Wednesday, August 08, 2012

Protect ASP.NET application against No-Redir browser hacks


Page redirection is a very popular approach on Web applications behavior, for example: count login errors and redirect user to an error page if login error count exceeds max allowed value – to prevent login hack attack.

The simplest way to do it in a ASP.NET application:

// Get URL of the error page to be redirected to
string urlErrorPage = getUrlErrorPage(…);

// Use Response.Redirect to redirect user to the error page
Response.Redirect(urlErrorPage, true);
The problem is, there are numerous add-ons for internet browsers to prevent redirection: like this, this and this.
One possibility to redirect mandatory is to write the content of target page in Response directly (the target page assumed to be plain HTML page):
// Use Response.Write to write error page content
string errorContent = "<html><head></head><body>error</body></html>";
string sFile = null;
sFile = Server.MapPath(urlErrorPage);
using (StreamReader sr = new StreamReader(sFile))
errorContent = sr.ReadToEnd();
catch (Exception ex)
// Handle exception

Once again: the target error page assumed to be (D)HTML page.


No comments: