Configure redirect validation
Sitefinity CMS comes with an out-of-the-box mechanism for preventing unvalidated redirects and forwards. The unvalidated redirects and forwards vulnerability is also known as Open Redirect. Open Redirect can occur when the URL parameters of an HTTP GET request contain instructions to redirect the user to a different website. Attackers often use this vulnerability to redirect users (for example, after an action such as logging in) to malicious third-party websites that mimic the original website's look and domain name. This way, an attacker can mislead the user into providing sensitive information.
The Sitefinity CMS redirect validation mechanism is part of the Web security module. It protects your website (both frontend and backend) against Open Redirect vulnerabilities. If the Web security module detects an attempt to inject a redirect to a domain that is not configured as trusted, it intercepts the redirect and displays the following warning screen:
The warning screen informs users about the detected redirect and provides further information about the redirect URL parameters. Users can decide whether to proceed to the redirecting page or return to your Sitefinity CMS website home page.
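The trusted-domain check described above, written out as an added illustration in Python (not Sitefinity's own code, which is .NET). It assumes a constructed allowlist of trusted hosts and returns whether a redirect target may be followed directly or must be routed to a warning page; it also covers the common bypass shapes a validator has to treat as untrusted (protocol-relative, backslash, userinfo and lookalike-subdomain URLs).

```python
from urllib.parse import urlsplit

# Constructed sample allowlist; in Sitefinity this comes from the
# RedirectValidation configuration, not from code.
TRUSTED_HOSTS = {"example.com", "www.example.com"}


def is_safe_redirect(target: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """True only if target stays on-site (relative path) or lands on a trusted host."""
    if not target:
        return False
    # Browsers treat backslashes as slashes, so normalise before parsing;
    # this turns "/\evil.com" into "//evil.com", which is then caught below.
    candidate = target.replace("\\", "/")
    # Whitespace and control characters are sometimes used to smuggle a scheme
    # past naive prefix checks; a legitimate redirect target never contains them.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return False
    try:
        parts = urlsplit(candidate)
    except ValueError:  # malformed authority such as an unclosed "[" in the host
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, vbscript: and similar are never redirect targets
    if not parts.scheme and not parts.netloc:
        # Path-relative target: must be a single leading "/". Anything starting
        # with "//" (or "///") is interpreted by browsers as a new authority.
        return candidate.startswith("/") and not candidate.startswith("//")
    # .hostname drops the port and any userinfo, so "https://example.com@evil.com"
    # resolves to "evil.com" and is compared as such; it is also lowercased.
    host = parts.hostname or ""
    # Exact match only: "example.com.evil.com" must not pass as a subdomain.
    return host in trusted_hosts


def resolve_redirect(target: str, warning_page: str = "/redirect-warning") -> str:
    """Return the URL to send the user to: the target if trusted, else the warning page
    (hypothetical path) carrying the original target so the page can display it."""
    if is_safe_redirect(target):
        return target
    return f"{warning_page}?url={target}"
```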
Redirect validation settings
To access the redirect validation configuration, perform the following:
- In Sitefinity CMS backend, navigate to Administration » Settings » Advanced.
- In the tree on the left, expand WebSecurity and click RedirectValidation.
You can control the redirect validation behavior by modifying the following properties: