What Is an Open Redirection Vulnerability & How to Prevent It?

Open Redirection

An Open Redirection vulnerability exists when a web application or server takes a URL supplied by the user (for example in a query-string parameter) and redirects the browser to it without validating that the destination is an allowed, local page. Because the link starts with a trusted domain, an attacker can use it to send victims to a site they control.

How do I identify whether my application is vulnerable?

  1. The application redirects to a URL taken directly from the request, for example from a query-string parameter such as returnUrl or from posted form data.
  2. The redirect is performed without checking that the URL is local to the application (a path on the same site rather than a URL with another host).

Open Redirection Vulnerability

Below is the vulnerable login action:

[HttpPost]
[AllowAnonymous]
public async Task<IActionResult> Login(LoginViewModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, true, false);
        if (result.Succeeded)
        {
            // VULNERABLE: returnUrl comes straight from the request and is passed
            // to Redirect() without checking that it is a local URL.
            if (!string.IsNullOrEmpty(returnUrl))
            {
                return Redirect(returnUrl);
            }
            return RedirectToAction("List", "Home");
        }

        ModelState.AddModelError("", "Invalid Login");
    }
    return View();
}

In this code the returnUrl value is passed directly to Redirect, and we never check whether the URL is local. That means the application is vulnerable to open redirect attacks, for example via a link such as:

https://ourwebsite.com/account/login?returnURL=http://hackerwebsite.com/account/login

In the URL above, the first part is our website, but the returnURL parameter is supplied by the attacker and points at a site they control, which can then phish credentials or steal data. Because the link begins with our own domain, users rarely inspect the second part, so the attacker can redirect them to their site with little suspicion. A common variant is a fake login page on the attacker's site that looks like ours and captures the password the victim re-enters after the "successful" login.

To Prevent Open Redirect Attacks

LocalRedirect In Asp.Net Core

Rather than using Redirect, use LocalRedirect. It returns a LocalRedirectResult, and when that result executes ASP.NET Core checks the URL and throws an InvalidOperationException if it is not local, so an attacker-supplied URL pointing at another domain is never sent to the browser. Note that this is a hard failure (a 500 error unless you handle the exception); if you want a friendlier fallback, validate the URL first with Url.IsLocalUrl as shown in the next section.

LocalRedirect In Asp.net core

The screenshot above shows LocalRedirect in our code. When we log in and pass a return URL of https://google.com, which is not local, the complete URL is:

https://localhost:44387/Account/Login?ReturnUrl=https://google.com

and the application throws an exception with the following message:

Exception Message: The supplied URL is not local. A URL with an absolute path is considered local if it does not have a host/authority part. URLs using virtual paths ('~/') are also local.

Because errors are handled globally in this application, the exception surfaces as the error page and message shown above.

Url.IsLocalUrl In Asp.Net Core

If you prefer to keep using Redirect, validate the URL first and only redirect when the check passes. Url.IsLocalUrl returns true only for URLs that start with "/" or "~/" and that do not have a host part; it returns false for absolute URLs such as https://hackerwebsite.com, for an empty string, and for the protocol-relative forms "//hackerwebsite.com" and "/\hackerwebsite.com", which browsers treat as pointing at another host. The check is:

Url.IsLocalUrl(returnUrl)

With that check in place, our login action becomes:

[HttpPost]
[AllowAnonymous]
public async Task<IActionResult> Login(LoginViewModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, true, false);
        if (result.Succeeded)
        {
            // SAFE: only follow returnUrl when it is a local URL ("/..." or "~/...");
            // anything else falls back to a fixed page on our own site.
            if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }
            return RedirectToAction("List", "Home");
        }

        ModelState.AddModelError("", "Invalid Login");
    }
    return View();
}
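The following is an added example, not code from the original post and not the ASP.NET Core framework's own implementation. It is a stand-alone console program (no ASP.NET dependency) that reimplements the local-URL rule described above for Url.IsLocalUrl and LocalRedirect, so you can see exactly which attacker-style inputs a correct check rejects: absolute URLs, bare hostnames, the protocol-relative "//host" and "/\host" forms, and values containing control characters. The helper name ResolveReturnUrl and the fallback path "/Home/List" (standing in for RedirectToAction("List", "Home")) are assumptions of this example, and the control-character rejection is included here as defence in depth against header injection; in production code, call the framework's Url.IsLocalUrl when an IUrlHelper is available rather than this copy.

```csharp
// SafeRedirect.cs - added example (dotnet new console, replace Program.cs, dotnet run).
// Reimplements the documented rule for ASP.NET Core's Url.IsLocalUrl: only
// "/..." and "~/..." paths are local; "//..." and "/\..." are rejected because
// browsers treat them as protocol-relative URLs that point at another host.
// Assumption: this mirrors the framework's behaviour for the cases shown below.
using System;
using System.Collections.Generic;

public static class SafeRedirect
{
    public static bool IsLocalUrl(string? url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        // "/" or "/foo" is local; "//evil.com" and "/\evil.com" are not.
        if (url[0] == '/')
        {
            if (url.Length == 1) return true;
            if (url[1] == '/' || url[1] == '\\') return false;
            return !HasControlCharacter(url.AsSpan(1));
        }

        // "~/" or "~/foo" (virtual path) is local; "~//" and "~/\" are not.
        if (url[0] == '~' && url.Length > 1 && url[1] == '/')
        {
            if (url.Length == 2) return true;
            if (url[2] == '/' || url[2] == '\\') return false;
            return !HasControlCharacter(url.AsSpan(2));
        }

        // Anything else ("https://...", "evil.com", "javascript:...") is not local.
        return false;
    }

    // Control characters (\r, \n, ...) are rejected so a value cannot smuggle a
    // second header line into the Location header. Added here as defence in depth.
    private static bool HasControlCharacter(ReadOnlySpan<char> s)
    {
        foreach (var c in s)
            if (char.IsControl(c)) return true;
        return false;
    }

    // The pattern the post recommends, as a reusable helper: keep the user-supplied
    // returnUrl only when it is local, otherwise fall back to a fixed page of ours.
    // The fallback path is an assumption of this example.
    public static string ResolveReturnUrl(string? returnUrl, string fallback = "/Home/List")
        => IsLocalUrl(returnUrl) ? returnUrl! : fallback;

    public static void Main()
    {
        // Constructed inputs: an attacker fully controls the returnUrl query parameter.
        var cases = new Dictionary<string, bool>
        {
            ["/Account/Manage"] = true,
            ["~/Account/Manage"] = true,
            ["/"] = true,
            ["https://hackerwebsite.com"] = false,
            ["http://hackerwebsite.com/account/login"] = false,
            ["//hackerwebsite.com"] = false,              // protocol-relative
            [@"/\hackerwebsite.com"] = false,             // browsers normalise "\" to "/"
            ["~//hackerwebsite.com"] = false,
            ["javascript:alert(1)"] = false,
            ["hackerwebsite.com"] = false,
            ["/Account\r\nSet-Cookie: x=1"] = false,      // header injection attempt
            [""] = false,
        };

        var failures = 0;
        foreach (var (url, expected) in cases)
        {
            var actual = IsLocalUrl(url);
            if (actual != expected) failures++;
            var shown = url.Replace("\r", "\\r").Replace("\n", "\\n");
            Console.WriteLine($"{(actual == expected ? "ok  " : "FAIL")} IsLocalUrl(\"{shown}\") = {actual}");
        }

        Console.WriteLine($"ResolveReturnUrl(\"//hackerwebsite.com\") -> {ResolveReturnUrl("//hackerwebsite.com")}");
        Environment.Exit(failures == 0 ? 0 : 1);
    }
}
```

Two points worth noting when reading the output: the check is deliberately an allowlist (a path must start with "/" or "~/") rather than a blocklist of "http://" prefixes, which is why bare hostnames and scheme-less tricks fail closed; and because IsLocalUrl already returns false for an empty string, the extra string.IsNullOrEmpty test in the login action is harmless but redundant.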

Url.IsLocalUrl in asp net core

Sagar Jaybhay, from Maharashtra, India, is currently a Senior Software Developer. He has continuously grown in the roles that he has held in the more than seven years he has been with this company. Sagar Jaybhay is an excellent team member and prides himself on his work contributions to his team and company as a whole.
