
Disallow External Websites

Member
 
Join Date: Jun 2007
Posts: 44
#1: Apr 27 '08
Hi All,

I am using IIS 6.0 for an ASP-based website. This is an existing application, and the code was written to redirect pages to an error page whenever there is an error. Also, after some operations the pages will be redirected to other pages.

Whenever there is a URL redirection, the next URL is displayed in the address bar like:

www.ourwebsite.com/Home.asp?NextURL=http://www.externalsite.com/

We are using NextURL for transferring to internal website pages. As this is currently exposed in the address bar of the browser, it can be redirected to any page the user enters. This is a major security threat to the site.

What I want to know is whether there is any way we can avoid such URL redirections to external sites. If possible, we want to do that at the IIS level without touching our existing code.

Thanks in advance.

* posting this in IIS group as well, as this is related to IIS. Earlier this was posted to ASP group but no luck :(

Regds,
Sivakumar
kenobewan
Moderator
 
Join Date: Dec 2006
Posts: 4,745
#2: Apr 28 '08

re: Disallow External Websites


I believe that this is usually done through a proxy server, not IIS. Alternatively, deal with this in the application. HTH.

You need to choose which forum to post in and not both. Thanks.
Member
 
Join Date: Jun 2007
Posts: 44
#3: Apr 28 '08

re: Disallow External Websites


Quote:

Originally Posted by kenobewan

I believe that this is usually done through a proxy server, not IIS. Alternatively, deal with this in the application. HTH.

You need to choose which forum to post in and not both. Thanks.

Thanks, Kenobewan, for your reply!

Can you please explain in detail about the proxy implementation?

Using application code is the last resort of mine!

Yep, I agree with that, but in the other forum I didn't get any input from people.

Regds,
Sivakumar
kenobewan
Moderator
 
Join Date: Dec 2006
Posts: 4,745
#4: Apr 29 '08

re: Disallow External Websites


Afraid my first assumption looks to be incorrect; I saw internal and assumed network.

So your least favoured may be your best option. It doesn't have to be complicated, but I want to understand the security threat. If they are redirected, what is the security threat? The risk appears to be the users if they enter another site in the URL. If there is no SQL then I see the risk as low.

Please let me know if I am barking up the wrong tree again :).
Quote:

Originally Posted by siva538

Thanks, Kenobewan, for your reply!

Can you please explain in detail about the proxy implementation?

Using application code is the last resort of mine!

Yep, I agree with that, but in the other forum I didn't get any input from people.

Regds,
Sivakumar
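
One way to handle the NextURL parameter in the application, as reply #4 suggests. This is an added example in classic ASP VBScript, not code from the thread; the helper name IsLocalRedirect, the sample path in the comment, and the root-level /Home.asp fallback are assumptions.

```vbscript
' Added example, not from the thread. Place inside a <% ... %> block.
' IsLocalRedirect is a hypothetical helper name.
' Returns True only for a root-relative path on this site,
' e.g. "/Orders.asp?id=1" (constructed sample value).
Function IsLocalRedirect(ByVal target)
    Dim i, code, second
    IsLocalRedirect = False

    ' Only "/path" is accepted: this excludes "http://...",
    ' "javascript:..." and bare host names.
    If Len(target) = 0 Then Exit Function
    If Left(target, 1) <> "/" Then Exit Function

    ' "//host" and "/\host" are read by browsers as another host.
    If Len(target) > 1 Then
        second = Mid(target, 2, 1)
        If second = "/" Or second = "\" Then Exit Function
    End If

    ' Reject control characters: CR/LF could split the Location header,
    ' and browsers drop tabs and newlines, turning "/<tab>/host" into "//host".
    For i = 1 To Len(target)
        code = AscW(Mid(target, i, 1))
        If (code >= 0 And code < 32) Or code = 127 Then Exit Function
    Next

    IsLocalRedirect = True
End Function

Dim nextUrl
' Concatenating with "" coerces a missing parameter to an empty string.
nextUrl = "" & Request.QueryString("NextURL")

If IsLocalRedirect(nextUrl) Then
    Response.Redirect nextUrl
Else
    ' Assumed safe default; Home.asp is the page named in the question.
    Response.Redirect "/Home.asp"
End If
```

If the application passes page names without a leading slash, compare NextURL against a fixed list of allowed pages instead of relaxing the prefix check.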