 

Could ASP.NET MVC prevent Open Redirect security issue

I read someone's asp.net mvc code as:

[HttpGet]
public ActionResult Move(string url)
{
    // "url" is taken straight from the query string and is never validated
    return Redirect(HttpUtility.UrlEncode(url));
}

I am afraid the code above could cause the Open Redirect security problem, because the "url" comes from the user's input and is never filtered/protected....

So the url could be something like "www.hackersite.com", which would be dangerous...

But someone told me that the asp.net mvc framework itself could prevent the issue. I am not sure how to do that....?

asked Oct 28 '25 12:10 by allencharp


1 Answer

It doesn't matter which technology exactly you're using. For preventing Open Redirection you'll simply have to follow the OWASP guidelines. Normally there are two different cases in site redirection:

  1. If you should redirect the user as part of the process (as in redirecting to Home.aspx after a successful login).
  2. If there's a link on the website that the user can change and click on (as in a Facebook post where someone posted a link to some external website).

In both cases the mitigation could be different.

For case #1: You'll have to make sure that the URL is a local URL, i.e. in the same web app's domain. Otherwise redirect to another page, e.g. your Index.

// Url.IsLocalUrl is false for absolute URLs ("http://host/...") and for
// protocol-relative or backslash-prefixed paths ("//host/...", "/\host/...")
if (Url.IsLocalUrl(returnPath))
    return Redirect(returnPath);
else
    return RedirectToAction("Index", "Home");

For case #2:

You may need to check first if the URL is local or not. If it's not, you'll have to redirect the user to a web page and ask for his confirmation that he will be redirected to another domain.

You can find more info here: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

answered Oct 30 '25 01:10 by shawkyz1
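As an added example (not code from the question or the answer), here is how both cases described in the answer could look in one ASP.NET MVC 5 controller. The `Leave.cshtml` view and the `Home/Index` action are assumed to exist; the view renders the destination host and a plain link, so the server itself never issues a redirect to an external site.

```csharp
using System;
using System.Web.Mvc;

public class RedirectController : Controller
{
    // Case #1: post-login style redirect. Only paths inside this app are followed.
    [HttpGet]
    public ActionResult Move(string returnUrl)
    {
        // Url.IsLocalUrl returns false for empty input, absolute URLs ("http://host/..."),
        // protocol-relative ("//host/...") and backslash ("/\host/...") forms,
        // so all of those fall through to the safe default below.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);

        return RedirectToAction("Index", "Home");
    }

    // Case #2: user-supplied external link. Never redirect automatically;
    // show an interstitial page that names the destination and lets the user decide.
    [HttpGet]
    public ActionResult Leave(string url)
    {
        Uri target;
        // Accept only well-formed absolute http(s) URLs; anything else (javascript:, data:,
        // relative paths, garbage) goes back to the home page instead.
        if (!Uri.TryCreate(url, UriKind.Absolute, out target)
            || (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps))
            return RedirectToAction("Index", "Home");

        // Leave.cshtml (assumed) shows target.Host and an <a href="@Model"> link;
        // the user clicks it, the server does not 302 to the external domain.
        return View(model: target.AbsoluteUri);
    }
}
```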