Disallow external pages in ASP website

  • siva538
    New Member
    • Jun 2007
    • 44

    Disallow external pages in ASP website

    Hi All,

    I am using IIS 6.0 for an ASP-based website. This is an existing application and the code was written to redirect pages to an error page whenever there is an error. Also, after some operations the pages will be redirected to other pages.

    Whenever there is a URL redirection, the next URL is displayed in the address bar like:

    www.ourwebsite.com/Home.asp?NextURL=http://www.externalsite.com/

    We are using NextURL for transferring to internal website pages. As this is currently exposed in the address bar of the browser, it can be redirected to any page the user enters. This is a major security threat to the site.

    What I want to know is whether there is any way we can avoid such URL redirections to external sites. If possible we want to do that at the IIS level without touching our existing code.

    Thanks in Advance.

    Regds,
    Sivakumar
  • siva538
    New Member
    • Jun 2007
    • 44

    #2
    Pinging ASP experts again requesting help! Please help with this question.

    Thank you !


    • DrBunchman
      Recognized Expert Contributor
      • Jan 2008
      • 979

      #3
      So basically what you want to do is store the url of the next page somewhere other than the querystring?

      You could do this by passing a code through the querystring which represents the URL. You'd have to convert this code into the actual URL within your code. Something like:

      FirstPage.asp?urlcode=np1

      Then your code could be:

      Code:
      <%
      Dim sNextPage
      ' the query string carries only a code; the real URL is looked up here
      Select Case Request.QueryString("urlcode")
          Case "np1"
              sNextPage = "www.NextPage1.co.uk"
          Case Else
              sNextPage = "www.NextPage2.co.uk"
      End Select
      %>
      Is this a feasible solution to your problem or have I misunderstood?

      Hope this helps,

      Dr B


      • danp129
        Recognized Expert Contributor
        • Jul 2006
        • 323

        #4
        How is it a security threat if the user changes it and redirects themselves to a different website? Are you logging "nexturl" into a database and then displaying that URL later for other people to click on?


        • siva538
          New Member
          • Jun 2007
          • 44

          #5
          Originally posted by danp129
          How is it a security threat if the user changes it and redirects themselves to a different website? Are you logging "nexturl" into a database and then displaying that URL later for other people to click on?
          Sorry for delay in answering this question.

          If some hacker puts in a wrong URL/phishing site and they are not stopped, it might lead to the user's misinterpretation that it is a benign site, and there is a threat of credentials being harvested there.


          • danp129
            Recognized Expert Contributor
            • Jul 2006
            • 323

            #6
            It would be difficult to account for every possible valid internal link. It would be best to set nexturl in a session variable or use Dr B's example.

            Here's a very basic validation that only allows URLs starting with "http://www.internalsite.com" and does not allow https/ftp or usernames encoded within the URL.
            [code=asp]
            dim nexturl: nexturl = lcase(trim(request("nexturl")))
            dim ThisSite: ThisSite = lcase(Request.ServerVariables("SERVER_NAME"))
            dim sPrefix: sPrefix = "http://" & ThisSite

            dim bValid: bValid = true

            if instr(1, nexturl, sPrefix) = 1 then
                if len(nexturl) > len(sPrefix) then
                    ' the character right after the host decides whether we are still on this site:
                    ' only "/", "?" or "#" may follow it, which rejects
                    '   http://www.internalsite.com.phishing.org   (sub domain trick)
                    '   http://www.internalsite.com@phishing.org   (user name encoded in the URL)
                    '   http://www.internalsite.comphishing.org    (host name extended)
                    if instr("/?#", mid(nexturl, len(sPrefix) + 1, 1)) = 0 then
                        bValid = false
                    end if
                end if
            else
                ' does not start with http://www.internalsite.com at all: https, ftp, other hosts
                bValid = false
            end if

            if bValid then Response.Redirect nexturl
            [/code]

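Both approaches from this thread (the code-to-URL table in #3 and the same-host check in #6) in Python, added here as an illustration and not code from either post; the host name, page paths and code table are constructed, and the host check uses a URL parser so that the userinfo (@), scheme-relative (//) and backslash forms that a plain string-prefix test does not catch are also rejected.

```python
from urllib.parse import urlsplit

# Constructed values standing in for Request.ServerVariables("SERVER_NAME")
# and for the page shown when the parameter is rejected.
THIS_SITE = "www.ourwebsite.com"
FALLBACK = "/Home.asp"

# Post #3's approach: the query string carries only an opaque code that is
# looked up here, so no URL ever travels through the browser (table constructed).
URL_CODES = {"np1": "/NextPage1.asp", "np2": "/NextPage2.asp"}

def resolve_url_code(code, fallback=FALLBACK):
    """Map urlcode=np1 to a known page; unknown or missing codes go to fallback."""
    return URL_CODES.get((code or "").strip().lower(), fallback)

# Post #6's approach, done with a URL parser instead of a string-prefix test.
def safe_redirect_target(next_url, this_site=THIS_SITE, fallback=FALLBACK):
    """Return next_url only if it stays on this_site, otherwise fallback.

    Accepted: absolute http(s) URLs whose host is exactly this_site, and
    site-relative paths that start with a single '/'.
    """
    candidate = (next_url or "").strip()
    if not candidate:
        return fallback
    # Browsers read '\' as '/', and CR/LF would inject headers into the
    # Location response, so both are rejected outright.
    if "\\" in candidate or any(ord(c) < 0x20 for c in candidate):
        return fallback
    # '//evil.com' and '///evil.com' are scheme-relative: same scheme, new host.
    if candidate.startswith("//"):
        return fallback
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 bracket syntax
        return fallback
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return fallback  # javascript:, data:, ftp:, ...
        # .hostname drops user:pass@ and :port, so http://www.ourwebsite.com@evil.com/
        # yields evil.com, and www.ourwebsite.com.phishing.org is just another host.
        if parts.hostname != this_site.lower():
            return fallback
        return candidate
    # No scheme: only a plain site-relative path is allowed.
    if parts.netloc or not candidate.startswith("/"):
        return fallback
    return candidate
```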
