Saturday, 9 March 2013

Is this a safe way to do .NET server redirects? (and deal with A10: Unvalidated Redirects and Forwards)

The objective is to prevent A10: Unvalidated Redirects and Forwards in TeamMentor (version 3.3 had an issue with it)

Here is the code that does the redirection based on user input (the LoginReferer parameter):


Here is the Unit test that checks for redirects that should occur:


Here is the Unit Test that checks for redirects that should fail:
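The redirect validator and the two sets of unit-test inputs described above (targets that should redirect, targets that should fail), as an added example in C#; this is not TeamMentor's own code and all URLs in it are constructed for illustration. The approach it takes is to accept only path-only, same-site targets (a single leading "/", no host, scheme, backslash, "@" or line break, decoded once before checking) so that a value such as "//evil.example" or "/%2F%2Fevil.example" is rejected, and it adds an optional exact-path allowlist as a stricter variant:

```csharp
using System;
using System.Collections.Generic;

// Added example (not TeamMentor's code): validates a user-supplied redirect
// target such as the LoginReferer parameter before it reaches Response.Redirect.
public static class SafeRedirect
{
    // Sequences that smuggle a host or scheme into a value that otherwise looks
    // like a local path ("//host", "/\host", "http:", "user@host"), plus control
    // characters that could split the Location header.
    private static readonly string[] Forbidden = { "//", "\\", ":", "@", "\r", "\n", "\t", "\0" };

    // True only for a path-only, same-site target such as "/Home" or "/Article/123?view=full".
    public static bool IsSafeLocalTarget(string target)
    {
        if (string.IsNullOrWhiteSpace(target)) return false;

        // Decode once so "%2F%2Fevil.example" does not bypass the "//" check.
        string decoded = Uri.UnescapeDataString(target);

        // Local targets start with exactly one "/" (the "//" case is caught below).
        if (!decoded.StartsWith("/", StringComparison.Ordinal)) return false;

        foreach (string f in Forbidden)
            if (decoded.Contains(f)) return false;

        // Do not allow the path to climb out of the site root.
        if (decoded.Contains("..")) return false;

        return true;
    }

    // Stricter variant: accept only an exact allowlist of known paths (query string ignored).
    public static bool IsAllowlistedTarget(string target, ISet<string> allowedPaths)
    {
        if (!IsSafeLocalTarget(target)) return false;
        string path = Uri.UnescapeDataString(target).Split('?')[0];
        return allowedPaths.Contains(path);
    }

    // Returns the value to hand to Response.Redirect, or the fallback when the target is unsafe.
    public static string Resolve(string target, string fallback = "/")
    {
        return IsSafeLocalTarget(target) ? Uri.UnescapeDataString(target) : fallback;
    }
}

public static class SafeRedirectChecks
{
    // Constructed inputs: redirects that should occur.
    private static readonly string[] ShouldRedirect =
    {
        "/", "/Home", "/Article/123", "/Search?q=xss", "/Library/Index.aspx"
    };

    // Constructed inputs: redirects that should fail.
    private static readonly string[] ShouldFail =
    {
        null, "", "   ",
        "http://evil.example", "https://evil.example/login",
        "//evil.example", "/\\evil.example", "/%2F%2Fevil.example",
        "javascript:alert(1)", "/%0D%0ASet-Cookie:x=y",
        "/..//..//evil.example", "/@evil.example", "Home"
    };

    public static void Main()
    {
        foreach (string t in ShouldRedirect)
            if (!SafeRedirect.IsSafeLocalTarget(t))
                throw new Exception("expected to be allowed: " + t);

        foreach (string t in ShouldFail)
            if (SafeRedirect.IsSafeLocalTarget(t))
                throw new Exception("expected to be rejected: " + t);

        var allowed = new HashSet<string> { "/", "/Home", "/Library/Index.aspx" };
        if (!SafeRedirect.IsAllowlistedTarget("/Home?tab=1", allowed))
            throw new Exception("allowlist should accept /Home");
        if (SafeRedirect.IsAllowlistedTarget("/Article/123", allowed))
            throw new Exception("allowlist should reject /Article/123");

        Console.WriteLine("all redirect checks passed");
    }
}
```

In a page handler this would be used as `Response.Redirect(SafeRedirect.Resolve(Request["LoginReferer"]))`. Two design points: the check is a positive one (the value must look like a local path) rather than a blocklist of external hosts, because a browser treats a scheme-relative value such as "//evil.example" as an absolute URL even though it contains no scheme; and rejecting ":" is deliberately conservative, so a legitimate query value containing a colon would also be sent to the fallback, which is the safer failure mode for a login redirect.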


A test to write next is to use FuzzDB strings (or maybe some from ESAPI or ESTAPI) in order to increase coverage.

On that topic, is there a list of use cases that this function should pass in order to make it 'secure'?

Note: the source files are on TeamMentor’s public GitHub repository

1 comment:

Arvind said...

This looks like it cuts out all third party sites and forces it to relative URLs. So that's good.

The only thing I'd be concerned about is a "malicious relative URL". As in, if a vuln is found elsewhere on the site, say via SQLi, and a page is uploaded somewhere, and then this URL is tweaked to point users to that...

Is whitelisting of the exact URLs you need becoming too big a pain?