Preventing an 'Open Redirect' exploit on C# Web Forms Application -
The code looks like the following. Apparent offending code:

```csharp
using System;
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;

// Only letters, digits and underscore are accepted for the userId value.
readonly Regex alphanumericRegex = new Regex("^[a-zA-Z0-9_]*$");
private const string UserName = "bitzleon";

protected void Page_PreInit(object sender, EventArgs e)
{
    // If the request arrived without a userId, rebuild the current URL with it and redirect.
    if (HttpContext.Current.Request.QueryString.Get("userId") == null)
    {
        UriBuilder uriBuilder = new UriBuilder(Request.Url);
        NameValueCollection query = HttpUtility.ParseQueryString(uriBuilder.Query);
        query["userId"] = UserName;
        uriBuilder.Query = query.ToString();

        // Check 1: the value is alphanumeric. Check 2: the target stays on this host.
        if (alphanumericRegex.IsMatch(query["userId"]) && IsLocalUrl(uriBuilder.ToString()))
        {
            Response.Redirect(uriBuilder.ToString());
        }
    }
}
```
The line `Response.Redirect(uriBuilder.ToString());` is throwing an error in Veracode scans. I'm running 2 checks to ensure the redirect is valid and internal.

Firstly, the query needs to be alpha-numeric; the regex takes care of that. Secondly, the URL being redirected to must be local only. The method I'm using to validate the URL follows:

```csharp
public bool IsLocalUrl(string url)
{
    if (string.IsNullOrEmpty(url))
    {
        return false;
    }

    // Absolute URL: accept only if its host matches the host of the current request.
    Uri absoluteUri;
    if (Uri.TryCreate(url, UriKind.Absolute, out absoluteUri))
    {
        return string.Equals(Request.Url.Host, absoluteUri.Host, StringComparison.OrdinalIgnoreCase);
    }

    // Otherwise accept a well-formed relative URL that does not start with http: or https:.
    bool isLocal = !url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)
        && !url.StartsWith("https:", StringComparison.OrdinalIgnoreCase)
        && Uri.IsWellFormedUriString(url, UriKind.Relative);
    return isLocal;
}
```
But Veracode still doesn't think these fixes are enough to ensure the hardcoded redirect is validated sufficiently.

This is the page it takes me to when showing examples of how the attack works.

I'd assume it's a false positive, but it's still affecting the score nevertheless.
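For comparison, here is a stricter local-URL check in the style of ASP.NET MVC's `Url.IsLocalUrl`. It is an added example, not the poster's code; the class name `RedirectTargetValidator` and the `currentHost` parameter are assumptions so the method can be unit-tested outside a page, and an explicit rejection of protocol-relative paths (`//host/...`, `/\host/...`) is added because a relative-URL check alone accepts them.

```csharp
using System;

// Added example (not from the original post): a stricter redirect-target check.
public static class RedirectTargetValidator
{
    // Returns true only for site-relative paths or absolute http(s) URLs on currentHost.
    public static bool IsLocalUrl(string url, string currentHost)
    {
        if (string.IsNullOrWhiteSpace(url))
        {
            return false;
        }

        // Browsers resolve "//host/path" and "/\host/path" against a different host,
        // so they must be rejected before any relative-URL check is applied.
        if (url.StartsWith("//", StringComparison.Ordinal) ||
            url.StartsWith("/\\", StringComparison.Ordinal))
        {
            return false;
        }

        // A single leading slash is a site-relative path, e.g. "/Default.aspx?userId=bitzleon".
        if (url[0] == '/')
        {
            return Uri.IsWellFormedUriString(url, UriKind.Relative);
        }

        // Absolute URLs must use http or https AND have the expected host.
        // Comparing the host alone would still accept other schemes.
        Uri absolute;
        if (Uri.TryCreate(url, UriKind.Absolute, out absolute))
        {
            bool httpScheme = absolute.Scheme == Uri.UriSchemeHttp ||
                              absolute.Scheme == Uri.UriSchemeHttps;
            return httpScheme &&
                   string.Equals(absolute.Host, currentHost, StringComparison.OrdinalIgnoreCase);
        }

        // Schemeless "host/path", "javascript:" and anything else is rejected.
        return false;
    }
}
```

Pass `currentHost` from configuration (or a fixed constant) rather than `Request.Url.Host`, since the latter is derived from the incoming Host header and would be compared against a URL built from that same header.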