We have a homebrewed advertising system on our website. Part of this includes code that when an ad is clicked, we first go to a intermediary page that records the click data, which then redirects them along to the desired advertiser's website.
Unfortunately, our current solution requires that a URL parameter be passed to the intermediary page that is the destination URL. Some savvy advertisers have discovered that they can use this for their own nefarious purposes and "launder" their traffic through our site. In other words, on their site, they have a link along the lines of www.oursite.com/redirect?URL=www.theirtargetsite.com, making it seem like that traffic is coming from our site.
I'm working on a solution that will only redirect to a whitelist of URLs, but my first problem is more just knowing what this is called. Finding alternative and probably better solutions is difficult when I don't even know what to call it. With so much spoofing, laundering, and hijacking going on, it's hard to find help for the right topic.
What is it called when website A redirects to website C through website B without the permission of B?
The word you're looking for is open redirect. The MITRE article on this class of vulnerability has some examples of ways that this can be mitigated, e.g:
Whitelist the URLs that you will redirect to
Displaying a warning page before redirecting (probably not viable in your situation)
Use numbers to identify the URLs to redirect to (i.e, look them up in a table) instead of putting the target in a query parameter
Use a HMAC construction to "sign" URLs to redirect to, and reject redirects that don't have a valid signature
Related
I will try and keep this as short as possible, although I may be leaving some things out, due to inexperience and/or lack of knowledge.
I have successfully been able to redirect from Website A to Website B, much like what was illustrated in the link C# - HttpWebResponse redirect to external URL (Thank You to everyone involved, this was very helpful)
The only problem is, that in Website B, after the redirection seems to have been successful, the system seems to ignore what happened , and redirect again back to it's Default home controller index Get Action result, and continues to Log in as if the Redirection never took place. I have removed everything that may cause this, in my opinion, like Attributes to check authentication etc.
Any help in this regard will be much appreciated.
According to your reference link( https://stackoverflow.com/questions/27503986/c-sharp-httpwebresponse-redirect-to-external-url), they try to create a single-sign-on system. Because they have 2 websites. The question of this link that how can they solve this problem with HtppWebRequest class. This is not possible ofcourse.
If you look at the answer section that I added on image, Author offer to use cookie sharing.
What is the correct solution to share authanctication info between different web site?
You should search about on Single Sing On Authantication methods.
Here is a few clue
OAuth(Google, Facebook)
SAML Protocol
JWt
may Jwt a bit hard way ;)
I am using the following code to redirect to the referrer in my controller:
return Redirect(this.HttpContext.Request.UrlReferrer.AbsolutePath);
During a scan with an application security tool it pointed out that the above code enables phishing attacks.
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link to generate a redirect. This enables phishing attacks.
Is there any way to safely redirected to the referrer?
This sounds like a general-purpose error, that is probably harmless in your case. The app sec tool doesn't realize that you're sending people back to the exact page they came from, but rather it sees the potential for you to do something like:
return Redirect(
is_trusted_site( this.HttpContext.Request.UrlReferrer.AbsolutePath )
? sensitiveURL
: otherURL
);
If the redirected URL changed depending on the content of the UrlReferrer, then you could fall prey to referrer spoofing.
Just the same, if you want to fix the "error", you can perhaps use JavaScript's history.back().
I don't see any problems with this, given that what you actually want, is to redirect to whoever puts a link to your site on the whole Internet. You have no control over how the "referrer" ends up in the HTTP header. It might be legit, it might be forged. If this is OK with you, I see no problems.
Be aware that someone CAN use your site to redirect to anything, and that opens up for possible attacks. I.e., send an email that acutally links to your site, but in a query parameter specifies a phishing site.
What are you planning to use this for?
I am developing an iframe for use on a number of our partners websites.
Is there any way I can make sure it can only be used on those websites and not by anyone else
I was intending to add a compulsory querystring to the URL for the website.
Each partner would have a different value in the quesrystring dnd use that to look up an allowed domain
However, is there anyway to know the top level domain of the site hosting the iframe?
Presumably this is not sent in the http request for the iFrame? Or is it, I couldn’t see it?
Or do you need to send the domain from javascript?
Any advice?
However, is there anyway to know the top level domain of the site hosting the iframe?
Nothing reliable.
Presumably this is not sent in the http request for the iFrame? Or is it, I couldn’t see it?
It might be sent in the referer
Or do you need to send the domain from javascript?
If you want to fetch it from the framed page, you will be blocked by the same origin policy.
If you want to sent it from the framing page, you will be putting it in the query string and you can't trust it because it can be set to whatever the person writing the framing page likes.
There is also the X-Frame-Options header (but that has limited browser support).
The most reliable solution I can think of is:
Require the origin to be specified in the query string used to load the frame
Check the referer. If it doesn't match your white-list and is not blank, redirect to a page that is blank except for a link to your site with target="_top" and some JavaScript that top.location = "your site"
Check that the origin specified in the query string is on your whitelist, if it isn't act in the same way as a rejected step 2
Output an X-Frame-Options header that limits the framing to the specified origin
That is likely to catch enough browsers to discourage the framing site from framing your site.
You can try to check referrer which normal browser will send for IFrame requests on the page.
You also can use "x-frame-options" header covered in (How to Block Iframe call and MDN ) but not every browser will respect that (on other hand it is more reliable if browser supports it).
iframe's sanbox attribute might be helpful in controlling the various security aspects in an iframe including origins
http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
The Architecture Journal of 2007 has a nice article about this: Secure Cross-Domain Communication in the Browser
Basically what the article suggests is:
If you have page A on domain 1 with an iframe with page B on domain 2 as its source , then having an iframe on page B to page C on domain 1, would allow you to pass information across domains
I haven't tested it, but this sounds like it could work.
Another possibility is create a file with a special filename (for instance a hash of the URL of page B on domain 2) and basic extension (like .htm) and place it in the root of domain 1. Checking whether the file exists on domain 1 cannot be done by javascript however, so it should be done with server side code.
Let's say I have a website www.mysite.com and I want it to be a multilingual site. Following are the things I wanna achieve :-
1. When a user visits my website, I want to fetch the user's country's ISO code. Let's say the ISO is "FR".
Now I want the user to be redirected to www.mysite.fr
In case the ISO address can't be fetched, the user will be redirected to www.mysite.com
Now I have used the dll from this site http://ipaddressextensions.codeplex.com/ and used their method which is something like
iso3066code(). BUT I am not able to fetch ISO code based on a user's IP address. What is the best method to fetch the ISO code anyway??
2. I have a differenet master page for different countries. Like for France there is France.master, for Germany there is Germany.master, etc.
What I want is that firstly the ISO Code of the user should be fetched, then the user should be redirected to the site corresponding to the ISO
AND want the corresponding master to load.
Here's a scenario:-
A user from France opens my website by typing "www.mysite.com". Now I want to show the user my site's contents in French so I want him to be redirected to
"www.mysite.fr" AND want the France.master to load for all the pages. What I am doing is check the "Top level domain name" entered by user which is "com" in this case, then I fetch the ISO code
then if ISO exists, user is redirected to "www.mysite.fr"
IN CASE, ISO cant be fetched , "www.mysite.com" will only be opened for the user.
3. How do I redirect the user?? Response.Redirect("http://www.mysite.fr") is failing and giving errors like :-
"Page is not redirecting properly" I tried changing it to Response.Redirect("http://www.mysite.fr", false)
and Response.Redirect("http://www.mysite.fr", true). This didn't work.
4. www.mysite.com and www.mysite.fr aren't two different websites.Just that when is it www.mysite.com, English content will be shown on the website.
When it is "www.mysite.fr", French content can be seen inside the website.
What I did was :-
In the Global.asax file :-
I tried fetching ISO code using that dll above from the site ipaddressextensions. Then I created this Application("UserISO") variable in Global.asax file.((Is this a good approach?))
I needed to make it because I wanted to use this global variable within my Global file itself..In some user defined method.
Then I am setting master page name in a cookie and using this cookie to change master page dynamically for every content page in the Page_PreInit() event.
and lastly I am redirecting the user with " Response.Redirect("http://www.mysite.fr", false)". This response.redirect doesnt work!
Now, AM I on the right path?? I am super confused over how to actually make it work! :(
How do multilingual site redirect their users? Where can I learn about all this ? I have tried and tried and tried but this just won't work!
Lastly, there are not really any domain names set for the site as of now. Running it using the IP address set in the IIS.
So how do I test my site. How do I really go about it. Am I following the correct approach at all??
Please direct me to the right path. ANY help will be greatly appreciated. Thanks!
Belgium has 3 official languages, you can't find my language by just looking at the ip address or the domain.
The best way to find the language of a visitor is to check the language of his browser. You can find it in Request.Userlanguages.
Don't do this. It's really frustrating when you try to assume what language the user speaks. You're bound to get it wrong for someone eventually. Put some small flag icons or the language name choices on your main page in a highly visible place, and let your visitors chose what site/language they want to browse in.
Facebook's main sign in page is a great example of this.
Edit: The best you could probably do is to use the HTTP1.1 Header Accept-Language as a hint, but even then I think you should push back on this requirement of your project.
You get redirect error because the .fr site is probably the same site as .com, but session cookies are only valid for a certain domain which means that Session_OnStart() is invoked on the redirect as well. One way to circumvent this is to override the redirect/ip-lookup somehow, maybe send in a querystring or a specific landing page that you can identify:
www.site.fr/?overrideredirect=true
www.site.fr/redirected.aspx -> which then redirects back to / after Session_OnStart
In order to choose the right master page, you could probably identify which host that was requested and from that override master page in your global.asax, perhaps in the BeginRequest event.
In an aspx C#.NET page (I am running framework v3.5), I need to know where the user came from since they cannot view pages without logging in. If I have page A (the page the user wants to view) redirect to page B (the login page), the Request.UrlReferrer object is null.
Background: If a user isn't logged in, I redirect to the Login page (B in this scenario). After login, I would like to return them to the page they were requesting before they were forced to log in.
UPDATE:
A nice quick solution seems to be:
//if user not logged in
Response.Redirect("..MyLoginPage.aspx?returnUrl=" + Request.ServerVariables["SCRIPT_NAME"]);
Then, just look at QueryString on login page you forced them to and put the user where they were after successful login.
UrlReferrer is based off the HTTP_REFERER header that a browser should send. But, as with all things left up to the client, it's variable.
I know some "security" suites (like Norton's Internet Security) will strip that header, in the belief that it aids tracking user behavior. Also, I'm sure there's some Firefox extensions to do the same thing.
Bottom line is that you shouldn't trust it. Just append the url to the GET string and redirect based off that.
UPDATE: As mentioned in the comments, it is probably a good idea to restrict the redirect from the GET parameter to only work for domain-less relative links, refuse directory patterns (../), etc. So still sanity check the redirect; if you follow the standard "don't use any user-supplied input blindly" rule you should be safe.
If you use the standard Membership provider, and set the Authorization for the directory/page, the code will automatically set a query parameter of ReturnUrl and redirect after a successfull login.If you don't want to use the Membership provider pattern, I would suggest manually doing the query string parameter thing as well. HTTP referrers are not very reliable.
The problem could be related on how you redirect the user to some other page. Anyways, the referer url is nothing you should take as absolute rule - a client can fake it easily.
What you're looking for is best done with a query string variable (e.g. returnURL or originURL). Referrer is best used for data mining operations as it's very unreliable.
See the way ASP.Net does redirection with logins for an example.