
Disallow external pages in ASP website

Hi All,

I am using IIS 6.0 for an ASP-based website. This is an existing application, and the code was written to redirect pages to an error page whenever there is an error. Also, after some operations the pages will be redirected to other pages.

Whenever there is a URL redirection, the next URL is displayed in the address bar like:

www.ourwebsite.com/Home.asp?NextURL=http://www.externalsite.com/

We are using NextURL for transferring to internal website pages. As this is currently exposed in the address bar of the browser, it can be redirected to any page the user enters. This is a major security threat to the site.

What I want to know is whether there is any way we can avoid such URL redirections to external sites. If possible, we want to do that at the IIS level without touching our existing code.

Thanks in Advance.

Regards,
Sivakumar
Apr 24 '08 #1
siva538
Pinging ASP experts again requesting help! Please help with this question...

Thank you !
Apr 27 '08 #2
DrBunchman
So basically what you want to do is store the url of the next page somewhere other than the querystring?

You could do this by passing a code through the querystring which represents the URL. You'd have to convert this code into the actual URL within your code. Something like:

FirstPage.asp?urlcode=np1

Then your code could be:

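```vbscript
<%
' Map a short code from the querystring to a fixed URL,
' so the redirect target never comes from user input.
Dim sNextPage
Select Case Request.QueryString("urlcode")
    Case "np1"
        sNextPage = "www.NextPage1.co.uk"
    Case Else
        ' Unknown or missing codes fall back to a default page
        sNextPage = "www.NextPage2.co.uk"
End Select
%>
```
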
Is this a feasible solution to your problem or have I misunderstood?

Hope this helps,

Dr B
Apr 28 '08 #3
danp129
How is it a security threat if the user changes it and redirects themselves to a different website? Are you logging "nexturl" into a database and then displaying that URL later for other people to click on?
Apr 28 '08 #4
siva538
> How is it a security threat if the user changes it and redirects themselves to a different website? Are you logging "nexturl" into a database and then displaying that URL later for other people to click on?

Sorry for the delay in answering this question.

If some hacker puts in a wrong URL/phishing site and they are not stopped, it might lead the user to misinterpret it as a benign site, and there is a threat of credentials being harvested there.
May 7 '08 #5
danp129
It would be difficult to account for every possible valid internal link. It would be best to set nexturl in a session variable or use Dr B's example.

Here's a very basic validation that only allows URLs starting with "http://www.internalsite.com" and does not allow https/ftp or usernames encoded within the URL.
```vbscript
<%
' Compare in lower case, but redirect to the URL exactly as it was supplied.
Dim nexturl: nexturl = Request("nexturl")
Dim ThisSite: ThisSite = Request.ServerVariables("SERVER_NAME")
Dim sPrefix: sPrefix = LCase("http://" & ThisSite)

Dim bValid: bValid = True

If InStr(1, LCase(nexturl), sPrefix) = 1 Then
    If Len(nexturl) > Len(sPrefix) Then
        ' The host name must end here, so the next character has to be "/".
        ' Anything else (".", "@", ":", a letter) could extend or replace the host,
        ' e.g. a sub domain such as www.internalsite.com.phishing.org
        If Mid(nexturl, Len(sPrefix) + 1, 1) <> "/" Then
            bValid = False
        End If
    End If
Else
    bValid = False
End If

If bValid Then Response.Redirect nexturl
%>
```
May 7 '08 #6
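
A stricter variant of the host check discussed in this thread, as an added example that is not part of any post: it extracts the authority part of NextURL and compares the host exactly instead of by prefix. HostOf, SafeNextUrl and the "/Home.asp" fallback are assumptions made for illustration, and the policy (plain http only, no port, no userinfo) is deliberately narrow.

```vbscript
<%
' Added example, not code from the thread. HostOf and SafeNextUrl are
' hypothetical helper names; "/Home.asp" is the fallback page assumed here.

' Returns the lower-cased host of an absolute http:// URL, or "" when the URL
' is not plain http or carries userinfo ("user@") or a port in its authority.
Function HostOf(sUrl)
    Dim sRest, i, ch, iEnd
    HostOf = ""
    If LCase(Left(sUrl, 7)) <> "http://" Then Exit Function
    sRest = Mid(sUrl, 8)
    ' The authority part ends at the first "/", "\", "?" or "#".
    iEnd = Len(sRest) + 1
    For i = 1 To Len(sRest)
        ch = Mid(sRest, i, 1)
        If ch = "/" Or ch = "\" Or ch = "?" Or ch = "#" Then
            iEnd = i
            Exit For
        End If
    Next
    sRest = Left(sRest, iEnd - 1)
    If InStr(sRest, "@") > 0 Or InStr(sRest, ":") > 0 Then Exit Function
    HostOf = LCase(sRest)
End Function

' Returns sNextUrl when its host is exactly sHost, otherwise sDefault.
Function SafeNextUrl(sNextUrl, sHost, sDefault)
    SafeNextUrl = sDefault
    If Len(sHost) = 0 Or Len(sNextUrl) = 0 Then Exit Function
    ' CR/LF must never reach the Location header.
    If InStr(sNextUrl, vbCr) > 0 Or InStr(sNextUrl, vbLf) > 0 Then Exit Function
    If HostOf(sNextUrl) = LCase(sHost) Then SafeNextUrl = sNextUrl
End Function

' "" & ... forces the request values to plain strings before they are passed on.
Dim sTarget
sTarget = SafeNextUrl("" & Request.QueryString("NextURL"), _
                      "" & Request.ServerVariables("SERVER_NAME"), _
                      "/Home.asp")
Response.Redirect sTarget
%>
```

Kept in an include file, the two functions can stand in for each place that passes NextURL straight to Response.Redirect.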
