Review code for open redirect vulnerabilities
Description
When working with untrusted input, be mindful of open redirect vulnerabilities. An attacker can exploit an open redirect vulnerability to use your website to give the appearance of a legitimate URL, but redirect an unsuspecting visitor to a phishing or other malicious webpage.
This rule attempts to find input from HTTP requests reaching an HTTP redirect URL. This rule can't track data across assemblies. For example, if one assembly reads the HTTP request input and then passes it to another assembly that responds with an HTTP redirect, this rule won't produce a warning. There is a configurable limit to how deep this rule will analyze data flow across method calls. See Analyzer Configuration for how to configure the limit in an EditorConfig file.
Cause
Potentially untrusted HTTP request input reaches an HTTP response redirect.
By default, this rule analyzes the entire codebase, but this is configurable.
How to fix violations
Some approaches to fixing open redirect vulnerabilities include:
- Don't allow users to initiate redirects.
- Don't allow users to specify any part of the URL in a redirect scenario.
- Restrict redirects to a predefined "allow list" of URLs.
- Validate redirect URLs.
- If applicable, consider using a disclaimer page when users are being redirected away from your site.
Example
Violation

using System;

public partial class WebForm : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string input = Request.Form["url"];
        this.Response.Redirect(input);
    }
}
Solution

using System;

public partial class WebForm : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string input = Request.Form["in"];
        if (String.IsNullOrWhiteSpace(input))
        {
            this.Response.Redirect("https://example.org/login.html");
        }
    }
}

When to suppress
If you know you've validated the input to be restricted to intended URLs, it's okay to suppress this warning.
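The fix list above recommends an allow list and validation of redirect URLs, and the Solution example only ever redirects to a fixed page. The helper below is an added example (not code from the Microsoft docs page or from the analyzer) showing one way to combine both: a user-supplied target is accepted only if it is a same-site path or an https URL whose host is on a hypothetical allow list, and anything else falls back to the fixed login page.

```csharp
using System;
using System.Collections.Generic;

// Added example: a redirect target policy that a page can call before
// Response.Redirect, so request input never reaches the redirect unchecked.
public static class RedirectPolicy
{
    // Hosts this site is willing to redirect to (hypothetical values).
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "example.org",
            "accounts.example.org",
        };

    private const string DefaultTarget = "https://example.org/login.html";

    // Returns either a local path on this site or an absolute https URL whose
    // host is on the allow list; every other input maps to DefaultTarget.
    public static string ResolveRedirectTarget(string candidate)
    {
        if (string.IsNullOrWhiteSpace(candidate))
        {
            return DefaultTarget;
        }

        candidate = candidate.Trim();

        // Local path: must start with exactly one '/'. A second '/' or a '\'
        // ("//other.example", "/\other.example") is treated by browsers as an
        // absolute URL to another host, so it is rejected here.
        if (candidate.StartsWith("/", StringComparison.Ordinal))
        {
            if (candidate.Length > 1 && (candidate[1] == '/' || candidate[1] == '\\'))
            {
                return DefaultTarget;
            }
            return candidate;
        }

        // Absolute URL: parse it and compare scheme and host exactly, rather
        // than doing a prefix or substring match on the raw string.
        if (Uri.TryCreate(candidate, UriKind.Absolute, out Uri uri)
            && uri.Scheme == Uri.UriSchemeHttps
            && AllowedHosts.Contains(uri.Host))
        {
            return uri.AbsoluteUri;
        }

        return DefaultTarget;
    }
}
```

A page would then call `Response.Redirect(RedirectPolicy.ResolveRedirectTarget(Request.Form["url"]))`; the analyzer may still report that call site, in which case the guidance under "When to suppress" applies.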