dice

Reputation: 2880

How should we validate the HTTP referrer header in ASPX .NET?

I want to ensure nothing untoward gets into the referrer on an error page.

What should I be checking in order to validate the HTTP header?

Below is my current code:

// Ensure the referrer header is good
if (this.Request.UrlReferrer.IsWellFormedOriginalString() &&
    this.Request.UrlReferrer.Host.Equals(this.Request.Url.Host))
{
    // referrer accepted: the page goes on to use it here
}

This will fail an Acunetix scan that uses %3C and %3E instead of < and >, for example, so I obviously need to cover HTML encoding. Is there anything else I am missing?

Update: I can catch all the Acunetix scans using the code below:

// Regex is System.Text.RegularExpressions.Regex
if (this.Request.UrlReferrer.IsWellFormedOriginalString() &&
    this.Request.UrlReferrer.Host.Equals(this.Request.Url.Host) &&
    !Regex.IsMatch(this.Request.UrlReferrer.ToString(),
                   "%3C",
                   RegexOptions.IgnoreCase))
{
    // referrer accepted: the page goes on to use it here
}

Upvotes: 2

Views: 5001

Answers (2)

bobince

Reputation: 536389

I want to ensure nothing untoward gets into the referrer on an error page.

Then always HTML-escape any string — including referrer URLs — that you output to the error page.

Trying to pick out and blacklist input containing potentially dangerous characters on a case-by-case basis is doing it backwards. You probably won't catch all possible attacks, and you'll unnecessarily disallow valid URLs. (It's perfectly reasonable to have a URL with ‘%3C’ in.)

Upvotes: 1

Program.X

Reputation: 7412

this.Request.UrlReferrer may be null if no referrer was provided or has participated.

Upvotes: 0
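The two answers above combine into one routine: treat a missing referrer as "no link", restrict the link to http(s) URLs on the current host, and HTML-encode the value on output instead of blacklisting characters in it. The code below is an added example, not code from the question or either answer. It assumes a plain console app, so the referrer is modelled as the raw Referer header string (an HttpRequest cannot be constructed outside ASP.NET) and System.Net.WebUtility.HtmlEncode stands in for System.Web's HttpUtility.HtmlEncode; the class and method names (ReferrerBackLink, Render), the parameter currentHost and the hostnames in the sample inputs are all made up for the example.

```csharp
// Added example (not from the question or answers): render a referrer on an
// error page by encoding on output rather than filtering the input.
// Assumes a console app; the referrer is modelled as the raw Referer header.
using System;
using System.Net;

public static class ReferrerBackLink
{
    // Returns an <a> element pointing back to the referrer, or null when there
    // is nothing safe to link to. currentHost stands in for Request.Url.Host.
    public static string Render(string refererHeader, string currentHost)
    {
        // Program.X's point: the header is optional, so UrlReferrer may be null.
        if (string.IsNullOrWhiteSpace(refererHeader))
            return null;

        Uri referrer;
        if (!Uri.TryCreate(refererHeader, UriKind.Absolute, out referrer))
            return null;

        // Only link back to http(s) URLs on this host. javascript: and data:
        // URIs have no host, so the host comparison alone would already reject
        // them, but an explicit scheme check is what a reviewer expects to see.
        bool isWeb = referrer.Scheme == Uri.UriSchemeHttp
                  || referrer.Scheme == Uri.UriSchemeHttps;
        if (!isWeb || !string.Equals(referrer.Host, currentHost,
                                     StringComparison.OrdinalIgnoreCase))
            return null;

        // bobince's point: encode on output. HtmlEncode turns <, >, &, " and '
        // into entities, so the value is inert both inside the href="" attribute
        // and as the link text. OriginalString is the header exactly as sent;
        // nothing here needs to reject legitimate URLs that contain %3C.
        // (Inside an ASP.NET page use HttpUtility.HtmlEncode or the <%: %> syntax.)
        string safe = WebUtility.HtmlEncode(referrer.OriginalString);
        return "<a href=\"" + safe + "\">" + safe + "</a>";
    }

    public static void Main()
    {
        const string host = "www.example.com";

        // Constructed inputs for the demonstration, not captured traffic.
        string[] headers =
        {
            null,                                                  // no Referer header at all
            "http://www.example.com/search?q=%3Chtml%3E",          // legitimate URL a %3C blacklist would reject
            "http://www.example.com/?x=<script>alert(1)</script>", // raw markup in the header
            "http://www.example.com/?x=\"onmouseover=\"alert(1)",  // attribute breakout: no < or %3C anywhere
            "http://attacker.example/?x=1",                        // foreign host
            "javascript:alert(1)"                                  // non-web scheme
        };

        foreach (string h in headers)
        {
            Console.WriteLine((h ?? "(no header)") + "\n  -> " + (Render(h, host) ?? "(no link)"));
        }
    }
}
```

Run it with `dotnet run` (or compile with `csc`); each sample header is printed with the fragment the error page would emit for it. The second input shows why the `%3C` regex in the question is the wrong tool: it is a perfectly valid URL, and after encoding it is rendered as-is and harmlessly. The fourth input contains no `<` and no `%3C`, so a blacklist on that token would never see it, yet written raw into `href="..."` it would close the attribute; encoded, the quotes become `&quot;` and it stays a string.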
