
Open redirect vulnerability example


In this video we will discuss
  • What is Open Redirect Vulnerability 
  • How to prevent open redirect attacks in asp.net core

Application Vulnerable to Open Redirect Attacks

Your application is vulnerable to open redirect attacks if the following two conditions are both true:
  1. Your application redirects to a URL that is supplied in the request, for example in the query string or in form data
  2. The redirection is performed without checking whether that URL is a local URL

What is Open Redirect Vulnerability 

Most web applications redirect users to a login page when they access resources that require authentication. For example, to see the list of all orders you must already be logged in. If you are not logged in and try to see the list of orders by navigating to http://example.com/orders/list, you will be redirected to the login page.

The redirection includes a returnUrl query string parameter so that the user can be returned to the originally requested URL after they have successfully logged in. 
http://example.com/Account/Login?ReturnUrl=/orders/list

A malicious user can use this returnUrl query string parameter to initiate an open redirect attack.

Open Redirect Vulnerability Example
  • The user of your application is tricked into clicking a link in an email where the returnUrl is set to the attacker's website.

    http://example.com/account/login?returnUrl=http://exampie.com/account/login (note the domain in the returnUrl is "exampie.com": the "l" in "example" has been replaced with an "i")

  • The user logs in successfully on the authentic site and is then redirected to the attacker's website (http://exampie.com/account/login).
  • The login page of the attacker's website looks exactly like the authentic site.
  • The user logs in again on the attacker's website, thinking that the first login attempt was unsuccessful.
  • The user is then redirected back to the authentic site.
  • During this entire process, the user does not even realise that their credentials have been stolen.

Prevent open redirect attacks in ASP.NET Core

We have an open redirect vulnerability because the URL is supplied to the application from the query string, and we simply redirect to that URL without any validation. That missing validation is what makes our application vulnerable to open redirect attacks.

To prevent open redirect attacks, check that the provided URL is a local URL before redirecting to it, or only redirect to a known list of trusted websites.

ASP.NET Core has built-in support for local redirection. Simply use the LocalRedirect() method. If a non-local URL is specified, an exception is thrown instead of performing the redirect.

public IActionResult Login(string returnUrl)
{
    // LocalRedirect only follows URLs that are local to this application
    // (e.g. "/orders/list" or "~/orders/list"); anything else throws
    return LocalRedirect(returnUrl);
}

If you would rather handle a non-local URL yourself instead of letting an exception be thrown, check whether the provided URL is local with the Url.IsLocalUrl() method and fall back to a safe page when it is not.

public IActionResult Login(string returnUrl)
{
    // Only redirect when the URL belongs to this application
    if (Url.IsLocalUrl(returnUrl))
    {
        return Redirect(returnUrl);
    }
    else
    {
        // Not local (or empty): ignore the supplied URL and go to a known safe page
        return RedirectToAction("index", "home");
    }
}
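To see exactly which returnUrl values the local-URL rule accepts and rejects, here is an added example (not code from the tutorial or from ASP.NET Core itself) that re-implements the rule behind Url.IsLocalUrl() as a stand-alone console program and runs it against the URLs from this page; the class name ReturnUrlCheck is made up, and in a real controller you should call the framework's own Url.IsLocalUrl() or LocalRedirect().

```csharp
using System;

// Added example: a stand-alone re-implementation of the "is this URL local?"
// rule, so it can be run outside a web host. Not the framework's own code.
public static class ReturnUrlCheck
{
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;

        // Defensive addition in this example: reject control characters
        // such as CR/LF so a crafted value cannot inject response headers.
        foreach (char c in url)
            if (char.IsControl(c)) return false;

        // "/path" is local, but "//host" and "/\host" are protocol-relative
        // absolute URLs that browsers resolve to a different origin.
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');

        // "~/path" is the virtual-root form; the same protocol-relative caveat applies.
        if (url[0] == '~' && url.Length > 1 && url[1] == '/')
            return url.Length == 2 || (url[2] != '/' && url[2] != '\\');

        // Anything else ("http://...", "exampie.com", "mailto:...") is not local.
        return false;
    }

    public static void Main()
    {
        // Constructed sample values, including the tutorial's look-alike domain
        string[] candidates =
        {
            "/orders/list",                      // local: accepted
            "~/orders/list",                     // local (virtual root): accepted
            "http://exampie.com/account/login",  // the phishing URL from the example: rejected
            "//exampie.com/account/login",       // protocol-relative, still external: rejected
            "/\\exampie.com/account/login",      // backslash variant: rejected
            "exampie.com/account/login",         // no leading slash: rejected
            ""                                   // empty: rejected
        };

        foreach (string url in candidates)
            Console.WriteLine($"{(IsLocalUrl(url) ? "local   " : "REJECTED")}  {url}");
    }
}
```

The two protocol-relative forms are the ones most often missed by hand-written checks such as `returnUrl.StartsWith("/")`, which is why the framework method should be preferred over a custom prefix test.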
