Could ASP.NET MVC prevent the Open Redirect security issue?


I read someone's MVC code, as follows:

[HttpGet]
public ActionResult Move(string url)
{
    // Encoding the target does nothing to stop the redirect itself
    return Redirect(HttpUtility.UrlEncode(url));
}

I am afraid the code above could cause the Open Redirect security problem, because the "url" comes from user input and is never filtered/protected....

So the url could be some "", which would be dangerous...

But someone told me that the MVC framework could prevent the issue on its own. I am not sure how to do that....?



It doesn't matter which technology exactly you're using. For preventing Open Redirection you'll simply have to follow the OWASP guidelines. Normally there are two different cases in site redirection:

1. If you should redirect the user as part of the process (as in, after a successful login, redirect to Home.aspx).
2. If there's a link on the website that the user can change and click on (as in a Facebook post where someone posted a link to some external website).

In both cases the mitigation could be different.

For case #1: You'll have to make sure that the URL is a local URL, i.e. in the same web app's domain. Otherwise redirect to another page, e.g. your Index.

if (Url.IsLocalUrl(returnPath))
    return Redirect(returnPath);
else
    return RedirectToAction("Index", "Home");

For case #2:

You may need to check first whether the URL is local or not. If it's not, you'll have to redirect the user to a webpage and ask for his confirmation that he will be redirected to another domain.

You can find more info here:
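Putting both cases of the answer into one action, as an added example that is not part of the original question or answer: the controller, the action name `Move`, the view name `ConfirmRedirect` and the `ExternalRedirectModel` class are all names assumed for this example. `Url.IsLocalUrl` and `RedirectToAction` are the real System.Web.Mvc helpers the answer refers to.

```csharp
using System;
using System.Web.Mvc;

// Added example, not code from the question or the answer above.
// View model for the interstitial page shown before leaving the site
// (assumed name; the page does not define one).
public class ExternalRedirectModel
{
    public string Target { get; set; }
    public string Host { get; set; }
}

public class NavigationController : Controller
{
    // Case #1: a redirect that is part of a process (e.g. returnUrl after login)
    // must stay on this site. Url.IsLocalUrl accepts "/path" and "~/path" only;
    // absolute URLs, "//evil.example" and "/\evil.example" are rejected.
    [HttpGet]
    public ActionResult Move(string url)
    {
        if (string.IsNullOrEmpty(url))
            return RedirectToAction("Index", "Home");

        if (Url.IsLocalUrl(url))
            return Redirect(url);

        // Case #2: a user-supplied external link. Never redirect silently;
        // parse it, allow only http/https, and show a confirmation page
        // that names the destination host so the user can decide.
        Uri target;
        if (!Uri.TryCreate(url, UriKind.Absolute, out target)
            || (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps))
        {
            // Not a usable web address (e.g. javascript:, data:, or garbage): fall back home
            return RedirectToAction("Index", "Home");
        }

        var model = new ExternalRedirectModel
        {
            Target = target.AbsoluteUri,
            Host = target.Host
        };
        // The ConfirmRedirect view (assumed) renders Host and a plain link to Target;
        // the redirect happens only when the user clicks that link.
        return View("ConfirmRedirect", model);
    }
}
```

Note that `HttpUtility.UrlEncode`, as used in the question, is not a mitigation: an encoded absolute URL is still an absolute URL once the browser follows the `Location` header. The local-URL check is what closes the open redirect; the interstitial page covers the case where leaving the site is genuinely intended.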