
Open Redirect in .NET

Prevention

If the set of URLs you need to redirect to is known in advance, keep an allow list of them and redirect only to an entry taken from that list, never to the raw parameter value.

string url = Request.QueryString["url"];
var allowedUrl = db.AllowableUrls.SingleOrDefault(u => u.Url == url);
if (allowedUrl == null)
{
    // Unknown target: report an error and stop here; without the return the
    // line below would dereference null.
    return View("Error");
}
// Redirect to the stored value, not to the query-string parameter.
return Redirect(allowedUrl.Url);

If the redirect target is inside the application, make sure the URL used for the redirect/forward is a relative (local) URL such as /Account/Manage, not an absolute URL carrying a scheme and host.

ASP.NET MVC 3 ships the Url.IsLocalUrl method (on UrlHelper), which the default project template uses to protect the login return-URL flow against open redirection. It accepts only paths of the form /foo or ~/foo and rejects absolute URLs as well as protocol-relative ones such as //evil.example, which a browser would resolve to an external host. ASP.NET Core keeps the same Url.IsLocalUrl check and additionally offers LocalRedirect(url), which throws for a non-local URL.

string url = Request.QueryString["url"];
if (Url.IsLocalUrl(url))
{
    return Redirect(url);
}
// Not local: fall back to a known-safe page instead of honouring the parameter.
return RedirectToAction("Index", "Home");

ASP.NET MVC 1.0 and MVC 2 have no Url.IsLocalUrl. To protect those applications, add an IsLocalUrl() helper to the controller that delegates to System.Web.WebPages.RequestExtensions.IsUrlLocalToHost (this needs a reference to System.Web.WebPages.dll, which is installed with MVC 3), and validate the user-supplied URL parameter with it before redirecting.

// Inside a controller: Request is the HttpRequestBase the extension method expects.
private bool IsLocalUrl(string url)
{
    return System.Web.WebPages.RequestExtensions.IsUrlLocalToHost(Request, url);
}
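The following stand-alone console program is an added example, not code from the page or from Microsoft's templates. It puts the two defences above side by side: an in-memory allow list (standing in for the AllowableUrls table) matched exactly, and a local-URL predicate that reimplements the rule used by IsUrlLocalToHost so the program runs without System.Web. The candidate URLs are constructed test inputs that mix legitimate targets with the usual bypass attempts.

```csharp
using System;
using System.Collections.Generic;

static class RedirectGuard
{
    // Constructed allow list of absolute URLs the app may redirect to
    // (the page's example reads these from a database table).
    static readonly HashSet<string> AllowedUrls =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://www.example.com/partner",
            "https://docs.example.com/help",
        };

    // Same rule as System.Web.WebPages.RequestExtensions.IsUrlLocalToHost:
    // accept "/" or "/path" but not "//host" or "/\host", and accept "~/" or "~/path".
    // Anything with a scheme ("http:", "javascript:") fails because it does not
    // start with '/' or '~/'.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // Allow-list check: exact match only. Prefix or substring matching would let
    // "https://www.example.com.evil.example/" through.
    public static bool IsAllowedUrl(string url)
    {
        return !string.IsNullOrEmpty(url) && AllowedUrls.Contains(url);
    }

    // The URL a controller should actually redirect to: the candidate if it is
    // local or allow-listed, otherwise the safe fallback.
    public static string ResolveRedirect(string candidate, string fallback)
    {
        return IsLocalUrl(candidate) || IsAllowedUrl(candidate) ? candidate : fallback;
    }

    static void Main()
    {
        string[] candidates =
        {
            "/Account/Manage",                  // local path: allowed
            "~/Home/Index",                     // app-relative path: allowed
            "https://www.example.com/partner",  // on the allow list: allowed
            "//evil.example/phish",             // protocol-relative: rejected
            "/\\evil.example/phish",            // backslash variant: rejected
            "http://evil.example/",             // absolute, not allow-listed: rejected
            "https://www.example.com.evil.example/partner", // look-alike host: rejected
            "javascript:alert(1)",              // scheme, not a path: rejected
            "",                                 // empty: rejected
        };

        foreach (var c in candidates)
        {
            Console.WriteLine("{0,-48} -> {1}", c, ResolveRedirect(c, "/"));
        }
    }
}
```

In a real controller, ResolveRedirect would be followed by `return Redirect(target);`; the point of the fallback is that a rejected parameter never produces an error page an attacker can use to probe the check, just the application's own landing page.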

References

Microsoft - Preventing Open Redirection Attacks (C#): https://learn.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks
OWASP - Unvalidated Redirects and Forwards Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
MITRE - CWE-601: URL Redirection to Untrusted Site ('Open Redirect'): https://cwe.mitre.org/data/definitions/601.html