
I was trying to make a guard for some action so that it is not accessible unless the request comes from a certain host. Here is the sample code.

// ASP.NET MVC controller action (System.Web.Mvc)
public ActionResult test()
{
    // Request.UrlReferrer is the parsed HTTP Referer header of the incoming request
    if (Request.UrlReferrer == null || Request.UrlReferrer.Host != "mydomain.com") { return Content("Blocked!"); }
    else { return Content("Authorized!"); }
}

Everything seemed to work well until I went to mydomain.com (typed the link in the address bar), opened the browser console and typed

window.location.href = "https://domainholdingthataction.whatever/ActionRoute/test"; // trying to get unauthorized access

It worked! It entered the else branch. I need your input because I have no idea whether I am using it wrong, as Request.UrlReferrer is not meant to be used for that, or whether it is inherently vulnerable.

Mina Gerges
MVC has a bunch of filters introduced with it. Have a look at the [Action Filters](https://learn.microsoft.com/en-us/aspnet/mvc/overview/older-versions-1/controllers-and-routing/understanding-action-filters-cs). – vikscool Feb 13 '20 at 06:57

1 Answer


UrlReferrer is not safe to use for authorization. Any browser or client can decide to set the referrer URL to whatever they want. Additionally, some browsers refuse to respect this header (though that's mostly only true between different domains) for privacy reasons.

There's the Authorize annotation specifically for this.

Frank
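As an added illustration (not code from the question or the answer), here is the referrer check from the question beside the same action guarded with the Authorize attribute the answer recommends; the controller name, the "Admin" role and an already-configured Forms Authentication or ASP.NET Identity setup are assumed.

```csharp
using System.Web.Mvc;

// Assumed controller name for this example.
public class GuardDemoController : Controller
{
    // Weak guard: the check from the question.
    // Request.UrlReferrer is parsed from the Referer request header, which the
    // client sends. It only says where the navigation started; it proves nothing
    // about who the caller is. In the question's test the browser legitimately
    // sent "Referer: https://mydomain.com/..." because the navigation was started
    // from a page on mydomain.com, so the check passed exactly as written, and it
    // would pass for any visitor of mydomain.com or any client that sets the header.
    public ActionResult ReferrerGuarded()
    {
        var referrer = Request.UrlReferrer;
        if (referrer == null || referrer.Host != "mydomain.com")
        {
            return Content("Blocked!");
        }
        return Content("Authorized!");
    }

    // Stronger guard: the Authorize filter runs before the action body and ties
    // access to the authenticated principal (User), which the framework builds
    // from the server-validated auth cookie or token, not from a client header.
    // Unauthenticated callers get a 401 (redirected to the login page under
    // Forms Authentication); authenticated users outside the role get a 403.
    [Authorize(Roles = "Admin")]
    public ActionResult PrincipalGuarded()
    {
        // Reaching this line means User.Identity.IsAuthenticated is true
        // and the user is in the "Admin" role.
        return Content("Authorized as " + User.Identity.Name);
    }
}
```

The [Authorize] attribute can also be applied to the whole controller class, in which case [AllowAnonymous] opts individual actions out.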