Saturday, 9 March 2013

Is this a safe way to do a .NET Server Redirects? (and deal with A10: Unvalidated Redirects and Forwards)

The objective is to prevent A10: Unvalidated Redirects and Forwards in TeamMentor (version 3.3 had an issue with it)

Here is the code that does the redirection from user import (LoginReferer parameter):


Here is the Unit test that checks for redirects that should occur:


Here is the Unit Test that checks for redirects that should fail:


A test to write next is to use FuzzDB strings (or maybe some from ESAPI or ESTAPI) in order to increase coverage.

On that topic, is there a list of Use Cases that this function should pass? (in order to make it as 'secure'?)

Note: the source files are on TeamMentor’s public GitHub repository