Preventing Open Redirect Usage in C# Web Forms Application

The code looks like this; this is the obvious code:

using System;
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;

// Allow-list for the userid value: letters, digits and underscore only.
readonly Regex alphaNumericRegex = new Regex("^[a-zA-Z0-9_]*$");
private const string USERNAME = "bitzleon";
protected void Page_PreInit(object sender, EventArgs e)
{
    // Only redirect when the request did not already carry a userid.
    if (HttpContext.Current.Request.QueryString.Get("userid") == null)
    {
        UriBuilder uriBuilder = new UriBuilder(Request.Url);
        NameValueCollection query = HttpUtility.ParseQueryString(uriBuilder.Query);
        query["userid"] = USERNAME;
        uriBuilder.Query = query.ToString();
        // Two checks before redirecting: the value is alphanumeric, and the target is local.
        if (alphaNumericRegex.IsMatch(query["userid"]) && IsLocalUrl(uriBuilder.ToString()))
        {
            Response.Redirect(uriBuilder.ToString());
        }
    }
}
The line Response.Redirect(uriBuilder.ToString()); is throwing an error in my Veracode checks, but I run two checks to ensure that the redirect is valid and internal.

First, the request must be alphanumeric - the regex will take care of that - and second, the address we are redirecting to is only local. The method I am using to validate the URL looks like this:

public bool IsLocalUrl(string url)
{
    if (string.IsNullOrEmpty(url))
    {
        return false;
    }
    Uri absoluteUri;
    // Absolute URL: accept only if its host matches the host of the current request.
    if (Uri.TryCreate(url, UriKind.Absolute, out absoluteUri))
    {
        return String.Equals(Request.Url.Host, absoluteUri.Host,
                    StringComparison.OrdinalIgnoreCase);
    }
    // Otherwise accept only a well-formed relative URL that carries no scheme.
    bool isLocal = !url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)
                    && !url.StartsWith("https:", StringComparison.OrdinalIgnoreCase)
                    && Uri.IsWellFormedUriString(url, UriKind.Relative);
    return isLocal;
}
But Veracode still does not believe that these fixes are sufficient to ensure that the HARDCODED redirection is verified enough.

This is the complete post on Veracode.

This is the page they lead me to when showing examples of how this attack works.

I would like to assume that this is a false positive, but it still affects my result.

+3
redirect c# c#-4.0
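As an added example (not the poster's code), one way to keep the static analyzer from seeing Request.Url flow into Response.Redirect is to build the target as a root-relative URL: the string handed to Response.Redirect then carries no scheme or host at all, and the userid is validated before it is inserted. It assumes the same page and field names as the question; the sample request URL in Main is constructed for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

public static class LocalRedirect
{
    // Same allow-list as the question, but require at least one character.
    static readonly Regex AlphaNumeric = new Regex("^[a-zA-Z0-9_]+$", RegexOptions.Compiled);

    // Returns a root-relative URL such as "/Account/Default.aspx?userid=bitzleon",
    // or null when the request path or the userid is not acceptable.
    public static string Build(Uri requestUrl, string userId)
    {
        if (requestUrl == null || userId == null || !AlphaNumeric.IsMatch(userId))
            return null;

        // AbsolutePath is the path component only: no scheme, no host, no query.
        string path = requestUrl.AbsolutePath;
        if (!path.StartsWith("/") || path.StartsWith("//"))
            return null; // never emit something a browser could read as protocol-relative

        // Carry the existing query through, as the question's code does, and append userid.
        string query = requestUrl.Query; // "?x=1" or ""
        string separator = query.Length == 0 ? "?" : "&";
        // userId is already constrained to [a-zA-Z0-9_]; encoding it costs nothing.
        return path + query + separator + "userid=" + Uri.EscapeDataString(userId);
    }

    // Usage in Page_PreInit (hypothetical, mirrors the question's structure):
    //   string target = LocalRedirect.Build(Request.Url, USERNAME);
    //   if (target != null) Response.Redirect(target);
    public static void Main()
    {
        // Constructed sample inputs for an offline run.
        Uri sample = new Uri("https://app.example.com/Account/Default.aspx?x=1");
        Console.WriteLine(Build(sample, "bitzleon"));          // /Account/Default.aspx?x=1&userid=bitzleon
        Console.WriteLine(Build(sample, "bad/../value") == null); // True: fails the allow-list
    }
}
```

Because the result always begins with a single "/", it cannot name another host, which is the property the host comparison in IsLocalUrl was trying to establish.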