A reminder on ASP.NET Forms authentication Open Redirection Attack vulnerability


If you are developing an ASP.NET web application for public use, chances are you are using Forms authentication to authenticate your users. By default, when an unauthenticated user requests a page that requires authentication, ASP.NET redirects to the login page and passes the originally requested address in the ReturnUrl query string parameter; the template login implementation then sends the user back to that address once s/he has signed in.

However, by default the ReturnUrl value is not validated. It can be a full, absolute URL pointing anywhere, even to a malicious site: an attacker sends the victim a link to your genuine login page with ReturnUrl set to a look-alike site, the victim signs in on your real page, and is then forwarded to the attacker's page (which typically claims the login failed and asks for the password again). This is called an Open Redirection Attack, but luckily it is easily remedied: accept only application-local (relative) return URLs and fall back to a default page for anything else.

There's a nice post in the ASP.NET MVC tutorials about this. Notice that even though the article talks about ASP.NET MVC, the same issue applies to regular Web Forms applications as well.
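To make the fix concrete, here is an added example (mine, not code from the original post or from the MVC tutorial) showing the vulnerable login completion beside a hardened one for a Web Forms application. The `IsLocalUrl` helper mirrors the local-URL rule used by ASP.NET MVC's `Url.IsLocalUrl` (accept `/path` and `~/path`, reject `//host`, `/\host`, absolute URLs and empty values); the method names and the `HttpResponse` parameter are my own choices, and the Login control wiring in the comments is assumed, not shown.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: safe versus unsafe handling of the ReturnUrl parameter
// after a successful Forms authentication login (Web Forms code-behind style).
public static class SafeRedirect
{
    // BEFORE (vulnerable): whatever arrived in ?ReturnUrl=... is trusted.
    // ReturnUrl=http://evil.example/relogin sends the freshly logged-in user off-site.
    public static void LoginSucceededUnsafe(HttpResponse response, string userName, string returnUrl)
    {
        FormsAuthentication.SetAuthCookie(userName, false);
        response.Redirect(returnUrl ?? FormsAuthentication.DefaultUrl, true); // open redirect
    }

    // Returns true only for URLs that stay inside this application:
    //   "/"            -> true   "/Account/Orders" -> true   "~/Default.aspx" -> true
    //   "//evil.test"  -> false  "/\evil.test"     -> false  "http://evil.test" -> false
    //   ""/null        -> false  "javascript:..."  -> false
    // Browsers treat "//host" and "/\host" as protocol-relative absolute URLs,
    // so a plain "starts with /" check is not enough.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;

        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');

        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // AFTER (hardened): validate first, fall back to the configured default page.
    // Call this from e.g. the Login control's LoggedIn/Authenticate handler with
    // Request.QueryString["ReturnUrl"] as the returnUrl argument (assumed wiring).
    public static void LoginSucceeded(HttpResponse response, string userName, string returnUrl)
    {
        FormsAuthentication.SetAuthCookie(userName, false);
        string target = IsLocalUrl(returnUrl) ? returnUrl : FormsAuthentication.DefaultUrl;
        response.Redirect(target, true);
    }
}
```

In an MVC 3 or later application the same check is available as `Url.IsLocalUrl(returnUrl)` inside a controller; the point in both cases is that the decision is made before the redirect is issued, and that an invalid value silently falls back to a known-good page rather than being reported back to the attacker.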

Promise yourself a slightly more secure year 2012 and take a quick peek at your web application(s). Implementing this fix really doesn't take long.

Safe hacking!