, URL is given by hacker which is malicious or hackers site which steals our data.

    If you see the first part it looks like your website and generally, we don’t look second part hacker easily redirect us to their site.



    To Prevent Open Redirect Attacks


    LocalRedirect In Asp.Net Core
    Rather than using Redirect use LocalRedirect so when the user tries to add another domain URL it will prevent and throws an error.



    Now see the above image we use Local redirect in our code. When we login I pass return URL as =https://google.com which is not local and our complete URL as below

    https://localhost:44387/Account/Login?ReturnUrl=https://google.com

    LocalRedirect In Asp.net core.png

    so it will throw an error like below

    Exception Message: The supplied URL is not local. A URL with an absolute path is considered local if it does not have a host/authority part. URLs using virtual paths (‘~/’) are also local

    As we handle error globally so that’s why such page and message occurs.

    LocalRedirect In Asp.net core.png Open Redirection Vulnerability.png In Asp.Net Core
    If you want to use Redirects only then you can check URL first and then perform redirection. Code for checking the URL Is below

    Code:
    Url.IsLocalUrl(returnUrl)
    And our application code becomes

    Code:
    [HttpPost]
           [AllowAnonymous]
           public async Task<IActionResult> Login(LoginViewModel model,string returnUrl)
           {
               if (ModelState.IsValid)
               {
                   var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, true, false);
                   if (result.Succeeded)
                   {
                       if(!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
                       return Redirect(returnUrl);
                       else
                       {
                           return RedirectToAction("List", "Home");
                       }
                       //return RedirectToAction("List", "Home");
                   }
    
                   ModelState.AddModelError("", "Invalid Login");           
               }
               return View();
           }
    
    
     
    shabbir likes this.

Share This Page