If Response.Redirect("/") is called during the Page_Load event, could a malicious user get access to the contents of the page (before the redirect), such as the HTML itself? I'm trying to redirect unauthorized users to the default.aspx page, but I'm not sure whether there are vulnerabilities in using the code this way.
Viewed 774 times
0
-
Yes, there can be, depending on how you use it. I explain it in [this SO answer](http://stackoverflow.com/questions/13727422/can-endresponse-increase-performance-of-asp-net-page/13727769#13727769) and mention how to ignore the redirect and view the contents of the page, which is your concern. Even if your current usage of `Redirect` doesn't open up this vulnerability, a simple change of a parameter in that function can, and will. – MikeSmithDev Aug 23 '14 at 15:43
-
@MikeSmithDev For testing purposes, I added a Page_Render event to the page and debugged it. When I use the default Response.Redirect (with the second parameter implicitly true), the Page_Render event is not called. So everything is secure, right? No Page_Render being called = no HTML to the user. – Arthur Castro Aug 25 '14 at 11:29
-
Well, it's "secure", but not optimal. One day if someone tries to get rid of the `ThreadAbortException` that your `Response.Redirect(url)` is causing, and adds `false` as the 2nd param, then no, it is potentially not secure. I'd go ahead and just fix it now (make it secure, and not have an exception thrown on redirect). – MikeSmithDev Aug 25 '14 at 11:48
-
@MikeSmithDev Any tip on fixing this using Response.Redirect(url, false)? I already knew about the exception that passing true as the parameter causes, and how bad that is for performance. What must I do? Destroy the buffered page? – Arthur Castro Aug 25 '14 at 13:34
-
You could wrap the page in a div with `visible="false"` and only show it if you don't redirect. So if they bypass the 302 all they see is an empty page. – MikeSmithDev Aug 25 '14 at 14:02
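The pattern discussed in the comments above, written out as an added example (this is not code from the question or from any of the commenters). It assumes a Web Forms page whose markup is wrapped in an `<asp:PlaceHolder ID="ProtectedContent" runat="server" Visible="false">`, a hypothetical `UserCanEditThisPage()` permission check, and `~/Default.aspx` as the redirect target; all three names are placeholders. The point it demonstrates: `Response.Redirect(url, false)` avoids the `ThreadAbortException`, but the rest of the page lifecycle (including `Render`) still runs, so anything buffered must be cleared and the content must stay hidden unless the check passes.

```csharp
// Code-behind for a page that must only be seen by users allowed to edit it.
// Added example; page, control and helper names are assumptions, not from the question.
using System;
using System.Web;
using System.Web.UI;

public partial class EditContent : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Per-page authorization check (hypothetical helper, see below).
        if (!UserCanEditThisPage())
        {
            DenyAndRedirect("~/Default.aspx");
            return; // nothing below runs, so ProtectedContent keeps Visible="false"
        }

        // Reached only for authorized users: reveal the wrapped markup.
        ProtectedContent.Visible = true;
    }

    private void DenyAndRedirect(string url)
    {
        // Drop anything already buffered so it cannot reach a client that ignores the 302.
        Response.Clear();

        // endResponse: false avoids the ThreadAbortException that Redirect(url) throws,
        // but it does NOT stop the page lifecycle; PreRender and Render still execute.
        Response.Redirect(url, false);

        // Skip the remaining HTTP pipeline events for this request. This is the
        // documented replacement for Response.End(); it still does not abort the page itself.
        Context.ApplicationInstance.CompleteRequest();
    }

    protected override void Render(HtmlTextWriter writer)
    {
        // Belt and braces: once a redirect has been issued, emit no markup at all,
        // regardless of what any control's Visible flag says.
        if (Response.IsRequestBeingRedirected)
        {
            return;
        }

        base.Render(writer);
    }

    private bool UserCanEditThisPage()
    {
        // Hypothetical check; a real page would look up this page's id against the
        // user's permissions. Shown here as an authenticated-user plus role test.
        return User.Identity.IsAuthenticated && User.IsInRole("Editors");
    }
}
```

Two things make this safe even when a client discards the 302: the placeholder is hidden by default and only switched on after the check passes (the approach suggested in the comment above), and the `Render` override refuses to write the response body once `Response.IsRequestBeingRedirected` is true. Either alone would do; together they survive a later refactor that forgets one of them.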
2 Answers
0
Place your page in a secure folder such as Members.
In that folder add the following web.config file.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <!-- "?" means anonymous (unauthenticated) users: deny them everything in this folder -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
Now only authenticated users will be able to get to that page.

Elim Garak
-
That works for some scenarios. But what if it is a page where he needs to check the permissions of the user as it relates to the page itself? Like editing content. Maybe he has rights to that specific page, maybe not... roles won't help there. – MikeSmithDev Aug 23 '14 at 18:12
-1
No, don't worry. Just put that at the start of the event and you are done.

user3800108