 

Website security testing shows Response.Redirect as being vulnerable to an attack

After scanning my web application with Acunetix, the results showed 9 instances of "HTML Form found in redirect page". The HTTP headers to reproduce the test attack are as follows:

Request
GET /entities/add HTTP/1.1
Pragma: no-cache
Referer: https://test.mysite.com/entities/view
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: __AntiXsrfToken=97c0a6bb164d4121b07327df405f9db4; mysitecookie=
Host: test.mysite.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*

Response
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /login
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: mysitecookie=; expires=Mon, 11-Oct-1999 22:00:00 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Tue, 24 Sep 2013 10:38:12 GMT
Content-Length: 9447

The Location: /login part of the Response led me to believe that if I ended the response after redirecting the user to the login page, the vulnerability would be plugged. So I changed all instances of this code:

protected void Page_Load(object sender, EventArgs e)
{
    if (!HttpContext.Current.User.Identity.IsAuthenticated)
    {
        Response.Redirect("/login");
    }
    else
    {
        // etc
    }
}

to:

protected void Page_Load(object sender, EventArgs e)
{
    if (!HttpContext.Current.User.Identity.IsAuthenticated)
    {
        Response.Redirect("/login", true);
    }
    else
    {
        // etc
    }
}

What could be the reason that it's still showing as vulnerable?

notAnonymousAnymore asked Nov 12 '22 21:11


1 Answer

The flag is being raised because there is an HTML form in the page, along with a redirect in the response header. I assume this is a vulnerability because it can give an unauthenticated user some insight into how your application works. What you can do to prevent this flag from being raised is to CLEAR your response before redirecting.

Try the following:

protected void Page_Load(object sender, EventArgs e)
{
    if (!HttpContext.Current.User.Identity.IsAuthenticated)
    {
        Response.Clear();
        Response.Redirect("/login", true); // btw true is the default...
    }
    else
    {
        // etc
    }
}

If you're setting Session variables, cookies, etc., then you'll need to tweak that a bit so that you're sure everything makes it into the response, e.g. use endResponse=false, then Response.End(); return; etc.

http://msdn.microsoft.com/en-us/library/system.web.httpresponse.clear.aspx

mikey answered Nov 14 '22 22:11
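As an added example (not part of the question or the answer above), here is the check the scanner is effectively making: a 3xx response that carries a Location header but whose body still contains an HTML form. Running it over a captured response tells you whether the rendered page leaked past the redirect, which is what the Content-Length: 9447 in the question suggests. The two sample responses are constructed for this example; the "clean" one is modelled on the short "Object moved" stub that ASP.NET writes for a redirect, and the form field names are made up.

```python
"""Flag "HTML Form found in redirect page": a 3xx response with a Location
header whose body still contains an HTML <form>. Example code, not from the
original page; sample responses below are constructed."""
import re
from typing import Dict, NamedTuple, Optional, Tuple

FORM_RE = re.compile(r"<form\b", re.IGNORECASE)


class RedirectCheck(NamedTuple):
    status: int
    location: Optional[str]
    body_length: int
    forms: int        # number of <form ...> tags found in the body
    leaks_form: bool  # True when a redirect response still carries a form


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_redirect(raw: bytes) -> RedirectCheck:
    """Apply the scanner's rule: redirect status + Location header + a form in the body."""
    status, headers, body = parse_response(raw)
    location = headers.get("location")
    forms = len(FORM_RE.findall(body.decode("utf-8", "replace")))
    is_redirect = 300 <= status < 400 and location is not None
    return RedirectCheck(status, location, len(body), forms, is_redirect and forms > 0)


# Constructed: a redirect whose buffered page output (with its form) was still sent.
LEAKY_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Location: /login\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"\r\n"
    b"<html><body>\r\n"
    b'<form method="post" action="/entities/add" id="form1">\r\n'
    b'<input type="hidden" name="__VIEWSTATE" value="..." />\r\n'
    b'<input type="text" name="ctl00$Main$EntityName" />\r\n'
    b"</form></body></html>\r\n"
)

# Constructed: a redirect carrying only the short stub body ASP.NET writes itself.
CLEAN_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Location: /login\r\n"
    b"\r\n"
    b"<html><head><title>Object moved</title></head><body>\r\n"
    b'<h2>Object moved to <a href="/login">here</a>.</h2>\r\n'
    b"</body></html>\r\n"
)

# Constructed: a normal 200 page with a form, which must not be flagged.
FORM_PAGE_200 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b'<html><body><form method="post" action="/login"></form></body></html>\r\n'
)

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY_RESPONSE), ("clean", CLEAN_RESPONSE), ("200", FORM_PAGE_200)):
        print(name, check_redirect(raw))
```

Point the checker at the raw response you export from the scanner or from a proxy; a hit on a redirect is the signal that buffered page output is being flushed with the 302 rather than discarded.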