A Web Application that redirects to a specified URL, which is mentioned in the Query String or in a form data can be tampered with by a malicious URLs request. This type of tampered request is called an open redirection attack.
This article explains how the hacker can tamper with the Application control, using a malicious URLs request and how can we prevent such redirection attack from our Web Applications. To prov, how the hacker can redirect from the actual request to the malicious URLs, let's go with either MVC Application or any other Application with Web API services.
To understand the attack, let's say you have one MVC Application called"www.abcdefghijklmnopqrstuvwxyz.com"with a beautiful home page. The attacker will observe your Web Application end to end and he/she will create his/her own phishing Web Application with few very similar pages (for instance login page and home page etc.) with no difference, let's say the phishing Web Application's name is "www.abcdefghijklmopqrstuvwxyz.com". If you observe the hacker's Web Application name, here 'n' is missing. Unless you observe carefully, it is very difficult to notice the difference.
In the actual Application, without the login, when we attempt to visit a controller action that has the [Authorize] attribute, it will redirect to the login view with URL "http://abcdefghijklmnopqrstuvwxyz.com/Account/LogOn". If you successfully logged in, it will redirect to the requested view, even if the controller's action method has [Authorize] attribute. As we know that, here the URL for the actual Web Application's log in page is "http://abcdefghijklmnopqrstuvwxyz.com/Account/LogOn". If we don't validate for the incoming request or the ReturnUrl, the attacker can modify it to perform redirection attack.
http://abcdefghijklmnopqrstuvwxyz.com/Account/LogOn?returnUrl=http://abcdefghijklmopqrstuvwxyz.com/Account/LogOn
If you observe the URL, mentioned above, it returns URL pointing to abcdefghijklmopqrstuvwxyz.com, where “n” is missing from the word abcdefghijklmopqrstuvwxyz. In this example, this is a domain that the attacker controls. When we access the link, mentioned above, it will redirect to the attacker's login page. After retyping the user credentials and submitting the form, the entered credential details will be saved in the attacker's database.
![credential]()
MVC Application's Log In action of AccountController Controller is exhibited.
![code]()
If you observe the code block, mentioned above, we are not validating for "returnUrl" parameter, which causes the redirection attack.
Prevention techniques
We can prevent such types of redirection attacks in multiple ways, as shown below:
Technique #1
If you are using MVC Application with its version > 3, use Uri.IsLocalUri
![code]()
If you are still using MVC with its version <=3, you can prevent such injection, using IsUrlLocalToHost method:
![code]()
Technique #2
We can write our own custom method to validate for incoming URL, as shown below:
![code]()
Technique #3
The best idea is to restrict from the external site's access, using CORS. You can add the code, given below, in the Startup.cs of your MVC Application.
![code]()
In MVC controller, you can add the attribute, as shown below:
![code]()
If you observe the code, mentioned above, http://www.test.com and http://www.ex.com are two external sites which the Application is going to allow. Except these two external sites, if we try with other external sites, the Application will not allow it. Instead, Application will throw an error.
Technique #4
If you are working with Web API, you can follow the steps, given below, to configure and apply CORS.
Step #1:
In your WebApiConfig.cs file, you have to write the highlighted code, given below:
![code]()
Step #2:
In your controller file, you have to add a namespace, as shown below:
![code]()
Step #3:
![code]()
If you observe the code, mentioned above, http://www.sample.com and http://www.exaple.com are the two external sites which the Application is going to allow. Except these two external sites, if we try with other external sites, the Application will not allow it. Instead, Application will throw an error.