I need to block all attempts at URL Hijacking. Please review my RegEx and my approach...
I will persist the whitelist in a config file.
using System.Text.RegularExpressions;
// Sample SSO URL whose goto parameter carries the return address.
string sampleRedirectUrl = "https://sso.mydomain.org/?goto=http://mydomain.org3a80/myhome/";
// Allowed hosts (to be loaded from config), written as regex alternatives.
string redirectWhitelist = "mydomain.org|sso.mydomain.org";
// Both the base URL host and the goto/returnurl host must come from the whitelist.
string regEx = @"https?://(" + redirectWhitelist + ")/\\?(goto|returnurl)=https?://(" + redirectWhitelist + ")";
bool isMatch = Regex.IsMatch(sampleRedirectUrl, regEx);
I verify that both the base URL and the redirect URL are in the whitelist.
Does this block all attempts at URL Hijacking?
I also worry that if I key off of "?goto=" (since that is the URL that is coming back to me while debugging in Visual Studio) I would reject the standard name:
I think I need my RegEx to allow either "goto" or "returnurl". Is my use of the OR symbol correct to force "goto" or "returnurl"? Is there ever a worry about failing ReturnURL due to case?
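A host-based alternative to the prefix regex, added here as an example that is not part of the question: it parses the SSO URL and the embedded return URL with System.Uri and compares each parsed host against the whitelist exactly. The unanchored regex above accepts the question's own sample because "mydomain.org" is a prefix of "mydomain.org3a80"; the names AllowedHosts, ReturnKeys, IsSafeRedirect and GetReturnUrl are assumptions, and the evil.example host is a constructed test value.

```csharp
using System;
using System.Collections.Generic;

// Added example, not the asker's code: validates a redirect by parsed host, not by regex prefix.
static class RedirectValidator
{
    // Exact hosts a redirect may land on (the question's two names). Exact match, not a prefix:
    // "mydomain.org3a80" and "mydomain.org.evil.example" are different hosts.
    static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "mydomain.org", "sso.mydomain.org" };

    // Query keys that carry the return address; compared case-insensitively so ReturnURL also works.
    static readonly string[] ReturnKeys = { "goto", "returnurl" };

    // True only when the SSO URL itself and the return URL it carries both resolve to allowed hosts.
    public static bool IsSafeRedirect(string ssoUrl)
    {
        if (!Uri.TryCreate(ssoUrl, UriKind.Absolute, out Uri sso) || !AllowedHosts.Contains(sso.Host))
            return false;
        string target = GetReturnUrl(sso);
        if (target == null)
            return false;
        // Parse the target and check scheme and parsed host. Uri.Host excludes userinfo
        // ("mydomain.org@evil.example") and the port, so those parts cannot spoof the host.
        if (!Uri.TryCreate(target, UriKind.Absolute, out Uri dest))
            return false;
        if (dest.Scheme != Uri.UriSchemeHttp && dest.Scheme != Uri.UriSchemeHttps)
            return false;
        return AllowedHosts.Contains(dest.Host);
    }

    // Returns the value of the first goto/returnurl parameter, percent-decoded, or null if absent.
    static string GetReturnUrl(Uri uri)
    {
        foreach (string pair in uri.Query.TrimStart('?').Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq < 0) continue;
            string key = Uri.UnescapeDataString(pair.Substring(0, eq));
            foreach (string k in ReturnKeys)
                if (string.Equals(key, k, StringComparison.OrdinalIgnoreCase))
                    return Uri.UnescapeDataString(pair.Substring(eq + 1));
        }
        return null;
    }
}
```

With this check, "https://sso.mydomain.org/?ReturnURL=https://mydomain.org/myhome/" is accepted, while the question's sample (host mydomain.org3a80) and a constructed "?goto=http://mydomain.org@evil.example/" are both rejected.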