
Open Redirect in .NET


Prevention

If the list of permitted URLs for redirection is known, implement an allow list of such URLs.

string url = Request.QueryString["url"];
// Look the user-supplied value up in the allow list; only a stored entry is ever used as the target
var allowedUrl = db.AllowableUrls.SingleOrDefault(u => u.Url == url);
if (allowedUrl == null)
{
    // Not on the allow list: return an error message and stop here,
    // otherwise the Redirect below would dereference a null entry
    return;
}
// Redirect to the value taken from the allow list, never to the raw parameter
Redirect(allowedUrl.Url);

If the redirection is local to the application, ensure that the URL used for redirection/forward is a relative URL.

The ASP.NET MVC 3 template includes the Url.IsLocalUrl method to protect against open redirection attacks.

string url = Request.QueryString["url"];
// Url.IsLocalUrl accepts only application-relative targets such as "/account" or "~/account"
if (Url.IsLocalUrl(url))
{
    Response.Redirect(url);
}
else
{
    // Anything absolute or protocol-relative falls back to a fixed safe page
    Response.Redirect("/");
}

To protect against open redirection attacks in ASP.NET 1.0 and 2.0 applications, which have no built-in helper, add an IsLocalUrl() method and validate the user-supplied URL parameter with it before redirecting.

public bool IsLocalUrl(string url)
{
    // Delegates to the System.Web.WebPages helper, which treats only
    // "/path" and "~/path" forms as local to the current host
    return System.Web.WebPages.RequestExtensions.IsUrlLocalToHost(
        RequestContext.HttpContext.Request,  // the current HttpRequestBase
        url
    );
}
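The following is an added example, not code from the original page: a stand-alone C# program whose IsLocalUrl follows the same accept rules as the framework helper above ("/path" or "~/path" only), paired with a resolver that substitutes a fixed landing page for anything else, and run over constructed inputs that show which shapes the check rejects and why.

```csharp
// Added example (not from the original page): a self-contained local-URL
// check modelled on the IsUrlLocalToHost rules, plus a resolver that falls
// back to "/" whenever the candidate fails the check.
using System;
using System.Collections.Generic;

static class SafeRedirect
{
    // Accept only "/path" (exactly one leading slash) or "~/path".
    // "//host/..." and "/\host/..." are rejected: browsers treat both as
    // protocol-relative URLs, so a redirect to them leaves the site.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;

        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');

        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // Return the URL to redirect to: the candidate if it is local, otherwise
    // a fixed safe page. The raw parameter is never handed to Redirect().
    public static string ResolveReturnUrl(string candidate, string fallback = "/")
    {
        return IsLocalUrl(candidate) ? candidate : fallback;
    }

    static void Main()
    {
        // Constructed sample inputs: two ordinary local targets, then the
        // shapes a validator must reject (absolute, protocol-relative, empty).
        var samples = new List<string>
        {
            "/account/profile",
            "~/dashboard",
            "https://evil.example/login",
            "//evil.example/login",
            "/\\evil.example/login",
            "",
            null
        };

        foreach (var url in samples)
        {
            Console.WriteLine(
                $"{url ?? "<null>",-28} local={IsLocalUrl(url),-5} -> {ResolveReturnUrl(url)}");
        }
    }
}
```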

References

Microsoft - Preventing Open Redirection Attacks
OWASP - Unvalidated Redirects and Forwards
MITRE - CWE-601