Does the System.Uri object help expose XSS attacks?

I am hoping to use the Uri object to reject the following XSS exposure.

For example, a return URL which includes the following puts your website at risk:

https://yourdomain.org/?returnurl=yourdomain.org.evildomain.com

So, I hope I can use the System.Uri object to throw an exception. This means I do not get into modifying my RegEx.

I would be surprised to learn that the following is not a red flag:

yourdomain.org.evildomain.com

thanks
newbieweb (Sr. Software Engineer) asked:
ste5an (Senior Developer) commented:
for example, a return URL which includes the following puts your website at risk:

https://yourdomain.org/?returnurl=yourdomain.org.evildomain.com
Nope, it does not. A URL is static text. Static text is harmless.

Otherwise explain first, why it is a risk.
newbieweb (Sr. Software Engineer, author) commented:
I am trying to write code which rejects that URL. But that condition, a valid whitelisted domain being a sub-domain of an evil domain, is not yet handled by my code.

I hoped that the Uri object would throw an exception.

Does it support any such error checking?
ste5an (Senior Developer) commented:
Without your code, it's hard to tell where you're doing it wrong.

From Uri Class:
Uri Class: Provides an object representation of a uniform resource identifier (URI) and easy access to the parts of the URI.
The URL given by you is valid, so why would you expect an exception?

But that condition, a valid whitelisted domain being a sub-domain on an evil domain, I do not yet handle.
That's why you need some kind of pattern matching. E.g. whitelisted yourdomain.org can only match http://yourdomain.org.

How could yourdomain.org.evildomain.com pass this test?
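An added example, not code from the thread, of the exact-host allow-list ste5an describes. It answers the original question directly: System.Uri will not throw for yourdomain.org.evildomain.com because that is a syntactically valid reference, so the check has to be made on the parsed Host, never with StartsWith/Contains on the raw string. The base URL https://yourdomain.org/ and the allowed host names are assumed values for the demonstration:

```csharp
using System;
using System.Collections.Generic;

// Added example: validate a return URL by resolving it with System.Uri and
// comparing the resulting host exactly against an allow-list.
public static class ReturnUrlValidator
{
    // Assumed: the site's own origin, used to resolve relative return URLs.
    private static readonly Uri SiteBase = new Uri("https://yourdomain.org/");

    // Assumed allow-list. Exact host matches only, so the distinct host
    // "yourdomain.org.evildomain.com" can never match "yourdomain.org".
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "yourdomain.org",
            "www.yourdomain.org"
        };

    public static bool IsSafeReturnUrl(string returnUrl, out Uri resolved)
    {
        resolved = null;
        if (string.IsNullOrWhiteSpace(returnUrl))
            return false;

        // Reject protocol-relative ("//evil.com") and backslash variants
        // ("/\evil.com", "\\evil.com") up front: browsers, and Uri on Windows,
        // may treat these as a new host rather than a local path.
        string trimmed = returnUrl.TrimStart();
        if (trimmed.StartsWith("//", StringComparison.Ordinal) ||
            trimmed.StartsWith("/\\", StringComparison.Ordinal) ||
            trimmed.StartsWith("\\", StringComparison.Ordinal))
            return false;

        // Uri does not throw for "yourdomain.org.evildomain.com": without a
        // scheme it is a relative reference. Resolving everything against our
        // own base means relative and absolute inputs take the same checks.
        if (!Uri.TryCreate(SiteBase, returnUrl, out resolved))
            return false;

        // Web schemes only; this also rejects javascript:, data:, file: etc.
        if (resolved.Scheme != Uri.UriSchemeHttp && resolved.Scheme != Uri.UriSchemeHttps)
            return false;

        // Exact host comparison against the allow-list.
        return AllowedHosts.Contains(resolved.Host);
    }

    public static void Main()
    {
        // Constructed sample inputs (not from the thread) covering the cases discussed.
        string[] samples =
        {
            "/account/settings",
            "https://yourdomain.org/account",
            "https://yourdomain.org.evildomain.com/",
            "yourdomain.org.evildomain.com",
            "//evildomain.com/",
            "javascript:alert(1)"
        };

        foreach (string s in samples)
        {
            Uri target;
            bool ok = IsSafeReturnUrl(s, out target);
            Console.WriteLine("{0,-45} -> {1}{2}", s,
                ok ? "ALLOW" : "REJECT",
                ok ? " (" + target + ")" : "");
        }
    }
}
```

Two things worth noticing when running this. The bare string yourdomain.org.evildomain.com has no scheme, so Uri resolves it to a path under https://yourdomain.org/ and the validator allows it, which is correct: as a relative reference it never leaves your site. The dangerous form is the absolute https://yourdomain.org.evildomain.com/, whose Host is yourdomain.org.evildomain.com; that is rejected because the allow-list is compared for equality, not with a prefix or substring test. Keep the allow-list to the exact hosts you own, and if you need to permit sub-domains, add an explicit check of the form host.EndsWith("." + allowed) rather than widening the comparison to StartsWith.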
newbieweb (Sr. Software Engineer, author) commented:
thanks. I will post another question if I need to.