asp.net - How to prevent open redirection attacks?

Question

what is the best approach to prevent open redirection attacks.Currently i am developing asp.net website.I want to make sure not to redirect the users to external links up on successful login?

Edit: Is it possible implement the solution without changing the existing code?

Answer 1

I'm assuming you're using the login control. You should hook-up a check that the ReturnUrl parameter is a local url (and not one pointing to a different domain). The loggedin event would be a good place to do something like this:

void OnLoggedIn(object sender, EventArgs e)
{
    string returnto = Request.QueryString["ReturnUrl"];
    if (returnto != "" and isLocalUrl(returnto)) Response.Redirect(returnto);
}

where you can use the definition of IsLocalUrl given here

private bool IsLocalUrl(string url)
{
    if (string.IsNullOrEmpty(url))
    {
        return false;
    }

    Uri absoluteUri;
    if (Uri.TryCreate(url, UriKind.Absolute, out absoluteUri))
    {
        return String.Equals(this.Request.Url.Host, absoluteUri.Host, 
                    StringComparison.OrdinalIgnoreCase);
    }
    else
    {
        bool isLocal = !url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)
            && !url.StartsWith("https:", StringComparison.OrdinalIgnoreCase)
            && Uri.IsWellFormedUriString(url, UriKind.Relative);
        return isLocal;
    }
}