Cultivating Programming Habits That Pass Source-Code Security Vulnerability Scans (17): OPEN_REDIRECT

Open redirect (OPEN_REDIRECT)
sink: Calling Redirect. This call passes the tainted data,
.......
(The virtual call resolves to System.Web.Mvc.Controller.Redirect(System.String).)

Open redirect (used in phishing attacks): during the page redirect, the application never verifies that the destination URL is safe.


Before

public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
    // [perform auth logic]

    // Sink: returnUrl comes straight from the request and is never validated
    return this.Redirect(returnUrl);
}

After

public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
    // [perform auth logic]

    // Only follow returnUrl when it is a local path on this site
    if (Url.IsLocalUrl(returnUrl))
    {
        return this.Redirect(returnUrl);
    }
    else
    {
        // Anything else (absolute or protocol-relative URL) falls back to a fixed page
        return RedirectToAction("Index", "Home");
    }
}

Generally, besides verifying that the target is a local path (not an absolute URL), which ensures an attacker cannot redirect users to a malicious external domain, you can strengthen the validation by also confirming that the value parses as a relative URI (not an absolute one), as shown below.
After 2

Uri targetUri = null;

// Only accept a value that parses as a relative URI; an absolute URL such as
// "https://evil.example/" fails this check
if (Uri.TryCreate(Request.QueryString["ReturnUrl"], UriKind.Relative, out targetUri))
{
    Response.Redirect(targetUri.ToString());
}
else
{
    Response.Redirect("~/default.aspx");
}
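To show how the two checks above fit together, here is an added example (not the post's code, and not the framework's own Url.IsLocalUrl, which needs an HttpContext): a stand-alone validator that mirrors the documented IsLocalUrl rules, adds the Uri.TryCreate relative check, and runs over a few constructed return URLs. The class, method and sample values are all assumed for the example.

```csharp
using System;
using System.Collections.Generic;

// Constructed example: a stand-alone equivalent of Url.IsLocalUrl plus the
// Uri.TryCreate(UriKind.Relative) check recommended in the post.
static class ReturnUrlValidator
{
    // Safe fallback used whenever the supplied returnUrl is rejected.
    public const string DefaultTarget = "/Home/Index";

    // True only for same-site, path-only targets such as "/Account/Profile?tab=1".
    public static bool IsSafeLocalRedirect(string returnUrl)
    {
        if (string.IsNullOrWhiteSpace(returnUrl))
            return false;

        // Must be a rooted path: one leading '/' or app-relative "~/".
        // "//evil.example" and "/\evil.example" are protocol-relative and
        // resolve off-site in browsers, so a second '/' or '\' is rejected.
        bool rooted =
            (returnUrl[0] == '/' && (returnUrl.Length == 1 ||
                (returnUrl[1] != '/' && returnUrl[1] != '\\'))) ||
            (returnUrl.StartsWith("~/", StringComparison.Ordinal) && (returnUrl.Length == 2 ||
                (returnUrl[2] != '/' && returnUrl[2] != '\\')));
        if (!rooted)
            return false;

        // Second layer from the post: the value must parse as a relative URI.
        if (!Uri.TryCreate(returnUrl, UriKind.Relative, out _))
            return false;

        // Control characters could corrupt the Location header; reject them.
        foreach (char c in returnUrl)
            if (c < ' ' || c == '\x7f')
                return false;

        return true;
    }

    public static string ChooseTarget(string returnUrl) =>
        IsSafeLocalRedirect(returnUrl) ? returnUrl : DefaultTarget;

    static void Main()
    {
        // Constructed inputs: the first two pass, the rest fall back to DefaultTarget.
        var samples = new List<string>
        {
            "/Account/Profile?tab=security", "~/Orders/42",
            "https://evil.example/phish", "//evil.example/phish",
            "/\\evil.example", "javascript:alert(1)", ""
        };
        foreach (var s in samples)
            Console.WriteLine($"{s,-34} -> {ChooseTarget(s)}");
    }
}
```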


Ref:
HTTP request redirections should not be open to forging attacks
SEC0109 - UNVALIDATED MVC REDIRECT

https://learn.microsoft.com/zh-tw/aspnet/mvc/overview/security/preventing-open-redirection-attacks
https://www.veracode.com/security/dotnet/cwe-601
https://knowledge-base.secureflag.com/vulnerabilities/unvalidated_redirects___forwards/open_redirect__net.html
https://csharp-video-tutorials.blogspot.com/2019/06/open-redirect-vulnerability-example.html
