Click here to Skip to main content
15,881,172 members
Search within:


How to prevent url vulnerability in ASP.NET
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
C#
ASP.NET
I am scanning my application checkmark there few of the string are getting as Reflected XSS vulnerability with High-level security issue

Below is the Ex for vulnerability
String fromURL= "https://www.mySite.com?id=7878&name=uname";
Response.Redirect(fromURL);

What I have tried:

I have tried with using HttpUtility.HtmlEncode 
String fromURL= "https://www.mySite.com?id=7878&name=uname";
   Response.Redirect(HttpUtility.HtmlEncode(fromURL));


Could you please assist on this type of Url vulnerabilities
Posted
Updated 28-Aug-20 21:14pm
Add a Solution
Comments
F-ES Sitecore 27-Aug-20 10:38am    
If that is genuinely your code then there is no vulnerability there so you should use the appropriate attributes to have your code checker ignore that error for that bit of code. If that isn't actually the exact code, or the vulnerability is actually elsewhere (like "/" on mysite.com), then we can't help you fix vulnerabilities in code you haven't shown us so you will need to update your question to show the actual code.
DGKumar 27-Aug-20 15:35pm    
hi
https://www.mySite.com?id=7878&name=uname
after encoding the above url i am getting the below url
https%3A%2F%2Fwww.mySite.com%3Fid%3D7878%26name%3Duname
Sandeep Mewara 27-Aug-20 15:44pm    
By any chance you on ASP.NET MVC 1 or 2?
Sandeep Mewara 27-Aug-20 15:45pm    
Also,
Above redirect url is exactly the same where the XSS vulnerability is being raised or there is different url?

1 solution

Have a look at this: Unvalidated Redirects and Forwards - OWASP Cheat Sheet Series[^]

Section "Dangerous URL Redirects"
Quote:
ASP .NET MVC 1 & 2 websites are particularly vulnerable to open redirection attacks. In order to avoid this vulnerability, you need to apply MVC 3.

The code for the LogOn action in an ASP.NET MVC 2 application is shown below. After a successful login, the controller returns a redirect to the returnUrl. You can see that no validation is being performed against the returnUrl parameter.


Section "Safe URL redirect":
Quote:
Response.Redirect("~/folder/Login.aspx")


Details: Preventing Open Redirection Attacks (C#) | Microsoft Docs[^]
 
Share this answer
 
Posted
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
How to prevent cross site history manipulation vulnerability in ASP.NET web forms?
Prevention (Security vulnerability ) downloading a pdf file by download url
How to fix authorization bypass vulnerability in ASP.NET?
How to prevent stored xss vulnerability for dataset in ASP.NET
How to prevent url in asp.net?
cross-site scripting vulnerability
Prevent Page Url from copying
Prevent navigation if url is pasted by user
Vulnerability: Cross Site Request Forgery
Prevent a User from making changes to a web URL

Advertise
Privacy
Cookies
Terms of Use
Last Updated 29 Aug 2020
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web02 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900