LINK REDIRECTOR HOW TO
Preventing Unvalidated Redirects and Forwards

Safe use of redirects and forwards can be done in a number of ways:

- Simply avoid using redirects and forwards.
- If used, do not allow the URL as user input for the destination.
- Where possible, have the user provide a short name, ID or token which is mapped server-side to a full target URL.
  - This provides the highest degree of protection against an attacker tampering with the URL.
  - Be careful that this doesn't introduce an enumeration vulnerability where a user could cycle through IDs to find all possible redirect targets.
- If user input can't be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user.
- Sanitize input by creating a list of trusted URLs (a list of hosts or a regex).
  - This should be based on an allow-list approach, rather than a block list.
- Force all redirects to first go through a page notifying users that they are leaving your site, with the destination clearly displayed, and have them click a link to confirm.

Validating and sanitising user input to determine whether a URL is safe is not a trivial task. Detailed instructions on how to implement URL validation are given in the Server Side Request Forgery Prevention Cheat Sheet.

ASP.NET MVC login action that receives a user-supplied returnUrl (only the signature is preserved here): public ActionResult LogOn(LogOnModel model, string returnUrl)

The simplest way to redirect to another URL is to use an HTML meta tag with the http-equiv parameter set to refresh.
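The two server-side strategies from the list above, as an added example that is not part of the original page and not OWASP's own code: an opaque-token lookup (the client never supplies a URL, and random tokens rather than sequential IDs avoid the enumeration problem noted above) and an allow-list check for cases where a user-supplied URL cannot be avoided. The check uses only the Python standard library and handles the parsing edge cases that defeat naive prefix or substring tests (scheme-relative "//host", userinfo "@", non-http schemes, look-alike subdomains, backslashes). All hosts, tokens and URLs are constructed sample values.

```python
"""Added example (not from the OWASP page): choosing a redirect target safely.

1. Token-to-URL mapping: the client sends an opaque token; the server maps it
   to a destination it controls, so no raw URL ever comes from user input.
2. Allow-list validation of a user-supplied URL, for the cases where that
   input cannot be avoided.

All hosts, tokens and URLs below are constructed sample values.
"""
import secrets
from typing import Optional
from urllib.parse import urlsplit

# --- Strategy 1: opaque token -> destination ----------------------------
# Tokens come from secrets.token_urlsafe rather than a sequential counter, so
# a caller cannot cycle through IDs to enumerate every redirect target.
REDIRECT_TARGETS = {
    "k3Jb1xQ9": "https://partner.example.com/landing",   # sample entries
    "Zp7mA2vL": "https://docs.example.org/start",
}


def new_redirect_token(url: str) -> str:
    """Register a destination chosen by the application; return its token."""
    token = secrets.token_urlsafe(12)
    REDIRECT_TARGETS[token] = url
    return token


def resolve_token(token: str) -> Optional[str]:
    """Mapped URL for a token, or None so the caller can fall back to a
    default page instead of redirecting anywhere."""
    return REDIRECT_TARGETS.get(token)


# --- Strategy 2: allow-list validation of a user-supplied URL -----------
ALLOWED_HOSTS = frozenset({"www.example.com", "app.example.com"})


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if url is a site-relative path or an absolute http(s) URL
    whose host is exactly one of allowed_hosts."""
    if not url or any(c in url for c in "\r\n\t \\"):
        # CR/LF/tab can split the Location header; some browsers normalise
        # backslashes to slashes, turning '/\evil' into the scheme-relative
        # '//evil', so reject them outright instead of trying to canonicalise.
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path such as '/account'. Requiring exactly one
        # leading slash rejects both 'evil.example/x' and '//evil.example'.
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, file:, and scheme-relative '//'
    if parts.hostname is None or parts.username is not None:
        # 'https://www.example.com@evil.example/' has hostname evil.example;
        # refusing any userinfo keeps the rule explicit.
        return False
    # .hostname is already lowercased and has the port stripped; exact match
    # (not endswith) so 'www.example.com.evil.example' does not pass.
    return parts.hostname in allowed_hosts


def pick_redirect(url: str, default: str = "/") -> str:
    """What a controller should redirect to: the validated URL or the default."""
    return url if is_safe_redirect(url) else default


if __name__ == "__main__":
    for candidate in ("/account", "//evil.example/x",
                      "https://APP.example.com:443/dash",
                      "https://www.example.com@evil.example/",
                      "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {pick_redirect(candidate)}")
```

The exact-host comparison and the userinfo rejection are the two decisions that matter most in practice; a regex or endswith() check on the raw string is where most allow-list implementations go wrong.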