Secure .Net Core applications from the Open Redirect attacks: .Net Core security Part IV


You can find all my .Net Core posts here.

In this series of posts, we will see how to secure your .Net Core applications.

In this post, we will see how to secure your .Net Core application from the Open Redirect attack.

What is Open Redirection attack?

An Open Redirection attack abuses a URL redirection. It is a vulnerability in which the site redirects the user to an arbitrary page outside the original website, based on a URL it was handed, and it is usually combined with a phishing attack.

In simple words:

  • For example, you visit a page of a site that you cannot access without logging in, i.e. http://www.exampleposts.com/FeaturedPosts
  • So the site redirects you to the login page first
  • Once you log in, the site builds a redirect URL that looks somewhat similar to this: http://www.exampleposts.com/FeaturedPosts/Login?returnUrl=www.exapleposts.com/FeaturedPosts (notice exapleposts.com instead of exampleposts.com)
  • As you can see above, a malicious party can tamper with the returnUrl parameter in between, and the redirect target changes
  • This redirects the user to a malicious site which looks almost identical to the original site
  • For example, the user gets an email with a malicious link (as explained above) to log in to a site, and when the user logs in, the user is redirected to the malicious site
  • The malicious site may ask the user to enter the credentials again by showing an "Incorrect password" message, and when the user enters the credentials again, the attacker has them

How to prevent this?

  • To prevent this, we need to check, at the point where the redirect is issued, whether the target URL is local or not
  • If a controller redirects to any other page, we need to check whether the target is a local URL or a malicious site

How to prevent this in .Net Core

There are 2 ways in .Net Core to prevent this attack

Using IsLocalUrl

  • This method is under the namespace Microsoft.AspNetCore.Mvc and it returns a value that indicates whether the URL is local or not
  • It returns true for local URLs and false for non-local

Sample:


private IActionResult UrlRedirect(string returnUrl)
{
    // Only follow the redirect if the URL points back into this application
    if (Url.IsLocalUrl(returnUrl))
    {
        return Redirect(returnUrl);
    }
    else
    {
        // Also log returnUrl so that we have more details about the rejected redirect
        return RedirectToAction("Error", "Home");
    }
}

Using LocalRedirect

  • This is a helper method and it is under the namespace Microsoft.AspNetCore.Mvc
  • LocalRedirect throws an exception if the URL is not local (for example, if it points at a malicious site)
  • If the URL is local, it behaves just like the Redirect method

Sample:


public IActionResult UrlRedirect(string redirectUrl)
{
    // Throws if redirectUrl is not local; otherwise redirects just like Redirect()
    return LocalRedirect(redirectUrl);
}
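Both IsLocalUrl and LocalRedirect decide on the same question: does the URL stay inside this application? The following is an added example, not code from the original post or from ASP.NET Core itself. It re-implements that "is it local?" rule as a stand-alone console program so you can see which shapes of returnUrl are accepted and which are rejected without running a web host. The assumption is that the rule written here (leading "/" or "~/", but not "//" or "/\", and no control characters) matches the framework's check; treat it as illustrative, and keep using Url.IsLocalUrl or LocalRedirect in real controllers. The sample URLs are constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;

// Added example: a stand-alone re-implementation of the local-URL rule that
// Url.IsLocalUrl and LocalRedirect apply. Assumption: it mirrors the framework's
// behaviour; it is not the framework's own code.
public static class LocalUrlCheck
{
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;

        // "/" or "/path" is local; "//host" and "/\host" are protocol-relative
        // (browsers treat "\" like "/") and would leave the site, so they are rejected.
        if (url[0] == '/')
        {
            if (url.Length == 1)
                return true;
            if (url[1] != '/' && url[1] != '\\')
                return !HasControlCharacter(url.AsSpan(1));
            return false;
        }

        // "~/" or "~/path" is app-relative and local; "~//host" and "~/\host" are not.
        if (url[0] == '~' && url.Length > 1 && url[1] == '/')
        {
            if (url.Length == 2)
                return true;
            if (url[2] != '/' && url[2] != '\\')
                return !HasControlCharacter(url.AsSpan(2));
            return false;
        }

        // Everything else (absolute URLs, bare host names, other schemes) is rejected.
        return false;
    }

    // A tab or newline smuggled into the URL could be interpreted differently by a
    // browser or proxy than by this check, so control characters are rejected too.
    private static bool HasControlCharacter(ReadOnlySpan<char> span)
    {
        foreach (char c in span)
        {
            if (char.IsControl(c))
                return true;
        }
        return false;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample returnUrl values, not taken from any real request.
        var samples = new List<string>
        {
            "/FeaturedPosts",                            // local path: accepted
            "~/FeaturedPosts",                           // app-relative path: accepted
            "/",                                         // site root: accepted
            "//www.exapleposts.com/FeaturedPosts",       // protocol-relative: rejected
            "/\\www.exapleposts.com/FeaturedPosts",      // backslash variant: rejected
            "http://www.exapleposts.com/FeaturedPosts",  // absolute URL: rejected
            "www.exapleposts.com/FeaturedPosts",         // the post's tampered value: rejected
            "/Featured\tPosts",                          // control character: rejected
            "",                                          // empty: rejected
        };

        foreach (var url in samples)
        {
            var verdict = LocalUrlCheck.IsLocalUrl(url)
                ? "redirect"
                : "reject: send to a safe page and log the value";
            Console.WriteLine($"{url,-45} -> {verdict}");
        }
    }
}
```

When a value is rejected, the action should not try to "fix" the URL (for example by stripping the host); fall back to a fixed safe page as in the post's sample and log the rejected value, since a cluster of rejected returnUrl values pointing at the same look-alike host is a useful phishing-campaign signal.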

Hope it helps.
