Open Redirection:-

Any web application that redirects to a URL specified by the request (for example in a query-string parameter such as returnUrl, or in form data) can be tampered with so that users are sent to an external, attacker-controlled URL. This is called an Open Redirection attack. It is mostly used for phishing: the victim clicks a link that really points at the trusted site, logs in there, and is then bounced to a look-alike page on the attacker's domain, where a second "login" prompt harvests the credentials.

This issue is fixed in the Internet project template starting with MVC 3, which introduced the Url.IsLocalUrl helper. Microsoft also provides guidance for fixing it in MVC 1 and MVC 2 applications, where the same check has to be added by hand.

Solution:

The code below is taken from the sample MVC application created with the Internet project template. Notice that every redirect to a request-supplied URL goes through a check that the target is local to the application. MVC's Url helper provides the IsLocalUrl method, which returns true only for application-relative URLs (paths starting with "/" or "~/") and false for anything else, including absolute URLs to other hosts. Routing the redirect through this check, and falling back to a fixed page when it fails, avoids the Open Redirection attack. The check must be applied wherever a request-supplied URL is used as a redirect target, not only in the login action.

Controller:

    using System.Web.Mvc;
    using WebMatrix.WebData;   // WebSecurity (SimpleMembership)

    public class AccountController : Controller
    {
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public ActionResult Login(LoginModel model, string returnUrl)
        {
            if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
            {
                // returnUrl comes straight from the request, so it is never
                // passed to Redirect() directly; it goes through RedirectToLocal.
                return RedirectToLocal(returnUrl);
            }

            // If we got this far, something failed, redisplay form
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View(model);
        }

        private ActionResult RedirectToLocal(string returnUrl)
        {
            // Url.IsLocalUrl accepts only application-relative paths ("/..." or "~/...").
            // Absolute URLs and protocol-relative ones ("//host/...") fail the check
            // and fall through to a fixed, safe destination.
            if (Url.IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }
            else
            {
                return RedirectToAction("Index", "Home");
            }
        }
    }
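To see exactly which returnUrl values the check above lets through, here is an added, stand-alone example (not code from the page or from Microsoft's template). It re-implements the rule that Url.IsLocalUrl applies, so it can be run as a plain console program with no web project, and the same helper is what you would add to an MVC 1 or MVC 2 application that has no Url.IsLocalUrl of its own. The method names LocalUrlCheck.IsLocalUrl and SafeRedirectTarget, the fallback path "/Home/Index" and the probe URLs are all assumptions made for the example; the claim that the rule matches the framework helper exactly is also an assumption, so on MVC 3 or later prefer the built-in Url.IsLocalUrl.

```csharp
using System;
using System.Collections.Generic;

// Added example: a stand-alone re-implementation of the local-URL rule used
// by ASP.NET MVC's Url.IsLocalUrl, exercised against attacker-style inputs.
// Names, fallback path and probe values are assumptions for the example.
static class LocalUrlCheck
{
    // A URL is treated as local only when it is a path relative to this
    // application: it starts with a single "/" (but not "//" or "/\", which
    // browsers interpret as protocol-relative URLs to another host) or with
    // "~/". Absolute URLs, "javascript:" strings and empty input are rejected.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;

        if (url[0] == '/')
        {
            // "/" alone is the application root.
            if (url.Length == 1)
                return true;
            // "//host/..." and "/\host/..." are NOT local.
            return url[1] != '/' && url[1] != '\\';
        }

        // "~/" is the application-relative form that Url.Content resolves.
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // Mirrors the template's RedirectToLocal decision: the validated
    // return URL, or a fixed safe default when validation fails.
    public static string SafeRedirectTarget(string returnUrl, string fallback = "/Home/Index")
    {
        return IsLocalUrl(returnUrl) ? returnUrl : fallback;
    }

    static void Main()
    {
        // Constructed inputs of the kind an attacker places in ?returnUrl=...
        // (hypothetical hosts), paired with the classification we expect.
        var probes = new Dictionary<string, bool>
        {
            { "/Account/Manage", true },
            { "/", true },
            { "~/Orders?id=7", true },
            { "http://evil.example/login", false },
            { "https://evil.example", false },
            { "//evil.example/login", false },   // protocol-relative: leaves the site
            { "/\\evil.example", false },        // browsers normalise "\" to "/"
            { "javascript:alert(1)", false },
            { "", false },
        };

        bool allOk = true;
        foreach (var probe in probes)
        {
            bool local = IsLocalUrl(probe.Key);
            allOk &= local == probe.Value;
            Console.WriteLine("{0,-30} local={1,-5} -> redirect to {2}",
                "\"" + probe.Key + "\"", local, SafeRedirectTarget(probe.Key));
        }
        Console.WriteLine(allOk ? "all probes classified as expected" : "MISMATCH");
    }
}
```

The two rejected slash forms are the ones people most often miss when writing this check by hand: "//evil.example" and "/\evil.example" both begin with "/" yet are resolved by browsers as absolute URLs to another host, so a check that only tests StartsWith("/") is still an open redirect. The default branch (redirect to a fixed page rather than returning an error) keeps the login flow working for users who arrived with a malformed or missing returnUrl.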