The built-in redirect validation mechanism introduced in Sitefinity CMS 11.1 now protects your website against open redirect vulnerabilities, eliminating one more way for malicious actors to attack your users.
One of the basic web security habits is to check your hyperlinks before you click them. But how does this apply to the real-life example of a busy professional rushing through the day, clicking through potentially thousands of links? The truth is, there is never enough time to inspect every single link, and attackers are getting so crafty that even careful inspection can sometimes mislead you.
Sitefinity CMS takes some of that burden off your plate. Version 11.1 introduces an out-of-the-box redirect validation mechanism as part of the Web Security Module. Before we proceed with a walk-through of the new feature, let’s take a moment to summarize the problem it solves.
Let’s say, for example, that you own a popular eCommerce website. Your website, http://examplewebsite.com, has some logic to parse URL query strings and redirect users to a desired payment provider, based on the query string value. An attacker exploits this vulnerability by creating a website with a similar look and feel to one of the payment providers you use. Because your website is popular, it’s easy for the attacker to send a blast of fraudulent emails to your users, for example with a “Confirm your payment details” subject line. The emails contain a hyperlink leading to your site, but in the query string they pass the URL of the attacker’s malicious site. For example: http://examplewebsite.com/paymentdetails?url=http://malicious.examplewebsite.com.
Here’s how it goes for the unsuspecting user:
As the saying goes, a picture is worth a thousand words:
This scenario describes an unvalidated redirects and forwards vulnerability, also known as an Open Redirect.
The built-in redirect validation mechanism introduced in Sitefinity CMS 11.1 protects your website (both frontend and backend) against Open Redirect vulnerabilities. The web security module prevents any malicious attempts to redirect users to an external location. This mechanism works by checking a detected redirect attempt against a configurable whitelist of trusted domains. If the web security module detects redirection to a domain that’s not configured as trusted, it intercepts this attempt and displays a warning message to the user instead of doing the redirect.
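To make the trusted-domain check concrete, here is an added Python illustration of the decision a redirect validator has to make; it is not Sitefinity’s code, and the allowlist hosts and the “allow”/“warn” outcomes are assumptions for the example. It also covers inputs the post does not spell out (scheme-relative URLs, backslashes, userinfo in the URL, and non-HTTP schemes), which a checker has to treat as external rather than trusted.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the site's own host plus the
# payment providers it legitimately hands visitors off to (hypothetical names).
TRUSTED_HOSTS = {
    "examplewebsite.com",
    "pay.provider-one.example",
    "checkout.provider-two.example",
}


def redirect_decision(target: str, trusted_hosts=TRUSTED_HOSTS) -> str:
    """Classify a redirect target taken from a query string.

    Returns "allow" when the site may redirect immediately, or "warn"
    when the visitor should be shown the interstitial warning page instead.
    """
    # Browsers accept backslashes in place of slashes after the scheme, so
    # "http:\\evil.example" must be judged as "http://evil.example".
    candidate = target.strip().replace("\\", "/")

    # Two or more leading slashes are scheme-relative ("//evil.example") or
    # collapse to an absolute URL in browsers ("///evil.example"): external.
    if candidate.startswith("//"):
        return "warn"

    parts = urlsplit(candidate)

    # A plain relative path such as "/account/orders" stays on this site.
    if not parts.scheme and not parts.netloc:
        return "allow"

    # javascript:, data: and similar schemes are never legitimate redirects.
    if parts.scheme.lower() not in ("http", "https"):
        return "warn"

    # .hostname drops userinfo and port, so "http://examplewebsite.com@evil"
    # resolves to the real host "evil", not the trusted-looking prefix.
    host = parts.hostname
    if not host:
        return "warn"

    # Exact match only: the post's own attacker host is a *subdomain* of the
    # legitimate site, so suffix matching would let it straight through.
    return "allow" if host.lower().rstrip(".") in trusted_hosts else "warn"
```

The post’s own payload, `http://malicious.examplewebsite.com`, is classified as “warn” precisely because the check compares whole hostnames instead of suffixes.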
The warning screen informs users about the detected redirect attempt and provides further information about the redirect URL parameters. Users can decide whether to proceed to the redirect target or return to your Sitefinity CMS website home page. A really well-thought-out detail is the ability to fully customize the redirect validation warning page, so site owners get the security functionality while integrating it with their existing website look and feel.
The redirect validation mechanism is smart enough to detect any attempt to redirect to an external domain, that’s for sure. But it only detects the redirect and displays a warning. The decision whether to proceed with the link or return to the home page is up to the site visitor. Additionally, redirect validation does not protect against a click on a link that points directly to an external domain. There is no way for the Sitefinity CMS web security module to intervene in such cases, because that request never reaches your website server; the browser executes it directly.
Redirect validation is enabled by default for all new projects created with Sitefinity CMS 11.1, so you get this protection right away. For those of you planning to upgrade existing projects to 11.1, redirect validation is one more great reason to do so. Be aware that the feature is not enabled by default for upgraded projects. Make sure to add enabling it to your upgrade to-do checklist, unless you have a good reason not to benefit from this great new addition to the Sitefinity CMS web security module.
Boyan Barnev is a Principal Information Developer at Progress. His mission is to demonstrate the unlimited capabilities of Sitefinity CMS via product documentation, SDK samples, and technical blog posts. He graduated from the American University in Bulgaria and joined Telerik in 2011. Since then Boyan has held various positions in the company, leading the strategy and operation of the Sitefinity CMS technical support service worldwide.
Copyright © 2018 Progress Software Corporation and/or its subsidiaries or affiliates.
All Rights Reserved.