Ehsan Ghanbari

Experience, DotNet, Solutions

Open redirection attack in asp.net MVC

In the simplest definition, any web application that redirects to a URL taken from the request (for example a querystring parameter) can be tampered with by an attacker so that it sends the user to an external, malicious URL. This is called an open redirection attack. In ASP.NET MVC, on the server side, you can use the following HTML helper to check whether the requested URL is local or not:

```csharp
using System;
using System.Web;
using System.Web.Mvc;

public static class UrlHelperExtensions
{
    // Returns true only when the supplied URL points back at the current site.
    public static bool IsLocalUrl(this HtmlHelper htmlHelper, string url)
    {
        var request = HttpContext.Current.Request;

        if (string.IsNullOrEmpty(url))
        {
            return false;
        }

        Uri absoluteUri;
        if (Uri.TryCreate(url, UriKind.Absolute, out absoluteUri))
        {
            // Absolute URL: local only if its host matches the host of the request.
            return String.Equals(request.Url.Host, absoluteUri.Host,
                                 StringComparison.OrdinalIgnoreCase);
        }
        else
        {
            // Protocol-relative ("//evil.example") and backslash ("/\evil.example")
            // forms are not absolute URIs, but browsers resolve them to another host.
            if (url.StartsWith("//") || url.StartsWith("/\\"))
            {
                return false;
            }

            bool isLocal = !url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)
                && !url.StartsWith("https:", StringComparison.OrdinalIgnoreCase)
                && Uri.IsWellFormedUriString(url, UriKind.Relative);
            return isLocal;
        }
    }
}
```

You can create your own function in JavaScript too, but I think the server-side one is safer!
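As an added illustration (not code from the original post), the same decision logic ported to Python and run over constructed returnUrl values: a check that trusts anything the absolute-URI parser rejects lets protocol-relative and backslash forms through, while the single-leading-slash rule rejects them. The request host is an assumed value.

```python
from urllib.parse import urlsplit

# Constructed: host of the site receiving the request (assumed value).
REQUEST_HOST = "www.example.com"


def naive_is_local(url, request_host=REQUEST_HOST):
    """Absolute URL: local when its host matches; anything else is local
    as long as it does not start with http: or https:."""
    if not url:
        return False
    parts = urlsplit(url)
    if parts.scheme:  # parsed as an absolute URI
        return (parts.hostname or "").lower() == request_host.lower()
    return not url.lower().startswith(("http:", "https:"))


def hardened_is_local(url, request_host=REQUEST_HOST):
    """Same intent, plus: only http(s) hosts count, and scheme-less input must be
    a plain path starting with one '/' (not '//' or '/\\', which browsers resolve elsewhere)."""
    if not url:
        return False
    parts = urlsplit(url)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return False
        return (parts.hostname or "").lower() == request_host.lower()
    if url[0] != "/":
        return False
    return len(url) == 1 or url[1] not in ("/", "\\")


# Constructed sample values for a returnUrl parameter.
SAMPLES = [
    "/account/profile?tab=1",
    "https://www.example.com/home",
    "https://evil.example/",
    "//evil.example/phish",
    "/\\evil.example/phish",
    " //evil.example",
    "javascript:alert(1)",
    "",
]


def bypasses(samples=SAMPLES):
    """Values the naive check would redirect to but the hardened one rejects."""
    return [u for u in samples if naive_is_local(u) and not hardened_is_local(u)]
```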
