Could ASP.NET MVC prevent the Open Redirect security issue?


I read someone's ASP.NET MVC code, as follows:

    [HttpGet]
    public ActionResult Move(string url)
    {
        // Encodes the user-supplied value and redirects to it without any validation
        return Redirect(HttpUtility.UrlEncode(url));
    }

I am afraid the code above could cause the Open Redirect security problem, because the "url" comes from the user's input and is never filtered/protected....

So the url could be something like "www.hackersite.com", which would be dangerous...

But someone told me that the ASP.NET MVC framework could prevent the issue by means of the framework itself. I am not sure how to do that....?

Best answer


It doesn't matter exactly which technology you're using. To prevent Open Redirection you simply have to follow the OWASP guidelines. Normally there are two different cases of site redirection:

1. You have to redirect the user as part of a process (as in redirecting to Home.aspx after a successful login).
2. There is a link on the website that the user can change and click on (as in a Facebook post where someone posted a link to some external website).

In both cases the mitigation could be different.

For case #1: You'll have to make sure that the URL is a local URL, i.e. in the same web app's domain. Otherwise redirect to another page, e.g. your Index.

    if (Url.IsLocalUrl(returnPath))
        return Redirect(returnPath);
    else
        return RedirectToAction("Index", "Home");

For case #2:

You may need to check first if the URL is local or not. If it's not you'll have to redirect the user to a webpage and ask for his confirmation that he will be redirected to another domain.

You can find more info here: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
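The two cases from the answer, written out as one controller (an added example, not code from the question or the answer). It assumes System.Web.Mvc from ASP.NET MVC 3 or later, where UrlHelper.IsLocalUrl rejects absolute URLs as well as the protocol-relative "//host" and "/\host" forms and returns false for a null or empty value; the action names, the "ConfirmLeave" view and the parameter names are hypothetical.

```csharp
using System;
using System.Web.Mvc;

// Added example (not from the original post). Assumes ASP.NET MVC 3+
// (System.Web.Mvc), whose UrlHelper.IsLocalUrl returns false for null/empty
// input, absolute URLs, and the "//host" and "/\host" bypass forms.
public class RedirectController : Controller
{
    // Case #1: a redirect that is part of a process (e.g. the returnUrl
    // after login). Only a local path is honoured; anything else falls
    // back to the home page instead of leaving the site.
    [HttpGet]
    public ActionResult Move(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }

    // Case #2: a user-supplied link that may legitimately point off-site.
    // Local targets are followed directly; external ones are shown on an
    // interstitial page that names the destination and asks for confirmation.
    [HttpGet]
    public ActionResult Leave(string url)
    {
        if (Url.IsLocalUrl(url))
        {
            return Redirect(url);
        }

        // Only well-formed absolute http/https URLs reach the confirmation
        // page; javascript:, data: and malformed values are dropped.
        Uri target;
        if (!Uri.TryCreate(url, UriKind.Absolute, out target)
            || (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps))
        {
            return RedirectToAction("Index", "Home");
        }

        // Hypothetical view "ConfirmLeave": renders the destination as text
        // and a link the user must click to continue.
        return View("ConfirmLeave", model: target.AbsoluteUri);
    }
}
```

Note that the encoding in the question's snippet is not a validation step: UrlEncode turns the entire value into a single relative path segment, so it breaks legitimate targets without expressing any policy about where the user may be sent. The policy has to be explicit, as in the IsLocalUrl check for case #1 and the confirmation page for case #2.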
