Requirements: I recently read Microsoft's ASP.NET Core document "Preventing Open Redirect Attacks in ASP.NET Core". In short, it says that when a developer redirects to a callback address, the address must be checked to be a path on the local site, so that nobody can forge the callback address and use it for phishing. I studied the code and prepared to port it to an ASP.NET MVC project.
I remember that a major vendor had this vulnerability before, and some people used it to siphon traffic from QQ and WeChat, as follows:
Because those chat tools trusted the large vendor's domain, they could not stop users from clicking links that led to malicious site content.
What is an open redirect attack?
Web applications frequently redirect users to login pages when they access resources that require authentication. Redirects typically include a returnUrl querystring parameter so that users can return to the originally requested URL after a successful login. After the user authenticates, they are redirected to the URL they originally requested.
Example of an attack
A malicious user can craft an attack designed to give them access to a user's credentials or sensitive information. To start the attack, the malicious user tricks the user into clicking a link to your site's login page with a returnUrl querystring value appended to that URL. Take contoso.com as an example: the app has a login page at http://contoso.com/Account/LogOn?returnUrl=/Home/About. The attack follows these steps:
- The user clicks a malicious link to http://contoso.com/Account/LogOn?returnUrl=http://contoso1.com/Account/LogOn (the second URL is "contoso1.com", not "contoso.com").
- The user successfully logs in.
- The user is redirected to the site http://contoso1.com/Account/LogOn (a malicious site that looks exactly like the real one).
- The user logs in again (providing credentials to the malicious site) and is redirected back to the real site.
- The user probably thinks that the first login attempt failed and the second one succeeded. Most likely the user never realises that their credentials have been compromised.
In addition to login pages, some sites offer redirect pages or endpoints. Suppose your app has a page with an open redirect, /Home/Redirect. An attacker could, for example, put a link such as [yoursite]/Home/Redirect?url=http://phishingsite.com/Home/Login in an email. Regular users see that the URL starts with your site name and, trusting it, click the link. The open redirect then sends them to a phishing site that looks the same as yours, and they may log in to a site they believe is yours.
Prevent open redirect attacks
When developing web applications, treat all user-provided data as untrusted. If your app can redirect users based on URL content, make sure such redirects are only made locally within your app (or to known URLs, never to arbitrary URLs that may be supplied in the querystring).
LocalRedirect
Use the LocalRedirect helper method on the Controller base class:
If a non-local URL is specified, LocalRedirect throws an exception. Otherwise, it behaves the same as the Redirect method. The exception message is as follows:
InvalidOperationException: The supplied URL is not local. A URL with an absolute path is considered local if it does not have a host/authority part. URLs using virtual paths ('~/') are also local. The source code is as follows:
Execution flow: LocalRedirect -> LocalRedirectResult -> IActionResultExecutor<LocalRedirectResult> -> LocalRedirectResultExecutor -> UrlHelper -> IsLocalUrl -> CheckIsLocalUrl. In the end, IsLocalUrl is called to make the decision (by default, UrlHelperFactory is the implementation of the IUrlHelperFactory interface).
IsLocalUrl
Before redirecting, test the URL with the IsLocalUrl method:
The code is as follows:
The test code is as follows:
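As an added example (not the listing this post refers to, and not the framework's own source), here is a stand-alone C# check written in the spirit of the CheckIsLocalUrl rules quoted above, with a small helper that falls back to a known local path when the returnUrl fails the check. The class and method names are my own, and the sample URLs at the bottom are constructed.

```csharp
using System;

// Added example: a local-URL check modelled on the rules that ASP.NET Core's
// IsLocalUrl applies. Names here are illustrative, not the framework's.
public static class LocalUrlCheck
{
    // True only for "/", "/path", "~/" and "~/path". Rejects protocol-relative
    // forms ("//host", "/\host"), anything with a scheme or host, and control
    // characters such as tab/newline, which URL parsers strip before parsing.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        // "/" or "/foo" is local; "//foo" and "/\foo" are not.
        if (url[0] == '/')
        {
            if (url.Length == 1) return true;
            if (url[1] != '/' && url[1] != '\\') return !HasControlChar(url, 1);
            return false;
        }
        // "~/" or "~/foo" is local; "~//foo" and "~/\foo" are not.
        if (url[0] == '~' && url.Length > 1 && url[1] == '/')
        {
            if (url.Length == 2) return true;
            if (url[2] != '/' && url[2] != '\\') return !HasControlChar(url, 2);
            return false;
        }
        // Everything else (http://..., javascript:, bare host names) is non-local.
        return false;
    }

    private static bool HasControlChar(string s, int start)
    {
        for (int i = start; i < s.Length; i++)
            if (char.IsControl(s[i])) return true;
        return false;
    }

    // Fail closed: an unsafe returnUrl is replaced by a known local default.
    public static string SafeReturnUrl(string returnUrl, string fallback = "/")
        => IsLocalUrl(returnUrl) ? returnUrl : fallback;

    public static void Main()
    {
        // Constructed sample inputs, including the contoso1.com case from the post.
        string[] samples = { "/Home/About", "~/Account", "//contoso1.com",
            "/\\contoso1.com", "http://contoso1.com/Account/LogOn", "/\tcontoso1.com" };
        foreach (var s in samples)
            Console.WriteLine($"{s,-40} local={IsLocalUrl(s)} -> {SafeReturnUrl(s)}");
    }
}
```

Only the first two samples pass; the rest fall back to "/" rather than throwing, which is the behaviour you want on a login page where the returnUrl came from the querystring.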
If redirects to sites on other domains are permitted, you can implement the IUrlHelperFactory interface yourself and register it in IServiceCollection at startup to replace the default implementation class.
(End)