V5623. OWASP. Possible open redirect vulnerability. Potentially tainted data is used in the URL.
The analyzer detected a redirect from one resource to another whose target URL comes from an external source and is not validated. An attacker-controlled URL turns such a redirect into an open redirect vulnerability.
Open redirect vulnerabilities belong to the OWASP Top 10 Application Security Risks 2021: A01:2021 Broken Access Control.
Look at the example:
void Foo()
{
    string url = Request.QueryString["redirectUrl"];
    ....
    if (loggedInSuccessfully)
        Response.Redirect(url);
}
In this example, 'url' may contain tainted data since it is obtained from an external source (the query string). The data is used to redirect the client to the address written in 'url'. Such logic makes it easier to steal user data via phishing attacks.
An example of a malicious link:
URL: http://mySite.com/login?redirectUrl=http://attacker.com/
The possible scenario of an attack:
- a user receives a link from an attacker and follows it;
- they land on a website they trust, which asks them to log in. After they enter their login and password, they are redirected to a fake website that looks exactly like the original one;
- the phishing website also asks for a login and password. The user assumes they made a typo and logs in again;
- the attacker who runs the phishing website receives the credentials and then redirects the user to the original website. The user may not even notice that their data was stolen.
The main danger of the open redirect vulnerability is that the link received from the attacker actually redirects to a website the user trusts. So, the victim is most likely to follow it.
To protect against open redirects, check that the redirect target is a local address or an address from an allow list before performing the redirect.
Let's look at how to fix an open redirect vulnerability. Using the 'IsLocalUrl' method of the 'OpenAuth' class from the 'Microsoft.AspNet.Membership.OpenAuth' namespace, you can check whether the address is local:
void Foo()
{
    string url = Request.QueryString["url"];
    if (OpenAuth.IsLocalUrl(url))
        Response.Redirect(url);
    else
        throw ....;
}
The code checks whether the received URL is local. If it is, the redirect is performed; otherwise an exception is thrown and no redirect takes place.
The analyzer also treats parameters of public methods that are accessible from other assemblies as sources of unsafe data. You can read more about this in the article: "Why you should check values of public methods' parameters".
Look at the example:
public class UriHelper
{
    public void ProcessUrlQuery(HttpResponse resp, string url)
    {
        RedirectUrl(url, resp);
    }

    private void RedirectUrl(string redirectUrl, HttpResponse resp)
    {
        resp.Redirect(redirectUrl);
    }
}
The analyzer detects that unsafe data from the 'url' parameter is passed to the 'RedirectUrl' method, where it is used for redirection without being checked.
You can protect against this the same way as described above: validate the URL before passing it on to the method that performs the redirect.
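The following is an added example that serves both fragments above (the 'Response.Redirect' from the query string and the public 'ProcessUrlQuery' parameter). It is not code from the analyzer's documentation and not ASP.NET's own 'IsLocalUrl' implementation; it reimplements the same local-URL rule with plain .NET so it can run as a console program, and adds an allow list of external hosts. The host names, the class name 'SafeRedirect' and the sample inputs are constructed for illustration. The inputs deliberately include the shapes that slip past a naive "starts with '/'" check: scheme-relative "//attacker.com", the backslash variant "/\attacker.com", and a userinfo trick "https://mysite.com@attacker.com".

```csharp
using System;
using System.Collections.Generic;

// Added example (not from the original page): a redirect-target validator.
// Local URLs are accepted by structure; absolute URLs only if their host is
// on a small allow list. Both rules are what the page's fix relies on.
public static class SafeRedirect
{
    // Hypothetical allow list of external hosts this site may send users to.
    private static readonly HashSet<string> TrustedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "mysite.com",
            "sso.mysite.com",
        };

    // A URL is local when it is a path on this site: it starts with exactly
    // one '/' (not "//" or "/\", which browsers treat as scheme-relative and
    // would send the user to another host) or with "~/". Anything with a
    // scheme, including "http://", is not local.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;

        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');

        if (url[0] == '~' && url.Length > 1 && url[1] == '/')
            return url.Length == 2 || (url[2] != '/' && url[2] != '\\');

        return false;
    }

    // Absolute URLs are accepted only when they parse, use http(s) and point
    // at an allow-listed host. System.Uri resolves the userinfo trick for us:
    // for "https://mysite.com@attacker.com/" the Host is "attacker.com".
    public static bool IsTrustedAbsoluteUrl(string url)
    {
        if (!Uri.TryCreate(url, UriKind.Absolute, out Uri uri))
            return false;

        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return false;

        return TrustedHosts.Contains(uri.Host);
    }

    // Returns the requested target when it passes validation, otherwise a safe
    // default. Call this before Response.Redirect, or at the top of a public
    // method such as ProcessUrlQuery before the value reaches RedirectUrl.
    public static string ResolveRedirect(string requestedUrl, string fallback = "/")
    {
        if (IsLocalUrl(requestedUrl) || IsTrustedAbsoluteUrl(requestedUrl))
            return requestedUrl;

        return fallback;
    }

    public static void Main()
    {
        // Constructed sample inputs: the first three are legitimate, the rest
        // are attacker payloads. Only the first three should be returned as-is.
        string[] inputs =
        {
            "/account/settings",
            "~/home",
            "https://sso.mysite.com/login",
            "http://attacker.com/",
            "//attacker.com/",
            "/\\attacker.com/",
            "https://mysite.com@attacker.com/",
            "javascript:alert(1)",
            "",
        };

        foreach (string input in inputs)
            Console.WriteLine($"{input,-36} -> {ResolveRedirect(input)}");
    }
}
```

Falling back to "/" rather than throwing is a design choice: a thrown exception is fine for diagnosing the problem, but a silent fallback keeps a legitimate user with a mangled 'returnUrl' on the site instead of on an error page. Either way, the untrusted value must never reach 'Redirect' unchecked.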
This diagnostic is classified as: