To prevent open redirection in an ASP.NET MVC 5 application
The user is on some webpage of the website, say the overview page /Home/Overview, and clicks login.

After login, the server returns some top-secret user specific data and redirects to the same page from where the user initiated the login request.

I need to make sure that the server does not stupidly redirect to a hacker's website after login and also pass top-secret user specific data.

The values of the following expressions, respectively, are:

  _Controller.Request.UrlReferrer              = {https://localhost:44300/Home/Overview}
  _Controller.Request.UrlReferrer.AbsoluteUri  = "https://localhost:44300/Home/Overview"
  _Controller.Request.Url.AbsoluteUri          = "https://localhost:44300/Account/Login?returnUrl=%2FHome%2FOverview"
  _Controller.Url.IsLocalUrl(returnUrl)        = false

The value of Url.IsLocalUrl is false, which is logically wrong.

In such a case, how do I make sure that the user gets safely redirected to /Home/Overview and not to http://blackHatHackerWebsite.com after successful login?
A URL is considered local if it does not have a host / authority part and it has an absolute path. URLs using virtual paths ('~/') are also local.
If those URLs don't include a controller or action method name, then you can provide the missing information through default values on your routes. But if those URLs include an incorrect action or controller name, then ASP.NET MVC will simply return one of the standard HTTP error codes.
The ASP.NET MVC framework includes a flexible URL routing system that enables you to define URL mapping rules within your applications. The routing system has two main purposes: Map incoming URLs to the application and route them so that the right Controller and Action method executes to process them.
Url.IsLocalUrl("/Home/Overview") is definitely true. You get false because it's evaluating Url.IsLocalUrl("%2fHome%2fOverview"). That is, your returnUrl is URL-encoded twice. Try to find where you have an unnecessary encode.
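The following stand-alone C# console program is an added example, not code from the question, the answers, or the ASP.NET MVC framework. Its IsLocalUrl is a hypothetical re-implementation modelled on the rule quoted above (no host/authority part plus an absolute path, or a "~/" virtual path); it goes beyond the question's case by also rejecting protocol-relative ("//host") and backslash forms, and it includes a diagnostic that flags the double-encoded value from the question. The sample inputs are constructed; the method names SafeRedirectTarget and IsLocalAfterOneDecode are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example (not framework code). IsLocalUrl is a hypothetical
// re-implementation of the documented rule: a URL is local when it has no
// host/authority part and an absolute path, or when it is a "~/" virtual path.
public static class ReturnUrlGuard
{
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;

        // Absolute path "/..." but not "//host" (protocol-relative) or "/\host",
        // both of which browsers resolve to a different authority.
        if (url[0] == '/')
        {
            if (url.Length == 1)
                return true;
            return url[1] != '/' && url[1] != '\\';
        }

        // Virtual path "~/..." with the same protection against "~//host".
        if (url[0] == '~' && url.Length > 1 && url[1] == '/')
        {
            if (url.Length == 2)
                return true;
            return url[2] != '/' && url[2] != '\\';
        }

        // Anything else ("http://...", "evil.example", "%2FHome...") is not local.
        return false;
    }

    // Where to send the user after login: the requested returnUrl if it is
    // local, otherwise the application's own default page (never the raw value).
    public static string SafeRedirectTarget(string returnUrl, string fallback = "/")
    {
        return IsLocalUrl(returnUrl) ? returnUrl : fallback;
    }

    // Diagnostic for the double-encoding case in the question: a value that
    // becomes local only after one decode was encoded one time too many.
    public static bool IsLocalAfterOneDecode(string url)
    {
        return !IsLocalUrl(url) && IsLocalUrl(WebUtility.UrlDecode(url));
    }

    public static void Main()
    {
        // Constructed sample inputs; the first two are the values from the question.
        var samples = new List<string>
        {
            "/Home/Overview",
            "%2FHome%2FOverview",
            "http://blackHatHackerWebsite.com",
            "//evil.example/Home/Overview",
            "/\\evil.example",
            "~/Home/Overview",
            "",
        };

        foreach (var s in samples)
        {
            Console.WriteLine("{0,-36} local={1,-5} doubleEncoded={2,-5} target={3}",
                "\"" + s + "\"",
                IsLocalUrl(s),
                IsLocalAfterOneDecode(s),
                SafeRedirectTarget(s, "/Home/Index"));
        }
    }
}
```

In a real controller the same pattern is `return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : RedirectToAction("Index", "Home");`. The decode helper is for diagnosing where the extra encode happens; fix that encode at its source rather than decoding the parameter server-side, because a second decode before the check can turn an encoded external URL back into an absolute one and reopen the redirect.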