I usually keep an eye on what my web applications are doing every now and then. Recently I noticed some really strange redirects being fired from one of my older projects. Like redirects to specific IP adresses or curious subdomains, rather traditional addresses for e.g. phishing attacks.
After checking my redirect logic the problem was immediately clear, I didn’t validate my redirects in any way, lazy me. The following code is offers actually a great way for people to use your brand/domain for redirects to spam sites or even phishing sites:
string RedirctURL = Request.QueryString["r"].ToString();
Now someone could easily drop his URL into the QueryString: http://www.yourdomain.com/somesite.aspx?r=http://www.the-injected-url.com. So what you should do is, check if the input really belongs to your site or is something you really want to redirect to.
If you only redirect to internal sites you can just check the string for a double slash “//”, if it occurs, deny the redirect. If you also redirect to external sites you have to use a database and save all permitted redirect URLs in there.
Also, don’t be tricked by using System.URI.AbsolutePath, because Firefox and IE will transform an invalid URL to a valid URL:
// Returns "//www.url-to-injected-site.com/badstuff.aspx" which will work in FireFox and IE!
Uri link1 = new Uri("http://www.url-to-injected-site.com//www.url-to-injected-site.com/badstuff.aspx");
As you probably know you should always validate external inputs, don’t be lazy or you will be sorry later..