Need to remove a dangerous domain from the QueryString Collection

I need to remove a dangerous domain from the URL, but the QueryString Collection is Read Only.
             
I created a whitelist of safe URLs and scan the URL inside a custom ActionFilterAttribute to assert that every domain is whitelisted.

But rather than upsetting existing program flow by redirecting to an error page, we have decided to simply remove that dangerous domain. If the goto or returnURL is errant, I need to completely remove it. But, the QueryString Collection is Read Only.

I use the following code to remove the "goto" key and notice the NameValueCollection array drops from a size of 1 to 0.

        // requires: using System.Collections.Specialized; using System.Reflection;
        private void RemoveParameter(NameValueCollection nameCollection, string keyToRemove)
        {
            // IsReadOnly is a protected property on NameObjectCollectionBase, so it is
            // only reachable through reflection with the NonPublic flag
            PropertyInfo isreadonly = typeof(NameValueCollection).GetProperty("IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);

            if (isreadonly != null)
            {
                // make collection editable
                isreadonly.SetValue(nameCollection, false, null);

                // remove the key from the server-side copy of the query string
                nameCollection.Remove(keyToRemove);

                // make collection readonly again
                isreadonly.SetValue(nameCollection, true, null);
            }
        }


but even after a final call to:

            base.OnActionExecuting(filterContext)

the browser still has the bad domain in the goto. In fact, I was expecting "goto" to no longer display.

What am I missing?

Thanks
newbieweb (Sr. Software Engineer) asked:

Kyle Abrahams (Senior .Net Developer) commented:
Create a new handler page, filter out the query string, redirect to the existing one.  

As a security check, if you find a bad one in the original handler, redirect to the new request handler to sanitize and then redirect back to the existing one.

Bastardized pseudo code:

OriginalRequestHandler?myVal=dangerousquery.com;safequery.com

//Non whitelisted domain found, redirect to original request

NewrequestHandler?myVal=dangerousquery.com;safequery.com

// sanitize the query string, respond back to original

Response.Redirect("OriginalRequestHandler?myVal=safequery.com");


OriginalRequestHandler?myVal=safequery.com
// no non white listed domains found, continue processing.
0
newbieweb (Sr. Software Engineer), author, commented:
I am not sure what you mean by:

> Create a new handler page

> OriginalRequestHandler
0
Kyle Abrahams (Senior .Net Developer) commented:
Sorry, was just thinking out loud.

Even easier:
Create the sanitized query string.
Redirect to the same page again with the sanitized query string.
0
newbieweb (Sr. Software Engineer), author, commented:
Instead of sanitizing the string, the fact is...

if a goto param starts with http://evil.com

I would remove the whole string.

This clears out the Collection.

filterContext.HttpContext.Request.QueryString

I do not have a list of what the domain SHOULD BE, since the hacker likely created a bunch of garbage params AFTER evil.com. So, it seems the only option is to remove the entire collection item associated with "goto".

Once the list's empty, how do I redirect to the root domain?

I assume it's contained in:

filterContext.HttpContext.Request
0
Kyle Abrahams (Senior .Net Developer) commented:
.Net makes it easy for us.

You could just redirect to "~/" which will go to the root of the application.  

The fact is though if it's a querystring parameter your application will not respond to it unless you tell it to do something with it.

Are you handling other goto requests?  Including that of different urls?

Can you give an example of a good query string versus a bad query string?
0
newbieweb (Sr. Software Engineer), author, commented:
Good:
http://mydomain.org/ContentManagement/?goto=http://mydomain.org:80/ContentManagement/

Bad:
http://mydomain.org/ContentManagement/?goto=http://mydomain.org.evil.com:80/ContentManagement/
0
newbieweb (Sr. Software Engineer), author, commented:
But I have no plans to "fix" a broken domain.
0
newbieweb (Sr. Software Engineer), author, commented:
We are okay with the default error behavior handling malformed URLs, like the following may be:

http://mydomain.org/ContentManagement

with no goto param, I mean.
0
Kyle Abrahams (Senior .Net Developer) commented:
So if you detect a broken domain, just redirect to the current page without the query string.
0
newbieweb (Sr. Software Engineer), author, commented:
But how?
0
Kyle Abrahams (Senior .Net Developer) commented:
Response.Redirect(Request.RawUrl.Split(new[] {'?'})[0]);

0
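Putting the thread together as an added example (not code from the question or the answers): an ActionFilterAttribute that checks the goto parameter against an exact-host allowlist and, when the check fails, redirects to the current path with the query string stripped, as the accepted answer suggests. The attribute name and the allowlisted host are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;

// Added example, not the asker's code. The allowlist is a constructed
// placeholder; in practice it would come from configuration.
public class SafeGotoAttribute : ActionFilterAttribute
{
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "mydomain.org" };

    // Exact host comparison. "mydomain.org.evil.com" (the thread's bad example)
    // must fail even though it starts with the trusted name, and a URL that merely
    // contains "mydomain.org" somewhere in its path must fail too.
    public static bool IsAllowedGoto(string gotoValue)
    {
        if (string.IsNullOrEmpty(gotoValue))
            return true;                       // no target at all is harmless
        Uri target;
        if (!Uri.TryCreate(gotoValue, UriKind.Absolute, out target))
            return false;                      // unparsable or relative: reject
        if (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps)
            return false;                      // javascript:, data:, file:, ...
        return AllowedHosts.Contains(target.Host); // Host excludes the :80 port
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        string gotoValue = request.QueryString["goto"];

        if (!IsAllowedGoto(gotoValue))
        {
            // Editing Request.QueryString via reflection only changes the
            // server-side copy; the browser keeps the URL it sent. Redirecting
            // to the bare path is what actually drops the parameter.
            string pathOnly = request.RawUrl.Split('?')[0];
            filterContext.Result = new RedirectResult(pathOnly);
            return;
        }
        base.OnActionExecuting(filterContext);
    }
}
```

The redirect target is the request's own path, so a rejected goto can never steer the user off-site; relative gotos are rejected by this version and would need a separate check if the application uses them.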

newbieweb (Sr. Software Engineer), author, commented:
That works perfectly. Thanks!
0
newbieweb (Sr. Software Engineer), author, commented:
Ignore that question.
0
newbieweb (Sr. Software Engineer), author, commented:
I thought I was ready to commit the code...

But it seemed to stop re-routing, and I am not sure why.

From the perspective of the debugger, it all works. When I look in the URL bar on the browser, the value is not updated.

Here is the new question...

https://www.experts-exchange.com/questions/29088895/Why-does-this-code-not-re-route.html
0