One of my friends ran into this issue during a security audit, where a redirect wasn't working as expected.
Actual issue:
He was new to ASP.NET, so instead of using Forms authentication/authorization he used a plain session to track the logged-in user. On each page he checked whether the session contained valid information (user name and role) before allowing access to the internal page; if it didn't, the user was redirected to the login page.
For a normal user this worked as it should. For a hacker it did not: looking at the page responses in a proxy tool, she could see the 302 (redirect) response code together with the body of the page that was never displayed. Just by changing the status code from 302 to 200 OK she was able to see the page in the browser, and by sending it to the server again it could lead to other exceptions, or other misuse is also possible.
protected void Page_Load(object sender, EventArgs e)
{
    // ... some code to check that the user is authenticated/authorized ...
    if (failed)
    {
        // endResponse = false: the code after the redirect keeps executing
        Response.Redirect("Login.aspx?target=http://...../currentpage.aspx", false);
    }
    else
    {
        // continue with page
    }
}
Suggested Solution:
Page_Load is a stage at which our page is already loaded, so there is no benefit in passing false (which indicates not to load the page controls).
So the better place to put the validation code is the OnInit() method:
protected override void OnInit(EventArgs e)
{
    base.OnInit(e);
    // ... some code to check that the user is authenticated/authorized ...
    if (failed)
    {
        Response.Redirect("Login.aspx?target=http://...../currentpage.aspx", false);
    }
    else
    {
        // continue with page
    }
}
So I suggested that he put it in OnInit; I don't know yet whether it works. I am waiting for his response :).
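As an added example (not code from the post), here is how the OnInit check above can be written so that the protected page body never reaches the 302 response. The point to keep in mind is that Response.Redirect(url, false) only sets the status and Location header; the rest of the current request keeps running, so the page is still rendered into the response unless something stops it. The example therefore calls CompleteRequest() and returns immediately, and as a second guard overrides Render so that nothing is written while the response is being redirected. Response.Redirect(url, true) is the shorter alternative: it ends the response on the spot by throwing a ThreadAbortException that ASP.NET handles. The class names, the session keys "UserName" and "Role", and the ~/Login.aspx path are assumptions; the return target is kept relative instead of an absolute URL.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class for every internal page (name assumed, not from the post).
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Same session check as in the post; the key names are assumptions.
        string userName = Session["UserName"] as string;
        string role = Session["Role"] as string;
        bool failed = string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(role);

        if (failed)
        {
            // Relative return path (Request.RawUrl) rather than an absolute URL.
            string target = HttpUtility.UrlEncode(Request.RawUrl);
            string loginUrl = ResolveUrl("~/Login.aspx") + "?target=" + target;

            // endResponse = false avoids the ThreadAbortException, but by itself
            // lets the page lifecycle continue, so we also skip to EndRequest
            // and leave OnInit right away.
            Response.Redirect(loginUrl, false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
    }

    protected override void Render(HtmlTextWriter writer)
    {
        // Second guard: if a redirect is in progress, emit no page markup at all,
        // so the 302 carries only the redirect stub and never the protected content.
        if (Response.IsRequestBeingRedirected)
        {
            return;
        }
        base.Render(writer);
    }
}

// Hypothetical internal page; it only has to inherit from SecurePage.
public partial class CurrentPage : SecurePage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Reaching here means the session check in OnInit passed.
        string userName = (string)Session["UserName"];
        Response.Write("Hello, " + HttpUtility.HtmlEncode(userName));
    }
}
```

With this in place, a 302 seen in a proxy has no page body to expose, so rewriting the status code to 200 OK yields an empty page rather than the internal content.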
Happy Living, Happy Coding.
Thanks
Yashpal Sharma