Coding habits that survive source-code security scanning (17): OPEN_REDIRECT
Open redirect (OPEN_REDIRECT)
sink: Calling Redirect. This call passes the tainted data,
.......
(The virtual call resolves to System.Web.Mvc.Controller.Redirect(System.String).)
Open redirect (phishing): the page performs a redirect without verifying that the target URL is safe, so the user can be sent to any site the attacker chooses.
Before
```csharp
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
    // [perform auth logic]

    // Vulnerable: returnUrl comes straight from the request and is never checked,
    // so an absolute URL such as https://evil.example is followed as-is.
    return this.Redirect(returnUrl);
}
```
After
```csharp
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
    // [perform auth logic]

    // Only follow returnUrl if it is local to this application
    // ("/path" or "~/path", but not "//host" or "/\host").
    if (Url.IsLocalUrl(returnUrl))
    {
        return this.Redirect(returnUrl);
    }
    else
    {
        // Otherwise fall back to a fixed, trusted destination.
        return RedirectToAction("Index", "Home");
    }
}
```
In general, besides checking that the return URL is a local path (not an absolute URL) so that an attacker cannot redirect the user to a malicious external domain, you can add a supplementary check that the value parses as a relative URI (not an absolute one), as in the Web Forms variant below. On its own, though, that parse is a weaker test than Url.IsLocalUrl: a scheme-relative reference such as //evil.example is not an absolute URI, yet a browser resolves it (and its backslash form /\evil.example) to another host, which is exactly why IsLocalUrl rejects any value starting with // or /\. Treat the relative-URI parse as an addition to the local-URL check, not a replacement for it.
After 2
```csharp
Uri targetUri = null;
// Accept the value only if it parses as a relative URI; an absolute URL
// (http://..., https://...) fails this parse and falls through to the default.
if (Uri.TryCreate(Request.QueryString["ReturnUrl"], UriKind.Relative, out targetUri))
{
    Response.Redirect(targetUri.ToString());
}
else
{
    Response.Redirect("~/default.aspx");
}
```
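To make the difference between the two checks concrete, here is an added console example; it is not code from the original post, from ASP.NET, or from any of the referenced pages. `ReturnUrlGuard` re-implements the rule that `Url.IsLocalUrl` applies (only `/...` that does not continue with `/` or `\`, plus `~/...`), places it beside the `UriKind.Relative` parse used in After 2, and runs both over a constructed list of benign and hostile return URLs. The class and method names are hypothetical, as is the sample input.

```csharp
using System;
using System.Collections.Generic;

// Added example (not the original post's or the framework's code).
// ReturnUrlGuard re-implements the same rule that System.Web.Mvc's
// Url.IsLocalUrl applies, so the decision can be exercised outside a
// web project. All names here are hypothetical.
public static class ReturnUrlGuard
{
    // Accept only "/", "/path..." (but not "//..." or "/\...") and "~/...".
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;

        if (url[0] == '/')
        {
            // "/" alone is fine. "//host" is a scheme-relative reference and
            // "/\host" is normalised by browsers to the same thing, so both
            // would leave the current origin.
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        }

        // Application-relative "~/..." is resolved by ASP.NET, never off-site.
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // The check used in "After 2": does the string parse as a relative URI?
    // Note that this never looks at the host a browser would resolve to.
    public static bool IsRelativeUri(string url)
    {
        return Uri.TryCreate(url, UriKind.Relative, out _);
    }

    // The decision the Login action makes: follow returnUrl only when it is
    // local, otherwise go to the fixed fallback.
    public static string ResolveRedirect(string returnUrl, string fallback)
    {
        return IsLocalUrl(returnUrl) ? returnUrl : fallback;
    }

    public static void Main()
    {
        // Constructed sample return URLs, both benign and hostile.
        var candidates = new List<string>
        {
            "/Account/Manage",
            "/",
            "~/Orders?id=42",
            "https://evil.example/login",
            "http://evil.example",
            "//evil.example/phish",
            "/\\evil.example/phish",
            "javascript:alert(1)",
            "Account/Manage",
            "",
        };

        Console.WriteLine("{0,-28} {1,-7} {2,-10} {3}",
            "returnUrl", "local?", "relative?", "redirect to");
        foreach (var url in candidates)
        {
            Console.WriteLine("{0,-28} {1,-7} {2,-10} {3}",
                url, IsLocalUrl(url), IsRelativeUri(url),
                ResolveRedirect(url, "/Home/Index"));
        }
    }
}
```

Build it as a plain console project and compare the two columns: the absolute `http(s)://` entries fail both checks, but `//evil.example/phish` and `/\evil.example/phish` are rejected only by the local-URL rule. Whatever the runtime's Uri parser reports for those two in the `relative?` column, that parse says nothing about which host the browser will land on, which is why the local check is the one the redirect decision must rest on. The rule also rejects `Account/Manage` (no leading slash), so a site that relies on such paths must normalise them before the check rather than loosen the check.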
Ref:
HTTP request redirections should not be open to forging attacks
SEC0109 - UNVALIDATED MVC REDIRECT
https://learn.microsoft.com/zh-tw/aspnet/mvc/overview/security/preventing-open-redirection-attacks
https://www.veracode.com/security/dotnet/cwe-601
https://knowledge-base.secureflag.com/vulnerabilities/unvalidated_redirects___forwards/open_redirect__net.html
https://csharp-video-tutorials.blogspot.com/2019/06/open-redirect-vulnerability-example.html