3

I'm using ASP.NET Membership and Form Authentication and before redirecting to the returnURL I wanted to validate it. For those unfamiliar with the workflow, basically if you request a page that requires that you are authenticated, you are redirected to a login page. In the URL string you'll see a parameter called returnURL, e.g. http://example.com/login.aspx?ReturnUrl=%2fprotected%2fdefault.aspx

Whether you use this in a redirect such as Response.Redirect(returnURL) or indirectly through the FormsAuthentication.RedirectFromLoginPage method, it passes without validating returnURL. FormsAuthentication.RedirectFromLoginPage does have a security check that it is isn't leaving the domain, but that still doesn't stop someone from putting enough random characters to cause an error.

I tried using System.IO.File.Exists(Server.MapPath(returnURL)) but given enough illegal characters it cause Server.MapPath to error.

Note: URLEncoding doesn't work because we are not cleaning a parameter, but the primary URL.

Any other suggestions for validating or cleaning the returnURL value?

Josh
  • 7,099
  • 11
  • 65
  • 109

1 Answers1

2

This post explains the anatomy of the ReturnURL http://blogs.msdn.com/vijaysk/archive/2008/01/24/anatomy-of-forms-authentication-return-url.aspx

As you rightly state, the domain is checked, so along with encrypting your authentication cookie, and ensuring you use https I think the only thing you can do to to stop an invalid ReturnURL is to just ignore it, and redirect all logins to the home page or top level of you site letting users then navigate back via the menu. A good example of this is when you log into hotmail.

hearn
  • 1,007
  • 7
  • 8
  • Good article about returnURL, but I'm looking for recommendations of validating it. – Josh Feb 20 '10 at 14:48
  • hmm. Maybe just create a RegEx expression for a whitelist of allowed chars and run the returnURL value through that? Here's a post to a similar issue for allowed HTML chars: http://stackoverflow.com/questions/307013/how-do-i-filter-all-html-tags-except-a-certain-whitelist – hearn Feb 22 '10 at 17:50
  • I'm looking to see if anyone good working example of a URL cleaner, RegEx would likely be right approach. – Josh Feb 23 '10 at 21:17
  • Im not a RegEx master, but this looks like it might to the trick: http://stackoverflow.com/questions/161738/what-is-the-best-regular-expression-to-check-if-a-string-is-a-valid-url – hearn Feb 24 '10 at 17:16