Does my RegEx block URL hacking?

I need to block all attempts at URL Hijacking. Please review my RegEx and my approach...

I will persist the whitelist in a config file.

            using System.Text.RegularExpressions;

            // values as posted; the whitelist is a "|"-separated list of allowed hosts read from config
            string sampleRedirectUrl = "";
            string redirectWhitelist = "|";

            // base URL host must be whitelisted, then /?goto= or /?returnurl= must point at a whitelisted host
            string regEx = @"https?://(" + redirectWhitelist + ")/\\?(goto|returnurl)=https?://(" + redirectWhitelist + ")";

            bool isMatch = Regex.IsMatch(sampleRedirectUrl, regEx);

I verify that both the base URL and the RedirectURL are in the white list.

Does this block all attempts at URL Hijacking?

I also worry that if I key off of "?goto=" (since that is the URL that is coming back to me while debugging in Visual Studio) I would reject the standard name:

I think I need my RegEx to allow either "goto" or "returnurl". Is my use of the OR symbol correct to force "goto" or "returnurl"? Is there ever a worry about failing ReturnURL due to case?

newbieweb (Sr. Software Engineer) asked:
btan (Exec Consultant) commented:
Open redirection attacks can occur when redirection URLs are passed as parameters in the URL. The ReturnURL parameter needs to be validated too. See an example (not using RegEx) that checks these parameters using "IsLocalUrl" -

RegEx may not be a catch-all, and it is hard to scale and prone to error. Try to leverage the language API where possible, for example: don't use the Redirect method at all. Instead use RedirectToLocal or, even better, RedirectToRoute or RedirectToAction. Another option is having a secret token. Caveat: this technique is vulnerable to brute force attacks if you use a weak secret.
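The non-regex approach btan points at, written out as an added example (this is my own code, not btan's and not the ASP.NET framework source): a local-path check modelled on MVC's Url.IsLocalUrl, plus a System.Uri-based host comparison for absolute targets. The allowed host list and the sample parameter values are constructed for the example; in the asker's setup the list would come from the config file.

```csharp
using System;
using System.Linq;

public static class RedirectValidator
{
    // Constructed sample whitelist; the asker would load this from the config file.
    static readonly string[] AllowedHosts = { "www.example.com", "login.example.com" };

    // Modelled on ASP.NET MVC's Url.IsLocalUrl (own implementation, not the framework's):
    // accept only a path on this site. A single leading "/" is local; "//host" and "/\host"
    // are protocol-relative, would leave the site, and are rejected.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        return true;
    }

    // For absolute targets, let System.Uri do the parsing and compare the host exactly.
    // The exact, case-insensitive comparison is what stops "www.example.com.evil.test"
    // from passing as "www.example.com"; a prefix or substring check would not.
    public static bool IsAllowedAbsoluteUrl(string url)
    {
        if (!Uri.TryCreate(url, UriKind.Absolute, out Uri uri)) return false;
        // Check the scheme explicitly: on some platforms "//host/x" parses as a file: URI
        // instead of failing, so a successful parse on its own proves nothing.
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return false;
        return AllowedHosts.Any(h => string.Equals(h, uri.Host, StringComparison.OrdinalIgnoreCase));
    }

    // The goto / returnurl value is accepted if it is either local or on an allowed host.
    public static bool IsSafeRedirect(string url) => IsLocalUrl(url) || IsAllowedAbsoluteUrl(url);

    public static void Main()
    {
        // Constructed sample values as they would arrive in the returnurl / goto parameter.
        string[] samples =
        {
            "/account/settings",                    // local path: allowed
            "//evil.test/phish",                    // protocol-relative: rejected
            "https://login.example.com/dashboard",  // whitelisted host: allowed
            "https://www.example.com.evil.test/",   // whitelisted host used as a subdomain: rejected
            "ftp://www.example.com/",               // right host, wrong scheme: rejected
        };
        foreach (string url in samples)
            Console.WriteLine($"{IsSafeRedirect(url),-5} {url}");
    }
}
```

Feed this the value of the parameter, not the whole request URL: Request.QueryString has already percent-decoded it, so "https%3A%2F%2F..." arrives as "https://...". Once a target passes, RedirectToLocal or RedirectToAction (as btan suggests) is still preferable to a raw Redirect, since then only the local branch is ever needed.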

I suggest escaping the redirectWhitelist string because you want things like the dots to be seen as the dot character, not as the "any character" regex special character. Also, start it with the ^ character and end it with $ if you want to match the whole url.
// Regex.Escape also escapes "|", so if the whitelist is a "|"-separated list each entry must be escaped on its own
string escapedWhitelist = string.Join("|", redirectWhitelist.Split('|').Select(Regex.Escape)); // needs using System.Linq;
string regEx = @"^https?://(" + escapedWhitelist + ")/\\?(goto|returnurl)=https?://(" + escapedWhitelist + ")$";


With the optional part you ask about in another question:
// as above, escape each "|"-separated entry on its own; the whole ?goto=/?returnurl= part is optional here
string escapedWhitelist = string.Join("|", redirectWhitelist.Split('|').Select(Regex.Escape)); // needs using System.Linq;
string regEx = @"^https?://(" + escapedWhitelist + ")/(\\?(goto|returnurl)=https?://(" + escapedWhitelist + "))?$";


newbieweb (Sr. Software Engineer, Author) commented:
Thanks, this was very helpful. I will look into alternatives to a redirect URL.

I do not want to end with $ since that would force me to know all iterations of a valid Return URL. Isn't it enough to require that a whitelisted Return URL is the FIRST to appear after "https?://"?

Doesn't this ensure that, even if a hacker inserted values AFTER a valid ReturnURL, that no harm could come of it?

If you don't want $, you should at least use ($|[/?]) to ensure that the domain is really what it appears to be. would match your regex.
newbieweb (Sr. Software Engineer, Author) commented:

What exactly does [/?] do?

And I loved your suggestion that a hacker could use MyDomain as a sub-domain. I would never have thought of that!  Is it enough that I assert that a whitelisted domain must not be followed by a period in order to prevent that kind of hijacking? Or is there another way a hacker could mirror my valid domain and still hack me?
[/?] is a / or a ? character. That would mark the end of the domain and the start of the path after that.
Checking for a period right after the domain is not enough:
Checking for a period anywhere after it is too much:
You must check that it isn't immediately followed by something that cannot be part of the domain name. I think it's enough to check that it's either the absolute end of the URL, or ? or / or # (I forgot that possibility in my previous reply).
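Putting the thread's three points together as an added example (my own code, not the answerer's): the whitelist is escaped entry by entry so the "|" separator stays an alternation, each host is followed by the ($|[/?#]) boundary instead of a trailing $ on the whole URL, and RegexOptions.IgnoreCase covers the asker's "ReturnURL" capitalisation worry. The whitelist value and the sample URLs are constructed for the example; the goto/returnurl value is assumed to arrive already decoded, as it does from Request.QueryString.

```csharp
using System;
using System.Text.RegularExpressions;

public static class RedirectRegex
{
    // Constructed whitelist in the asker's "|"-separated config format.
    public const string RedirectWhitelist = "www.example.com|login.example.com";

    // Escape each alternative separately: the "|" separator must stay a regex OR while the
    // dots inside host names become literal dots. Regex.Escape on the whole string would
    // also escape the "|" and turn the list into one literal host name.
    static string HostAlternatives(string whitelist, bool escape)
    {
        string[] hosts = whitelist.Split('|');
        for (int i = 0; i < hosts.Length; i++)
        {
            hosts[i] = hosts[i].Trim();
            if (escape) hosts[i] = Regex.Escape(hosts[i]);
        }
        return "(?:" + string.Join("|", hosts) + ")";
    }

    public static string BuildPattern(string whitelist, bool escape = true)
    {
        // (?=$|[/?#]) is the boundary from the thread: the host must be followed by end of
        // input, a path, a query or a fragment, so "www.example.com.evil.test" can never
        // satisfy the "www.example.com" alternative. Nothing after the boundary is constrained,
        // which is what the asker wanted instead of a trailing $.
        string host = "https?://" + HostAlternatives(whitelist, escape) + "(?=$|[/?#])";
        // In the verbatim string a single backslash escapes the regex "?" so it matches literally.
        return "^" + host + @"/\?(?:goto|returnurl)=" + host;
    }

    // IgnoreCase makes "ReturnURL" and "returnurl" equivalent, and host names as well.
    static readonly Regex Allowed = new Regex(BuildPattern(RedirectWhitelist), RegexOptions.IgnoreCase);

    public static bool IsAllowed(string url) => Allowed.IsMatch(url);

    public static void Main()
    {
        // Constructed sample request URLs in the asker's "base/?goto=target" shape.
        string[] samples =
        {
            "https://www.example.com/?goto=https://login.example.com/dashboard",  // True
            "https://www.example.com/?ReturnURL=https://login.example.com",        // True, only the case differs
            "https://www.example.com/?goto=https://www.example.com.evil.test/",   // False, stopped by the boundary
            "https://www.example.com/?goto=https://wwwXexample.com/",             // False, only because "." is escaped
        };
        foreach (string url in samples)
            Console.WriteLine($"{IsAllowed(url),-5} {url}");

        // Without Regex.Escape the "." in the whitelist is the "any character" metacharacter,
        // so the last sample is accepted: the point of the escaping advice in this thread.
        var unescaped = new Regex(BuildPattern(RedirectWhitelist, escape: false), RegexOptions.IgnoreCase);
        Console.WriteLine("unescaped pattern accepts wwwXexample.com: " + unescaped.IsMatch(samples[3]));
    }
}
```

Because the part after each boundary is left open, this only establishes that both hosts are on the list; it says nothing about the path or later parameters, which is exactly the trade-off the asker chose by dropping $.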