Does my RegEx block URL hacking?

I need to block all attempts at URL Hijacking. Please review my RegEx and my approach...

I will persist the whitelist in a config file.

            // requires: using System.Text.RegularExpressions;
            string sampleRedirectUrl = "https://sso.mydomain.org/?goto=http://mydomain.org3a80/myhome/";

            // pipe-separated whitelist of hosts, to be loaded from the config file
            string redirectWhitelist = "mydomain.org|sso.mydomain.org";

            // both the base URL host and the goto/returnurl target host must be in the whitelist
            string regEx = @"https?://(" + redirectWhitelist + ")/\\?(goto|returnurl)=https?://(" + redirectWhitelist + ")";

            bool isMatch = Regex.IsMatch(sampleRedirectUrl, regEx);


I verify that both the base URL and the RedirectURL are in the white list.

Does this block all attempts at URL Hijacking?

I also worry that if I key off of "?goto=" (since that is the URL that is coming back to me while debugging in Visual Studio) I would reject the standard name "returnurl".

I think I need my RegEx to allow either "goto" or "returnurl". Is my use of the OR symbol correct to force "goto" or "returnurl"? Is there ever a worry about failing ReturnURL due to case?



Thanks
newbieweb (Sr. Software Engineer)

btan (Exec Consultant) commented:
Open redirection attacks can occur when redirection URLs are passed as parameters in the URL. The ReturnURL parameter needs to be validated too. See an example (not using RegEx) that checks these parameters using "IsLocalUrl": https://weblogs.asp.net/jongalloway/preventing-open-redirection-attacks-in-asp-net-mvc

RegEx may not catch everything, and it is hard to scale and prone to error. Try to leverage the language API where possible; for ASP.NET, don't use the Redirect method at all. Instead use RedirectToLocal or, even better, RedirectToRoute or RedirectToAction. Another option is having a secret token. Caveat: this technique is vulnerable to brute force attacks if you use a weak secret.
http://www.hackerco.de/hackercode/2010/11/closing-open-redirects-efficiently.html
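As an added example (not code from the thread or from the articles btan links), here is the parse-based alternative he describes, written in C#: the redirect target is parsed with System.Uri and its host is compared exactly against the whitelist, so no pattern matching on the raw string is needed. The whitelist contents, the class and method names and the sample request URLs are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the thread: validate the redirect target by
// parsing it with System.Uri and comparing the host exactly, instead of
// pattern-matching the raw string. Whitelist and sample URLs are assumed.
public static class RedirectValidator
{
    // Assumed whitelist (the asker keeps this in a config file).
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "mydomain.org",
            "sso.mydomain.org",
        };

    // True only for an absolute http(s) URL whose host is exactly one of the
    // whitelisted hosts. Uri.Host drops scheme, userinfo, port, path, query
    // and fragment, so "mydomain.org.evil.com" or "mydomain.org@evil.com"
    // cannot pass as "mydomain.org".
    public static bool IsAllowedRedirect(string candidate)
    {
        if (string.IsNullOrEmpty(candidate) ||
            !Uri.TryCreate(candidate, UriKind.Absolute, out Uri uri))
            return false;

        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return false;   // rejects javascript:, data:, file: and friends

        return AllowedHosts.Contains(uri.Host);
    }

    // Returns the value of the "goto" or "returnurl" query parameter
    // (name compared case-insensitively) of a request URL, or null.
    public static string ExtractReturnUrl(string requestUrl)
    {
        if (!Uri.TryCreate(requestUrl, UriKind.Absolute, out Uri uri))
            return null;

        string[] pairs = uri.Query.TrimStart('?')
            .Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (string pair in pairs)
        {
            int eq = pair.IndexOf('=');
            if (eq < 0) continue;
            string name = Uri.UnescapeDataString(pair.Substring(0, eq));
            if (name.Equals("goto", StringComparison.OrdinalIgnoreCase) ||
                name.Equals("returnurl", StringComparison.OrdinalIgnoreCase))
                return Uri.UnescapeDataString(pair.Substring(eq + 1));
        }
        return null;
    }

    public static void Main()
    {
        // Constructed sample requests, not captured traffic.
        string[] samples =
        {
            "https://sso.mydomain.org/?goto=http://mydomain.org/myhome/",              // allow
            "https://sso.mydomain.org/?ReturnUrl=https%3A%2F%2Fmydomain.org%2Fhome",  // allow (name case, encoding)
            "https://sso.mydomain.org/?goto=http://mydomain.org3a80/myhome/",         // reject: host is not in the list
            "https://sso.mydomain.org/?goto=http://mydomain.org.myevilsite.com/",     // reject: whitelisted name as prefix
            "https://sso.mydomain.org/?goto=http://mydomain.org@myevilsite.com/",     // reject: whitelisted name as userinfo
            "https://sso.mydomain.org/?goto=javascript:alert(1)",                     // reject: non-http scheme
            "https://sso.mydomain.org/?goto=//myevilsite.com/",                       // reject: parses as file: or not at all
            "https://sso.mydomain.org/",                                              // reject: no target at all
        };

        foreach (string request in samples)
        {
            string target = ExtractReturnUrl(request);
            bool ok = IsAllowedRedirect(target);
            Console.WriteLine($"{(ok ? "ALLOW " : "REJECT")} {request}");
        }
    }
}
```

The point of the Uri route is that the host comparison is exact and case-insensitive by construction, and that the parser, not the application, decides where the host ends; the scheme check is what keeps javascript: and data: targets out. This only answers "is the target on a host I trust"; it says nothing about whether that host's page is one you want to send users to.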
 
louisfr commented:
I suggest escaping the redirectWhitelist string because you want things like the dots to be seen as the dot character, not as the "any character" regex special character. Also, start it with the ^ character and end it with $ if you want to match the whole url.
string escapedWhitelist = string.Join("|", redirectWhitelist.Split('|').Select(Regex.Escape)); // escape each host on its own: Regex.Escape of the whole "a|b" string would also escape the '|' (needs using System.Linq;)
string regEx = @"^https?://(" + escapedWhitelist + ")/\\?(goto|returnurl)=https?://(" + escapedWhitelist + ")$";


With the optional part you ask about in another question:
string escapedWhitelist = string.Join("|", redirectWhitelist.Split('|').Select(Regex.Escape)); // escape each host on its own: Regex.Escape of the whole "a|b" string would also escape the '|' (needs using System.Linq;)
string regEx = @"^https?://(" + escapedWhitelist + ")/(\\?(goto|returnurl)=https?://(" + escapedWhitelist + "))?$";


 
newbieweb (Author) commented:
Thanks, This was very helpful. I will look into alternatives to a redirect URL.

Meanwhile...

I do not want to end with $ since that would force me to know all iterations of a valid Return URL. Isn't it enough to require that a whitelisted Return URL is the FIRST to appear after "https?://"?

Doesn't this ensure that, even if a hacker inserted values AFTER a valid ReturnURL, that no harm could come of it?

 
louisfr commented:
If you don't want $ you should at least use ($|[/?]) to ensure that the domain is really what it appears to be.
mydomain.org.myevilsite.com would match your regex.
 
newbieweb (Author) commented:
Louis,

What exactly does [/?] do?

And I loved your suggestion that a hacker could use MyDomain as a sub-domain. I would never have thought of that!  Is it enough that I assert that a whitelisted domain must not be followed by a period in order to prevent that kind of hijacking? Or is there another way a hacker could mirror my valid domain and still hack me?
 
louisfr commented:
[/?] is a / or a ? character. That would mark the end of the domain and the start of the path after that.
 
louisfr commented:
Checking for a period right after the domain is not enough:
mydomain.organic.myevilsite.com
Checking for a period anywhere after it is too much:
mydomain.org/thepageireallywant.html
You must check it isn't immediately followed by something that cannot be part of the domain name. I think it's enough to check it's either the absolute end of the url, or ? or / or # (I forgot that possibility in my previous reply).
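The following added example (not code from any of the replies) pulls louisfr's advice together in C#: the escaping and ^ anchor from the first answer, and the later boundary check that the whitelisted host must be followed by the end of the URL, '/', '?' or '#'. It also turns on RegexOptions.IgnoreCase, which answers the asker's question about ReturnURL failing on case. The original unescaped, unanchored pattern from the question is kept beside it so the difference shows on each constructed test URL. The whitelist, class name and sample URLs are assumptions.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Added example, not code from the thread. Compares the question's original
// pattern with one built the way the replies recommend. Inputs are constructed.
public static class WhitelistRegex
{
    // Assumed whitelist, pipe-separated as in the question.
    private const string RedirectWhitelist = "mydomain.org|sso.mydomain.org";

    // Each host escaped on its own, then re-joined: "mydomain\.org|sso\.mydomain\.org".
    // (Regex.Escape on the whole string would also escape the '|' separator.)
    private static readonly string Hosts =
        string.Join("|", RedirectWhitelist.Split('|').Select(Regex.Escape));

    // The question's pattern: unescaped dots, unanchored, nothing required after the host.
    public static readonly Regex Naive = new Regex(
        "https?://(" + RedirectWhitelist + ")/\\?(goto|returnurl)=https?://(" + RedirectWhitelist + ")");

    // Hardened pattern: '^' pins the request URL to the start, hosts are escaped,
    // the redirect host must be followed by end-of-string, '/', '?' or '#', and
    // IgnoreCase accepts ReturnUrl / returnurl / RETURNURL. Whatever follows the
    // boundary is deliberately left unconstrained, as the asker wanted.
    public static readonly Regex Hardened = new Regex(
        @"^https?://(" + Hosts + @")/\?(goto|returnurl)=https?://(" + Hosts + @")($|[/?#])",
        RegexOptions.IgnoreCase);

    public static bool NaiveAccepts(string url) => Naive.IsMatch(url);
    public static bool HardenedAccepts(string url) => Hardened.IsMatch(url);

    public static void Main()
    {
        // Constructed sample requests; comments give the expected hardened result.
        string[] samples =
        {
            "https://sso.mydomain.org/?goto=http://mydomain.org/myhome/",                  // accept
            "https://sso.mydomain.org/?ReturnUrl=https://sso.mydomain.org",               // accept (naive fails on case)
            "https://sso.mydomain.org/?goto=http://mydomain.org.myevilsite.com/",         // reject: '.' follows the host
            "https://sso.mydomain.org/?goto=http://mydomain.organic.myevilsite.com/",     // reject: 'a' follows the host
            "https://sso.mydomain.org/?goto=http://mydomain.org@myevilsite.com/",         // reject: '@' follows the host
            "https://sso.mydomain.org/?goto=http://mydomainXorg/",                        // reject: unescaped '.' matched X in naive
            "http://myevilsite.com/https://sso.mydomain.org/?goto=http://mydomain.org/",  // reject: naive matches mid-string
        };

        foreach (string s in samples)
            Console.WriteLine($"naive={NaiveAccepts(s)} hardened={HardenedAccepts(s)} {s}");
    }
}
```

Running it, the naive pattern accepts every line except the mixed-case ReturnUrl one, while the hardened pattern accepts only the first two. The boundary group is what rejects the subdomain, the longer-label and the userinfo (@) variants; the ^ anchor rejects the URL that merely contains a whitelisted request further in; escaping rejects the mydomainXorg host.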
Question has a verified solution.
