rorfun

Reputation: 96

How to stop redirecting to another domain by configuring IIS or web.config?

In a modern CMS, there are a number of places that redirect users by using a returnUrl query string. For example, redirecting a user to an internal URL after a successful login.

The problem is that the returnUrl is modifiable by anyone and is hence vulnerable. One way to handle this is to validate the parameters in the application script/program before sending the 302 HTTP code (redirect) to the client browser. However, this requires changing the application code.

How can I handle it at the IIS level? Is it possible to show an error page if the user is redirected to another domain, without touching the application code?

Upvotes: 0

Views: 2322

Answers (1)

rorfun

Reputation: 96

I figured it out. Install the IIS URL Rewrite Module and then edit the web.config of the web application and add the following in the system.webServer node:

<rewrite>
    <outboundRules>
        <rule name="Rewrite Location Header" preCondition="IsRedirection" enabled="true">
            <match serverVariable="RESPONSE_Location" pattern="http[s]{0,1}://localhost/(.*)" negate="true" />
            <conditions>
            </conditions>
            <action type="Rewrite" value="http://{HTTP_HOST}/error.html" replace="true" />
        </rule>
        <preConditions>
            <preCondition name="IsRedirection">
                <add input="{RESPONSE_STATUS}" pattern="3\d\d" />
            </preCondition>
        </preConditions>
    </outboundRules>
</rewrite>

Upvotes: 1
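To check what the outbound rule above actually does to a set of Location headers before deploying it, here is a small Python model of its decision logic (an added example, not part of the answer). It assumes, as for IIS URL Rewrite patterns generally, that a regex without ^ or $ matches anywhere in the value, and it compares the answer's pattern with an anchored variant (ANCHORED_PATTERN, a hypothetical name) that also admits site-relative paths.

```python
import re

# Pattern taken from the answer's <match> element.
ANSWER_PATTERN = r"http[s]{0,1}://localhost/(.*)"
# Anchored variant: absolute URL on localhost, or a site-relative path
# ("/..." but not protocol-relative "//host/...").
ANCHORED_PATTERN = r"^(https?://localhost/|/(?!/))"

ERROR_PAGE = "http://{HTTP_HOST}/error.html"   # the rule's action value


def rewrite_location(status, location, host, pattern=ANSWER_PATTERN):
    """Return the Location header value the client would receive.

    Models the outbound rule: the preCondition fires on any 3xx status;
    the match is negated, so a Location that does NOT match the pattern
    is replaced with the error page. re.search models unanchored matching.
    """
    if not re.search(r"3\d\d", str(status)):
        return location                       # preCondition not met
    if re.search(pattern, location):
        return location                       # matched, negate=true: keep
    return ERROR_PAGE.replace("{HTTP_HOST}", host)


# Constructed sample responses as (status, Location) pairs.
SAMPLES = [
    (302, "http://localhost/Account"),                     # internal, absolute
    (302, "https://localhost/Account"),                    # internal, TLS
    (302, "http://attacker.example/"),                     # external host
    (302, "//attacker.example/"),                          # protocol-relative
    (302, "/Account/Profile"),                             # site-relative path
    (302, "http://attacker.example/?u=http://localhost/"),  # allowed URL as substring
    (200, "http://attacker.example/"),                     # not a redirect
]


def evaluate(pattern=ANSWER_PATTERN, host="localhost"):
    """Apply the rule to every sample; returns (status, original, final)."""
    return [(st, loc, rewrite_location(st, loc, host, pattern)) for st, loc in SAMPLES]


if __name__ == "__main__":
    for name, pat in (("answer", ANSWER_PATTERN), ("anchored", ANCHORED_PATTERN)):
        print(f"--- {name} pattern ---")
        for st, loc, final in evaluate(pat):
            print(f"{st} {loc!r:55} -> {final!r}")
```

Running it shows two things the answer's pattern does not make obvious: a site-relative Location such as /Account/Profile is sent to the error page, and an external URL that merely contains http://localhost/ is left alone, whereas the anchored pattern gives the intended result in both cases.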
