ASP.NET MVC可以防止Open Redirect安全问题 [英] Could ASP.NET MVC prevent Open Redirect security issue

查看:120
本文介绍了ASP.NET MVC可以防止Open Redirect安全问题的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我读到某人的asp.net mvc代码为:

I read someone asp.net mvc code as :

[HttpGet]
public ActionResult Move(string url)
{
    return Redirect(HttpUtility.UrlEnocode(url));
}

恐怕上面的代码可能会导致打开重定向"安全问题,因为"URL"来自用户的输入,并且永远不会被过滤/保护....

I am afraid the code above could cause the Open Redirect security problem, because the "url" is from user's input and never be filtered/protected....

因此url可能是一些"www.hackersite.com",这很危险...

So the url could be some "www.hackersite.com", that will be dangerous...

但是有人告诉我,asp.net mvc框架可以通过asp.net mvc框架防止此问题.我不确定该怎么做....?

But someone told me that asp.net mvc framework could prevent the issue through the asp.net mvc framework. I am not sure how to do that ....?

推荐答案

您使用的是哪种技术都没有关系.为防止开放重定向,您只需遵循 OWASP 准则. 通常,网站重定向有两种不同的情况:

It doesn't matter which technology you're exactly using. For preventing Open Redirection you'll simply have to follow the OWASP guidelines. Normally there are two different cases in Site Redirection:

  1. 是否应在过程中重定向用户. (如后) 成功登录重定向到Home.aspx).
  2. 如果网站上的链接可供用户更改并单击(如在Facebook帖子中,某人发布了指向某个外部网站的链接).
  1. if you should redirect the user as part of the process. (As in after successful login redirect to Home.aspx).
  2. if there's link in the on the Website that the user can change and click on (As in a facebook post where someone posted a link to some external website).

在两种情况下,缓解措施都可能不同.

In both cases the mitigation could be different.

对于案例1: 您必须确保Url是LocalUrl.在同一个Web应用程序的域中.否则,将首页重定向到另一个页面,例如您的索引.

For case #1: You'll have to make sure that the Url is a LocalUrl aka. in the same web app's domain. Otherwise redirect home to another Page ex: your Index.

if (Url.IsLocalUrl(returnPath))
    return Redirect(returnPath);
else
    return RedirectToAction("Index", "Home");

对于案例2:

您可能需要首先检查URL是否为本地.如果不是,则必须将用户重定向到网页,并要求他确认将其重定向到另一个域.

You may need to check first if the URL is local or not. If it's not you'll have to redirect the user to a webpage and ask for his confirmation that he will be redirected to another domain.

您可以在此处找到更多信息: https://www.owasp.org/index. php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

You can find more info here: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

这篇关于ASP.NET MVC可以防止Open Redirect安全问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
C#/.NET最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆