Tuesday, January 6, 2015

Checking the "return" parameter in a login page

My login page accepts a "return" parameter which should contain the URI to redirect the user to if he wasn't logged in and tried to access a page that isn't accessible to unauthenticated users. It could be anything from my site.


How do I properly check that parameter in my server code before I return an HTTP 302 status with that URI to the user after he has successfully authenticated on the login page?


Is it enough to check that uri[0] == '/' && uri[1] != '/' (so a malicious user can't send a request like /login?return=http://google.com)? Can a malicious user construct some tricky URI which will send the victim user into trouble? Of course I assume that other pages do not contain XSS vulnerabilities, GET requests do not change anything in the database, etc. If a malicious user can trick the victim into clicking on his link and the victim user is already logged in, things will happen anyway and I can't do anything to prevent that except implement known security measures such as CSRF protection, etc.
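An added example of such a check (not code from the original post), showing why the two-character test alone is weaker than it looks: browsers treat a backslash like a slash and strip some control characters before parsing, so `/\evil.test` or a tab-padded value can slip past a prefix check. The code resolves the parameter against an assumed site origin (`SITE_ORIGIN` is a placeholder) and only accepts values that stay on that origin.

```python
# Added example: validating a login "return" parameter before issuing a 302
# so that it can only send the user to a path on this site.
from urllib.parse import urlsplit, urljoin

SITE_ORIGIN = "https://example.test"   # assumed origin of our own site (placeholder)


def is_safe_return(uri) -> bool:
    """Accept only site-relative paths such as '/account?tab=1#top'."""
    if not isinstance(uri, str) or not uri:
        return False
    # Reject control characters and whitespace: browsers drop tabs/newlines
    # and trim leading spaces before parsing, which defeats prefix checks.
    if any(ord(c) < 0x20 or c in " \x7f" for c in uri):
        return False
    # Browsers treat '\' as '/', so '/\evil.test' is really '//evil.test'.
    if "\\" in uri:
        return False
    # Must be an absolute path on this host: exactly one leading '/'.
    if not uri.startswith("/") or uri.startswith("//"):
        return False
    parts = urlsplit(uri)
    # Any scheme or network location means this is not a plain path.
    if parts.scheme or parts.netloc:
        return False
    # Belt and braces: resolving against our origin must stay on our origin.
    resolved = urlsplit(urljoin(SITE_ORIGIN, uri))
    origin = urlsplit(SITE_ORIGIN)
    return (resolved.scheme, resolved.netloc) == (origin.scheme, origin.netloc)


def login_redirect_target(uri, default="/"):
    """Location header value to use after login: the checked URI or a safe default."""
    return uri if is_safe_return(uri) else default


if __name__ == "__main__":
    # Constructed sample inputs: the first two are legitimate, the rest are not.
    for sample in ["/account?tab=1#top", "/", "http://google.com",
                   "//evil.test/x", "/\\evil.test", "/\t/evil.test", "docs/index"]:
        print(repr(sample), "->", login_redirect_target(sample))
```

A further defence, independent of this check, is to never put a user-controlled URL in Location at all and instead store the intended destination server-side and redirect to a fixed set of known paths.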