Unvalidated redirects

Unvalidated redirects and forwards can occur on websites that redirect users to destinations obtained from untrusted external inputs.

A typical example of a vulnerability is a sign-in page that redirects users to a return URL specified by a query string parameter. Without sufficient protection, the following type of attack could occur:

  1. An attacker creates a forged version of the site’s sign-in page.
  2. The attacker sends out links to the legitimate sign-in page with the forged page in the return URL parameter.
    For example: http://domain.com/SignIn?returnUrl=http://forgeddomain.com/SignIn
  3. A user clicks the link, signs in, and is redirected to the forged page.
  4. The page informs the user that the authentication failed and requests another attempt to enter the sign-in credentials.
  5. The user submits their authentication credentials on the forged page.
  6. The page redirects the user back to the home page of the original site, where the user is already signed in.

An attacker could obtain the authentication credentials of users without them even noticing that an attack has occurred.

Handling of redirects in Xperience

All redirects performed by default in Xperience are secured against unvalidated redirection attacks. For redirects that lead away from the website, the destination is automatically changed to the application root. If a redirect URL is set in the Xperience administration interface (a trusted source), no validation occurs and external URLs are allowed.

Performing safe redirects

If your website has functionality or components that perform redirects, consider the possibility of unvalidated redirection attacks. Your code may contain security vulnerabilities if the redirect URL originates from an external input (such as a query string parameter or a posted form field).

The safest approach is to completely avoid redirects to URLs obtained from untrusted inputs.

If you cannot avoid such redirects, always validate the untrusted input with the System.Web.Mvc.UrlHelper.IsLocalUrl method before performing the redirect, and only redirect when the method confirms that the destination is local to the application.
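The following sign-in action is an added illustration, not code from Xperience or from this page: it shows the vulnerable redirect described above next to a version guarded by UrlHelper.IsLocalUrl, with a fallback to the application root in the same way Xperience handles its own external redirects. SignInModel and AuthenticateUser are hypothetical placeholders for the application's real model and authentication.

```csharp
using System.Web.Mvc;

// Hypothetical view model; the application's real sign-in model will differ.
public class SignInModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class SignInController : Controller
{
    // VULNERABLE: follows whatever the untrusted returnUrl parameter contains, so
    // /SignIn?returnUrl=http://forgeddomain.com/SignIn sends the signed-in user offsite.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult SignInUnsafe(SignInModel model, string returnUrl)
    {
        if (!ModelState.IsValid || !AuthenticateUser(model)) return View("SignIn", model);
        return Redirect(returnUrl);
    }

    // SAFE: the redirect is performed only when returnUrl is local to this application.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult SignIn(SignInModel model, string returnUrl)
    {
        if (!ModelState.IsValid || !AuthenticateUser(model)) return View(model);
        return RedirectToLocal(returnUrl);
    }

    private ActionResult RedirectToLocal(string returnUrl)
    {
        // Url.IsLocalUrl accepts application paths such as "/Account" or "~/Account" and
        // rejects absolute URLs ("http://forgeddomain.com") as well as the protocol-relative
        // and backslash variants ("//forgeddomain.com", "/\forgeddomain.com") that a naive
        // "starts with a slash" check would let through.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        // Fall back to the application root, as Xperience does for redirects leading offsite.
        return Redirect("~/");
    }

    // Hypothetical credential check; replace with the application's real authentication.
    private bool AuthenticateUser(SignInModel model)
    {
        return !string.IsNullOrEmpty(model.UserName) && !string.IsNullOrEmpty(model.Password);
    }
}
```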