I heard of sites using other sites to redirect users either to their own site or to hide behind another site. In my code I redirect in a few places, such as posting a comment (it's easier to use a return URL than to figure out the page from the data given).

How do I check if the return URL is my own URL? I think I use absolute paths, so I can easily check if the first character is '/', but then I will lose relative flexibility. This also disallows me from doing http://mysite.com/blah in the redirect URL. I could patch the URL by adding mysite + string, but I'll need to figure out if string is a relative URL or already a mysite.com URL.

What's the easiest way to ensure I am only redirecting to my site?

A: 

This seems to be an odd question, and it should not be a concern if you are in full control over the redirect process. If for some reason you are allowing input from the user to be actively involved in a redirect (as in the code below)

Response.Redirect(someUserInput);

Then, yes, a user could have your code send them off to who knows where. But if all you are ever doing is

Response.Redirect("/somepage.aspx")

Then those redirects will always be on your site.

Like I said, it seems to be an odd question. The more prominent concerns in terms of user input are typically SQL Injection attacks and cross-site scripting. I've not really heard about "malicious redirects."

Anthony Pegram
If I understand the Q, he's got a page that accepts a ReturnUrl query string param. When the page is done, he does a `Response.Redirect` to that URL. Usually, _his_ code is what constructs the ReturnUrl param, but what if some other code does, instead.
John Saunders
@John, ahh. I like the solution you present.
Anthony Pegram
+2  A: 

I hadn't thought of this before, but how about using an encrypted version of the URL in the query string parameter?

Alternatively, you could keep a list of the actual URLs in some persistent store (persistent for a couple of hours, maybe), and in the query string, just include the index into the persistent store of URLs. Since You'd be the only code manipulating this persistent, server-side store, the worst a malicious user could do would be to redirect to a different valid URL.

John Saunders
Interesting, but that sounds like it COULD be more work than checking if the URL starts with [A-z]:// and checking if it's my site or another site, and if it's a relative or absolute path. I am thinking there may be a way with URI to check if the domain has http and if it's my domain or not. Last time I tried I didn't see any obvious solution. Maybe I should just enforce absolute paths (but not URLs) and simply check if it starts with '/'. +1 for a good and interesting answer.
acidzombie24
I didn't want to do pattern matching on the URL because of things like IP addresses, load balancers, partner sites, etc. Instead, I reversed it with the idea that I know which URLs I redirect to (in theory), and just want to ensure that it's one of those URLs.
John Saunders
+1  A: 

How about, if the redirectUrl contains "://" (which includes http://, https://, ftp://, etc.) then it must also start with "http://mysite.com". If it does not contain "://" then it is relative and should not be a problem. Something like this:

// Redirect only when the URL is relative (no "://") or is an absolute URL on this site.
// The XOR is false in exactly those two cases, so the negation lets them through.
if (!(redirectUrl.Contains("://") ^ redirectUrl.IndexOf("http://mysite.com") == 0))
{
    Response.Redirect(redirectUrl);
}
James Lawruk
I like it. I also don't have to worry about ports and other crazy stuff. Cool, I think I'll use this. NOTE: The only problem with the solution is it doesn't work with subdomains, but I happen to not be using any ;).
acidzombie24
Great! FYI: I changed it slightly, changed Contains() to IndexOf()
James Lawruk
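One way to do the host check the question asks about with the Uri class, as an added example that is not from any of the answers above; RedirectGuard, IsLocalRedirect and ourHost are hypothetical names. It goes a little beyond the string-prefix check: it compares the parsed host exactly rather than a prefix, and it rejects scheme-relative forms such as "//other.example", which contain no "://" but still send the browser to another host.

```csharp
using System;

public static class RedirectGuard
{
    // Hypothetical helper (not from the answers above): true only if returnUrl is a
    // site-relative path or an absolute http(s) URL whose host is exactly ourHost.
    // Subdomains do not match; add them explicitly if the site uses them.
    public static bool IsLocalRedirect(string returnUrl, string ourHost)
    {
        if (string.IsNullOrWhiteSpace(returnUrl))
            return false;
        returnUrl = returnUrl.Trim();

        // A ':' before the first '/', '?' or '#' means the string carries a scheme
        // ("http://...", "mailto:...") and must be checked as an absolute URL.
        int colon = returnUrl.IndexOf(':');
        int delimiter = returnUrl.IndexOfAny(new[] { '/', '?', '#' });
        bool hasScheme = colon >= 0 && (delimiter < 0 || colon < delimiter);

        if (!hasScheme)
        {
            // Scheme-relative forms ("//host", "/\host", "\\host") contain no "://",
            // yet browsers resolve them against the current scheme and leave the site.
            if (returnUrl.StartsWith("//") || returnUrl.StartsWith("/\\") || returnUrl.StartsWith("\\"))
                return false;
            return true;   // "/somepage.aspx?x=1" or "page.aspx": stays on this site
        }

        Uri parsed;
        if (!Uri.TryCreate(returnUrl, UriKind.Absolute, out parsed))
            return false;
        if (parsed.Scheme != Uri.UriSchemeHttp && parsed.Scheme != Uri.UriSchemeHttps)
            return false;

        // Compare the parsed host, not a string prefix: "http://mysite.com.other.example"
        // and "http://mysite.com@other.example" both start with "http://mysite.com"
        // but resolve to other.example.
        return string.Equals(parsed.Host, ourHost, StringComparison.OrdinalIgnoreCase);
    }

    // Usage in the comment handler (ASP.NET Web Forms, as in the question):
    //   string target = Request.QueryString["ReturnUrl"];
    //   Response.Redirect(RedirectGuard.IsLocalRedirect(target, Request.Url.Host) ? target : "/");
}
```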