ADX Portal – Prevent URL redirection

January 28, 2020

Recently our ADX portal underwent penetration testing (also called ‘ethical hacking’) and we received the following recommendation:

Prevent on-domain URL redirection. All URL redirection should be validated to only redirect to approved domains and/or URLs.

Reason:

  • In the ADX portal, whenever you sign out or the session expires on a particular web page, the portal takes you back to the web page you were on before you signed out.
  • The ADX portal achieves this by appending a ‘ReturnURL’ parameter to the login URL. ‘ReturnURL’ contains the path of the web page you were on before you signed out.

[Screenshot: ADX_Redirect_2]

What’s the harm with this behavior?

  • The ADX portal redirects to whatever URL it finds in ‘ReturnURL’ without checking it.
  • An attacker can therefore use the portal to send users to a site of their choosing (phishing).
    • As an example, the attacker can mail you a link that starts with the genuine portal URL but carries ‘ReturnURL=http://myphishingsite.com’.
    • If the user believes it is a genuine portal URL and signs in, the portal redirects them to myphishingsite.com because that is the value in ‘ReturnURL’. The user has just authenticated on the real site, so a look-alike login page at the destination is very convincing.

How to handle this in the ADX website?

  • We modified the ‘Login’ logic to ignore ‘ReturnURL’ and always redirect users to the portal’s home page.
  • All we needed to do was
    • set returnUrl = "/" in the ‘Login’ function of ‘LoginController.cs’.

[Screenshot: ADX_Redirect_1]

  • We could also modify the logic to allow redirection only to an approved set of URLs. If you go that way, validate properly: a naive check such as “starts with /” still lets ‘//myphishingsite.com’ through, because browsers treat a protocol-relative URL as a different host. ASP.NET MVC’s Url.IsLocalUrl already handles these cases for same-site paths.
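As an added example (this is not code from the ADX portal or from this post), here is how the ‘Login’ action of an ASP.NET MVC 5 controller such as LoginController.cs could handle ReturnUrl safely. It keeps the post’s blunt fix as a comment and shows the two validated alternatives: the framework’s own Url.IsLocalUrl check for same-site paths, and an allowlist of approved external hosts. LoginViewModel, the SignInAsync helper and the host names are assumptions made for the example.

```csharp
// Added example, not the portal's own code. Assumes an ASP.NET MVC 5
// controller; LoginViewModel and SignInAsync are hypothetical stand-ins
// for the portal's existing credential check, which is left unchanged.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using System.Web.Mvc;

public class LoginViewModel
{
    public string Username { get; set; }
    public string Password { get; set; }
}

public class LoginController : Controller
{
    // External hosts that ReturnUrl may point at. Hypothetical values;
    // in a real portal these would come from configuration.
    private static readonly HashSet<string> AllowedRedirectHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "portal.example.com",
            "docs.example.com",
        };

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Hypothetical helper: the portal's existing sign-in logic.
        bool signedIn = await SignInAsync(model);
        if (!signedIn)
        {
            ModelState.AddModelError("", "Invalid login attempt.");
            return View(model);
        }

        // The post's fix: ignore ReturnUrl completely and always go home.
        // return Redirect("/");

        // Less blunt: follow ReturnUrl only when it passes validation.
        return Redirect(SafeReturnUrl(returnUrl));
    }

    // Returns returnUrl when it is acceptable, otherwise the home page.
    private string SafeReturnUrl(string returnUrl)
    {
        const string home = "/";
        if (string.IsNullOrWhiteSpace(returnUrl))
        {
            return home;
        }

        // Url.IsLocalUrl accepts "/path" and "~/path" and rejects absolute
        // URLs as well as "//evil.com" and "/\evil.com", which browsers
        // would resolve to a different host.
        if (Url.IsLocalUrl(returnUrl))
        {
            return returnUrl;
        }

        // Allowlist for approved external destinations: parse as an
        // absolute URI, require https and an exact host match. This rejects
        // "https://portal.example.com.evil.net" (host differs) and
        // "javascript:..." (scheme differs).
        Uri target;
        if (Uri.TryCreate(returnUrl, UriKind.Absolute, out target)
            && target.Scheme == Uri.UriSchemeHttps
            && AllowedRedirectHosts.Contains(target.Host))
        {
            return target.AbsoluteUri;
        }

        return home;
    }

    // Hypothetical: replace with the portal's real authentication call.
    private Task<bool> SignInAsync(LoginViewModel model)
    {
        return Task.FromResult(!string.IsNullOrEmpty(model.Username));
    }
}
```

The host comparison is deliberately an exact, case-insensitive match on Uri.Host rather than a Contains or EndsWith test, since substring checks are the usual way allowlists get bypassed. The scheme check matters too: on Windows, Uri.TryCreate will happily parse "//evil.com" as a UNC file URI, so without it a protocol-relative value could slip past the allowlist.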

🙂

