Last post Dec 22, 2016 10:17 PM by priyalwalpita
Dec 21, 2016 02:45 AM|Alvin096|LINK
Hi, I would like to know whether this code is prone to open redirect attacks or not, as I am tasked with solving the security issues of the application.
if (e.CommandName == "edit")
    Response.Redirect("SumRInvAdd.aspx?prg=E&id=" + SumRInvID + "&bid=" + HttpUtility.UrlEncode(ddlBatchId.SelectedValue));
Dec 21, 2016 05:37 AM|sakthivel0531|LINK
I don't think this code is prone to open attack.
Getting the URL from the query string and doing the redirection would be considered unsafe redirection.
Please refer to this link to understand safe and unsafe URL redirection.
Dec 22, 2016 10:17 PM|priyalwalpita|LINK
As it appears, there is no direct threat to your code, and it is good that you did the URL encoding of your parameter as well.
Remember that whatever comes after the "?" character in your string is considered insecure data. So please perform proper sanitization within your SumRInvAdd.aspx page, because someone else can call your SumRInvAdd.aspx form with the params they want if they manage to capture your session id. And those params could be malicious.
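Added example, not code from any poster in this thread: a local-URL check for the case described above where the redirect target itself is read from the query string, together with allow-list validation of the `prg`, `id` and `bid` parameters on the receiving page. The `returnUrl` parameter name, the class and method names, and the assumption that `id` and `bid` are positive integers are hypothetical.

```csharp
using System;
using System.Globalization;

static class RedirectChecks
{
    // True only for a path inside this site, e.g. "/SumRInvAdd.aspx?prg=E&id=7".
    // Absolute URLs, "//host" and "/\host" (which browsers treat as another
    // host) and strings with control characters are rejected.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        foreach (char c in url)
            if (char.IsControl(c)) return false;
        return true;
    }

    // Checks of the kind SumRInvAdd.aspx can apply to its own query string.
    // Assumptions: "E" is the only mode shown in the thread; id and bid are
    // positive integers.
    public static bool TryReadParams(string prg, string id, string bid,
                                     out int invId, out int batchId)
    {
        invId = 0; batchId = 0;
        if (prg != "E") return false;
        // NumberStyles.None accepts digits only: no sign, spaces or separators.
        return int.TryParse(id, NumberStyles.None, CultureInfo.InvariantCulture, out invId)
            && int.TryParse(bid, NumberStyles.None, CultureInfo.InvariantCulture, out batchId)
            && invId > 0 && batchId > 0;
    }

    static void Main()
    {
        // Constructed inputs. In a page the value would come from
        // Request.QueryString["returnUrl"] (hypothetical parameter name).
        string[] targets = { "/SumRInvAdd.aspx?prg=E&id=7&bid=3",
                             "http://example.com/", "//example.com/", "/\\example.com/" };
        foreach (string t in targets)
            Console.WriteLine("{0,-36} local={1}", t, IsLocalUrl(t));

        int inv, batch;
        Console.WriteLine(TryReadParams("E", "7", "3", out inv, out batch));
        Console.WriteLine(TryReadParams("E", "7abc", "3", out inv, out batch));
        Console.WriteLine(TryReadParams("X", "7", "3", out inv, out batch));
    }
}
```

In a page, call `Response.Redirect` with the supplied target only when `IsLocalUrl` returns true and fall back to a fixed page otherwise; the redirect in the original question already uses a fixed target, so only the parameter checks apply to it.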