  #1  
Old April 27th, 2008, 05:11 PM
Member
 
Join Date: Jun 2007
Posts: 44
Disallow External Websites

Hi All,

I am using IIS 6.0 for an ASP-based website. This is an existing application, and the code was written to redirect pages to an error page whenever there is an error. Also, after some operations the pages will be redirected to other pages.

Whenever there is a URL redirection, the next URL is displayed in the address bar, like:

www.ourwebsite.com/Home.asp?NextURL=http://www.externalsite.com/

NextURL we are using for transferring to internal website pages. As this is currently exposed in the address bar of the browser, it can be redirected to any page the user enters. This is a major security threat to the site.

What I want to know is whether there is any way we can avoid such URL redirections to external sites. If possible, we want to do that at the IIS level without touching our existing code.

Thanks in Advance.

* posting this in IIS group as well, as this is related to IIS. Earlier this was posted to ASP group but no luck :(

Regds,
Sivakumar
  #2  
Old April 28th, 2008, 01:06 PM
Moderator
 
Join Date: Dec 2006
Posts: 4,664
Default

I believe that this is usually done through a proxy server not IIS. Alternatively deal with this in the application. HTH.

You need to choose which forum to post in and not both. Thanks.
  #3  
Old April 28th, 2008, 07:33 PM
Member
 
Join Date: Jun 2007
Posts: 44
Default

Quote:
Originally Posted by kenobewan
I believe that this is usually done through a proxy server not IIS. Alternatively deal with this in the application. HTH.

You need to choose which forum to post in and not both. Thanks.
Thanks Kenobewan for your reply !

Can you please explain in detail about the proxy implementation.

Using application code is the last resort of mine !

Yep I agree for that, but in the other forum I didn't get any inputs from the people.

Regds,
Sivakumar
  #4  
Old April 29th, 2008, 01:38 PM
Moderator
 
Join Date: Dec 2006
Posts: 4,664
Default

Afraid my first assumption looks to be incorrect; I saw internal and assumed network.

So your least favoured may be your best option. Doesn't have to be complicated, but I want to understand the security threat. If they are redirected, what is the security threat? The risk appears to be the users if they enter another site in the URL. If there is no SQL then I see the risk as low.

Please let me know if I am barking up the wrong tree again :).
Quote:
Originally Posted by siva538
Thanks Kenobewan for your reply !

Can you please explain in detail about the proxy implementation.

Using application code is the last resort of mine !

Yep I agree for that, but in the other forum I didn't get any inputs from the people.

Regds,
Sivakumar
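
Handling this in the application, as post #4 suggests, could look like the following check for classic ASP (VBScript). It is an added example, not code from the thread: `IsLocalPath`, `SafeNextUrl` and `DEFAULT_PAGE` are hypothetical names, and it assumes NextURL only ever needs to carry a root-relative path on the same site.

```vbscript
<%
' Added example, not code from the thread. Assumption: NextURL only ever
' names a page on this site, written as a root-relative path such as
' /Orders/List.asp. DEFAULT_PAGE is a hypothetical fallback target.
Const DEFAULT_PAGE = "/Home.asp"

' True only when target is a path on this site.
Function IsLocalPath(ByVal target)
    Dim re
    Set re = New RegExp
    ' Exactly one leading "/": the next character may not be "/" or "\",
    ' because browsers resolve //host and /\host to another site.
    ' No backslash or control character (CR, LF, TAB) anywhere, which also
    ' keeps the value from splitting the Location header.
    ' Absolute URLs such as http://host/ fail because they do not start
    ' with "/".
    re.Pattern = "^/([^/\\\x00-\x1f][^\\\x00-\x1f]*)?$"
    ' & "" turns Null or Empty into an empty string, which does not match.
    IsLocalPath = re.Test(target & "")
End Function

' Returns target when it is local, otherwise the fallback page.
Function SafeNextUrl(ByVal target)
    If IsLocalPath(target) Then
        SafeNextUrl = target
    Else
        SafeNextUrl = DEFAULT_PAGE
    End If
End Function

' Request.QueryString returns the value already URL-decoded, so the check
' runs on the same string that Response.Redirect will send.
Response.Redirect SafeNextUrl(Request.QueryString("NextURL") & "")
%>
```

Placing the two functions in a shared include file lets every page that reads NextURL call the same check before redirecting.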