Disallow external pages in ASP website

Question posted by: siva538 (Member) on April 24th, 2008 10:57 AM
Hi All,

I am using IIS 6.0 for an ASP based website. This is an existing application and the code was written to redirect pages to an error page whenever there is an error. Also, after some operations the pages will be redirected to other pages.

Whenever there is a URL redirection, the next URL is displayed in the address bar like:

www.ourwebsite.com/Home.asp?NextURL=http://www.externalsite.com/

We are using NextURL for transferring to internal website pages. As this is currently exposed in the address bar of the browser, it can be redirected to any page the user enters. This is a major security threat to the site.

What I want to know is whether there is any way we can avoid such URL redirections to external sites. If possible we want to do that at the IIS level without touching our existing code.

Thanks in Advance.

Regds,
Sivakumar
Reply #2 posted by: siva538 (Member) on April 27th, 2008 03:57 PM

Re: Disallow external pages in ASP website
Pinging ASP experts again requesting help! Please help with this question.

Thank you !

Reply #3 posted by: DrBunchman (Moderator) on April 28th, 2008 08:52 AM

Re: Disallow external pages in ASP website
So basically what you want to do is store the URL of the next page somewhere other than the query string?

You could do this by passing a code through the query string which represents the URL. You'd have to convert this code into the actual URL within your code. Something like:

FirstPage.asp?urlcode=np1

Then your code could be:

Code: ( text )
<%
' Map the short code from the query string to the real next page.
' The browser only ever sees the code, never the target URL itself.
Dim sNextPage
Select Case Request.QueryString("urlcode")
    Case "np1"
        sNextPage = "www.NextPage1.co.uk"
    Case Else
        sNextPage = "www.NextPage2.co.uk"
End Select
%>


Is this a feasible solution to your problem or have I misunderstood?

Hope this helps,

Dr B

Reply #4 posted by: danp129 (Expert) on April 28th, 2008 09:39 PM

Re: Disallow external pages in ASP website
How is it a security threat if the user changes it and redirects themselves to a different website? Are you logging "nexturl" into a database and then displaying that URL later for other people to click on?

Reply #5 posted by: siva538 (Member) on May 7th, 2008 10:11 AM

Re: Disallow external pages in ASP website
Quote:
Originally Posted by danp129
How is it a security threat if the user changes it and redirects themselves to a different website? Are you logging "nexturl" into a database and then displaying that URL later for other people to click on?

Sorry for the delay in answering this question.

If some hacker puts in a wrong URL/phishing site and they are not stopped, it might lead the user to misinterpret it as a benign site, and there is a threat of credentials being harvested there.

Reply #6 posted by: danp129 (Expert) on May 7th, 2008 07:34 PM

Re: Disallow external pages in ASP website
It would be difficult to account for every possible valid internal link. It would be best to set nexturl in a session variable or use Dr B's example.

Here's a very basic validation that only allows URLs starting with "http://www.internalsite.com" and does not allow https/ftp or usernames encoded within the URL.
Code: ( text )
dim nexturl: nexturl = lcase(request("nexturl"))
dim ThisSite: ThisSite = lcase(Request.ServerVariables("SERVER_NAME"))
' the only prefix we accept: plain http on this server's own host name
dim sPrefix: sPrefix = "http://" & ThisSite

dim bValid: bValid = true

if instr(1, nexturl, sPrefix) = 1 then
    if len(nexturl) > len(sPrefix) then
        ' the character right after the host must start a path ("/").
        ' a "." here could be a sub domain such as www.internalsite.com.phishing.org,
        ' and an "@" would turn our host name into a user name for another site
        if mid(nexturl, len(sPrefix) + 1, 1) <> "/" then
            bValid = false
        end if
    end if
else
    bValid = false
end if

if bValid then Response.Redirect nexturl

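The two approaches from this thread (Dr B's code-to-page lookup in #3 and danp129's same-host check in #6) combined as an added example. This is not code from the forum; it is written in Python rather than VBScript so it can be run and checked stand-alone, and the site name, page paths and codes are constructed.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the "urlcode" approach: the query string carries only a
# short code and the server owns the mapping to the real page, so nothing the user
# types can become a redirect target.
NEXT_PAGES = {
    "np1": "/Orders/List.asp",
    "np2": "/Account/Profile.asp",
}


def next_page_from_code(urlcode, default="/Home.asp"):
    """Resolve a urlcode to a site-relative path; unknown codes fall back to default."""
    return NEXT_PAGES.get(urlcode, default)


def is_safe_redirect(nexturl, this_site):
    """Return True only if nexturl stays on this_site (or is a site-relative path).

    Unlike a string-prefix test, this parses the URL, so the host is compared after
    any user-info ("host@other"), port and case differences have been separated out.
    """
    if "\\" in nexturl:
        # Browsers treat "\" like "/", which lets "/\other.example" escape the site.
        return False
    try:
        parts = urlsplit(nexturl.strip())
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path such as "/Home.asp?x=1"; a leading "//" would be
        # scheme-relative and point at another host, so it is refused.
        return parts.path.startswith("/") and not parts.path.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # .hostname drops user-info and port and lower-cases the host name, so
    # "www.site.com.phishing.org" and "www.site.com@other" both compare unequal.
    return parts.hostname == this_site.lower()
```

A site-relative path from the allow-list passes the same check, so both functions can sit in front of a single Response.Redirect.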