csharp.lang.security.open-redirect.open-redirect

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

A query string parameter may contain a URL value that could cause the web application to redirect the request to a malicious website controlled by an attacker. Make sure to sanitize this parameter sufficiently.

Run Locally

Run in CI

Defintion

rules:
  - id: open-redirect
    mode: taint
    pattern-sources:
      - patterns:
          - pattern: $PARAM
          - pattern-inside: |
              public $TYPE $FUNCNAME (..., string $PARAM, ...) {
                ...
              }
    pattern-sinks:
      - patterns:
          - pattern: Redirect(...)
          - pattern-not-inside: |
              if (IsLocalUrl(...)) { 
                  ... 
                  Redirect(...); 
                  ...
              }
          - pattern-not-inside: |
              if ($URL.IsLocalUrl(...)) { 
                  ... 
                  Redirect(...); 
                  ...
              }
    message: A query string parameter may contain a URL value that could cause the
      web application to redirect the request to a malicious website controlled
      by an attacker. Make sure to sanitize this parameter sufficiently.
    metadata:
      category: security
      technology:
        - csharp
      cwe:
        - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
      references:
        - https://cwe.mitre.org/data/definitions/601.html
      owasp:
        - A01:2021 - Broken Access Control
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - csharp
    severity: ERROR

Examples

open-redirect.cs

[HttpPost]
public ActionResult LogOn(LogOnModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        if (MembershipService.ValidateUser(model.UserName, model.Password))
        {
            FormsService.SignIn(model.UserName, model.RememberMe);
            if (!String.IsNullOrEmpty(returnUrl))
            {
                // ruleid: open-redirect
                return Redirect(returnUrl);
            }
            else
            {
                return RedirectToAction("Index", "Home");
            }
        }
        else
        {
            ModelState.AddModelError("",
            "The user name or password provided is incorrect.");
        }
    }
}


[HttpPost]
public ActionResult LogOn(LogOnModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        if (MembershipService.ValidateUser(model.UserName, model.Password))
        {
            FormsService.SignIn(model.UserName, model.RememberMe);
            if (IsLocalUrl(returnUrl))
            {
                // ok: open-redirect
                return Redirect(returnUrl);
            }
            else
            {
                return RedirectToAction("Index", "Home");
            }
        }
        else
        {
            ModelState.AddModelError("",
            "The user name or password provided is incorrect.");
        }
    }
}

[HttpPost]
public ActionResult LogOn(LogOnModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        if (MembershipService.ValidateUser(model.UserName, model.Password))
        {
            FormsService.SignIn(model.UserName, model.RememberMe);
            if (Url.IsLocalUrl(returnUrl))
            {
                // ok: open-redirect
                return Redirect(returnUrl);
            }
            else
            {
                return RedirectToAction("Index", "Home");
            }
        }
        else
        {
            ModelState.AddModelError("",
            "The user name or password provided is incorrect.");
        }
    }
}