Why Url.IsLocalUrl is false for local URLs in ASP.NET MVC?

Mission:

To prevent open redirection in an ASP.NET MVC 5 application

The story:

The user is on some webpage of website /, say overview page /Home/Overview and clicks login

After login, the server returns some top-secret user specific data and redirects to the same page from where the user initiated login request.

I need to make sure that the server does not stupidly redirect to a hacker's website after login and also pass top-secret user specific data.

The values of

  • _Controller.Request.UrlReferrer
  • _Controller.Request.UrlReferrer.AbsoluteUri
  • _Controller.Request.Url.AbsoluteUri
  • _Controller.Url.IsLocalUrl(returnUrl)

respectively are:

  • {https://localhost:44300/Home/Overview}
  • "https://localhost:44300/Home/Overview"
  • "https://localhost:44300/Account/Login?returnUrl=%2FHome%2FOverview"
  • false


The value of Url.IsLocalUrl is false which is logically wrong.

In such case, how do I make sure that the user gets safely redirected to /Home/Overview and not http://blackHatHackerWebsite.com after successful login?

asked by xameeramir, Jan 11 '16 05:01



1 Answer

Url.IsLocalUrl("/Home/Overview") is definitely true. You get false because it's evaluating Url.IsLocalUrl("%2fHome%2fOverview"). That is, your returnUrl is url encoded twice. Try to find where you have an unnecessary encode.

answered by Cheng Chen, Oct 23 '22 03:10
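To make the answer's diagnosis concrete, here is an added example (not code from the question, the answer, or the ASP.NET MVC framework itself). The `SafeRedirect.IsLocalUrl` method below reproduces the rule that `Url.IsLocalUrl` documents (accept only an absolute path such as `/Home/Overview` or a virtual path `~/...`, never a URL with a host part or a protocol-relative `//host`); the class name, the `ChooseRedirect` helper, and the sample inputs are constructed for this illustration. Run as a console program it shows why the once-too-often-encoded value `%2FHome%2FOverview` fails the check while `/Home/Overview` passes, and why the absolute and protocol-relative attacker URLs from the question are rejected.

```csharp
using System;
using System.Net;

// Added example: a stand-alone reproduction of the documented Url.IsLocalUrl rule,
// used to decide where to send the user after login. Not the framework's own code.
public static class SafeRedirect
{
    // A URL is local when it is "/path" (but not "//host" or "/\host", which browsers
    // treat as protocol-relative, i.e. off-site) or a virtual path "~/path".
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // Post-login target: the returnUrl only if it is local, otherwise the site's own fallback.
    public static string ChooseRedirect(string returnUrl, string fallback = "/Home/Index")
    {
        return IsLocalUrl(returnUrl) ? returnUrl : fallback;
    }

    public static void Main()
    {
        // Constructed sample inputs covering the cases discussed in the question and answer.
        string[] samples =
        {
            "/Home/Overview",                   // what the asker expects to receive
            "%2FHome%2FOverview",               // what actually reaches IsLocalUrl (encoded twice)
            "//blackHatHackerWebsite.com",      // protocol-relative: rejected
            "/\\blackHatHackerWebsite.com",     // backslash variant: rejected
            "http://blackHatHackerWebsite.com", // absolute URL: rejected
            "~/Home/Overview",                  // virtual path: accepted
        };

        foreach (var s in samples)
            Console.WriteLine($"{s,-36} local={IsLocalUrl(s),-5} -> {ChooseRedirect(s)}");

        // The answer's diagnosis: the value still carries one layer of percent-encoding.
        // Decoding it once more restores the local path; this confirms the cause, but the
        // real fix is to remove the extra encode where the returnUrl is built.
        string onceDecoded = WebUtility.UrlDecode("%2FHome%2FOverview");
        Console.WriteLine($"after one extra decode: {onceDecoded} local={IsLocalUrl(onceDecoded)}");
    }
}
```

In an MVC 5 `AccountController` the same decision is the familiar one-liner `return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");`. The point of the stand-alone check is that it must see the decoded `/Home/Overview`: once the unnecessary encode is removed, the framework's own `Url.IsLocalUrl` returns true for the overview page and false for every off-site value above.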