Preventing Open Redirection Attackshttp://asp.netFri, 26 Apr 2013 05:18:13 GMTumbracoComments for Preventing Open Redirection AttacksenComment Posted by nachidhttp://asp.net/mvc/tutorials/security/preventing-open-redirection-attacksThu, 30 Dec 2010 13:40:01 GMT00000000-0000-0000-0000000011365Thank you so much

I am using MVC3 and I did not note this option

]]>Comment Posted by larsenutah08http://asp.net/mvc/tutorials/security/preventing-open-redirection-attacksMon, 17 Jan 2011 18:02:01 GMT00000000-0000-0000-0000000011579Thank you for showing the codes. It helps me.

]]>Comment Posted by crossmonkhttp://asp.net/mvc/tutorials/security/preventing-open-redirection-attacksTue, 23 Aug 2011 07:51:01 GMT00000000-0000-0000-0000000014014What's this "FormsService" then? Oh, it's a magical class not part of the framework that you've created for this demo....but haven't explained?

]]>Comment Posted by ricka6http://asp.net/mvc/tutorials/security/preventing-open-redirection-attacksWed, 26 Oct 2011 14:29:52 GMT00000000-0000-0000-0000000014503crossmonk : What's this "FormsService" then?

No, it's part of the framework, specifically System.Web.Security. In MVC 2, this code is generated for you. See msdn.microsoft.com/ or create a MVC 2 project. It's not used in MVC 3 and higher.

]]>Comment Posted by ANILBABUhttp://asp.net/mvc/tutorials/security/preventing-open-redirection-attacksWed, 01 Aug 2012 02:41:30 GMT00000000-0000-0000-0000000016082What is URL REDIRECTION?How can i use this concept in my .net?

my task is i have generated one url like this "example.com/"

I am passing one pearameter like "example.com/"

I want to display Ename in Database table that corresponding "Empno"

plz Help me Give me one simple example

I am new this concepts

plz Help me send source code to my mailID:mandla.anilbabu@gmail.com

]]>Comment Posted by vijay.jangidhttp://asp.net/mvc/tutorials/security/preventing-open-redirection-attacksWed, 03 Oct 2012 03:01:09 GMT00000000-0000-0000-0000000016568Indeed a good (must learn) tutorial.

Thanks Jon.

]]>Comment Posted by hotfusionhttp://asp.net/mvc/tutorials/security/preventing-open-redirection-attacksSat, 13 Oct 2012 01:50:49 GMT00000000-0000-0000-0000000016612Thanks for the article - it's really great.

But I don't understand how changed redirect url gets to an ordinary user ?

If a hacker changes return url - it's only changed in his browser, right ?

Did I miss something ?

]]>Comment Posted by ahzzzhttp://asp.net/mvc/tutorials/security/preventing-open-redirection-attacksWed, 31 Oct 2012 16:49:59 GMT00000000-0000-0000-0000000016717I was working on MVC4 and I had Url.IsLocalUrl in MVC3.

However it gave different results once upgrade to MVC4.

In MVC3, these 2 evaluates to true.

Assert.IsTrue(sut.Url.IsLocalUrl("http://localhost/blah"));

Assert.IsTrue(sut.Url.IsLocalUrl("http://localhost"));

While in MVC4, they return false;

Reflecting against the code, it's calling WebPages.RequestExtensions.IsUrlLocalToHost(url) method.

Instead of matching Uri.Host, this method has changed to look at starting char of ~/ and / or \.

]]>Comment Posted by liquidthoughtshttp://asp.net/mvc/tutorials/security/preventing-open-redirection-attacksFri, 26 Apr 2013 05:16:12 GMT00000000-0000-0000-0000000018988I really dont understand the short sightedness of Microsoft devs.

bool isLocal = !url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)

&& !url.StartsWith("https:", StringComparison.OrdinalIgnoreCase)

&& Uri.IsWellFormedUriString(url, UriKind.Relative);

Why would you assume that a url starting with HTTP or HTTPS is not a local URL? If I have a site with the login url as store.com/://store.com/cart what happens now?

]]>Comment Posted by liquidthoughtshttp://asp.net/mvc/tutorials/security/preventing-open-redirection-attacksFri, 26 Apr 2013 05:18:13 GMT00000000-0000-0000-0000000018989so http ://store.com/login ? http ://store.com/cart would fail?

]]>