Could ASP.NET MVC prevent Open Redirect security issue
Question
I read someone's ASP.NET MVC code as:
```csharp
[HttpGet]
public ActionResult Move(string url)
{
    // redirects wherever the caller says, with no check on the destination
    return Redirect(HttpUtility.UrlEncode(url));
}
```
I am afraid the code above could cause the Open Redirect security problem, because the "url" comes from the user's input and is never filtered/protected....
So the url could be something like "www.hackersite.com", which would be dangerous...
But someone told me that the ASP.NET MVC framework could prevent the issue by itself. I am not sure how to do that....?
Answer
It doesn't matter which technology exactly you're using. For preventing Open Redirection you'll simply have to follow the OWASP guidelines. Normally there are two different cases in site redirection:
- if you should redirect the user as part of the process (as in redirecting to Home.aspx after a successful login).
- if there's a link on the website that the user can change and click on (as in a Facebook post where someone posted a link to some external website).
In both cases the mitigation could be different.
For case #1: You'll have to make sure that the URL is a local URL, a.k.a. in the same web app's domain. Otherwise redirect home to another page, e.g. your Index.
```csharp
if (Url.IsLocalUrl(returnPath))
    return Redirect(returnPath);
else
    return RedirectToAction("Index", "Home");
```
For case #2: You may need to check first whether the URL is local or not. If it's not, you'll have to redirect the user to a webpage and ask for his confirmation that he will be redirected to another domain.
You can find more info here: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
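An added example (not from the question or the answer) that puts both cases from the answer into one ASP.NET MVC controller; the `RedirectController` class, the `Leave`/`Confirm` action names and the `ConfirmLeave` view are assumed:

```csharp
using System;
using System.Web.Mvc;

public class RedirectController : Controller
{
    // Case #1: follow the URL only if it is local to this application;
    // anything else falls back to a known page instead of an attacker-chosen host.
    [HttpGet]
    public ActionResult Move(string url)
    {
        if (!string.IsNullOrEmpty(url) && Url.IsLocalUrl(url))
            return Redirect(url);

        return RedirectToAction("Index", "Home");
    }

    // Case #2: external links are never followed directly. Show an
    // interstitial page that names the destination host and let the user confirm.
    [HttpGet]
    public ActionResult Leave(string url)
    {
        if (!string.IsNullOrEmpty(url) && Url.IsLocalUrl(url))
            return Redirect(url);

        Uri target;
        if (!Uri.TryCreate(url, UriKind.Absolute, out target) ||
            (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps))
            return RedirectToAction("Index", "Home");   // not a web URL at all (e.g. javascript:)

        // The assumed "ConfirmLeave" view shows target.Host and posts the URL back to Confirm().
        // Cast to object so the (viewName, model) overload is picked, not (viewName, masterName).
        return View("ConfirmLeave", (object)target.AbsoluteUri);
    }

    // Only a POST from the confirmation form (CSRF-protected) performs the external redirect.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Confirm(string url)
    {
        Uri target;
        if (Uri.TryCreate(url, UriKind.Absolute, out target) &&
            (target.Scheme == Uri.UriSchemeHttp || target.Scheme == Uri.UriSchemeHttps))
            return Redirect(target.AbsoluteUri);

        return RedirectToAction("Index", "Home");
    }
}
```

Note that the URL is passed to Redirect as-is: URL-encoding it, as in the question's code, would turn "/Account/Orders" into a relative path that no longer points where intended.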