There is an open redirect vulnerability in one of the nuget packages we use, it allows redirects in the form of: https://example.com/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://www.google.com
The culprit here is the /find_v2/ endpoint taking the _t_redirect parameter.
Is there a way to block only redirects from the /find_v2/ endpoint? We use Find for other operations on the site, but the redirect is not one of them. So I can safely block all redirects from Find.
I have already tried several versions of the following code in my web.config:
<rewrite>
<outboundRules>
<rule name="Rewrite Location Header" preCondition="IsRedirection" enabled="true" stopProcessing="true">
<match serverVariable="RESPONSE_Location" pattern="http[s]{0,1}://localhost/find_v2/(.*)" />
<conditions>
</conditions>
<action type="Rewrite" value="http://{HTTP_HOST}/static/errors/GeneralError.html" />
</rule>
<preConditions>
<preCondition name="IsRedirection">
<add input="{RESPONSE_STATUS}" pattern="3\d\d" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
A few other notes:
- I have successfully blocked ALL redirects from my site, but that is not a valid solution because our login page redirects back to the home page on successful login.
- In the "match" node, I cannot seem to use the 'url' attribute. I'm not really sure why, but that's why I'm using the 'pattern' one.
Any help or advice would be greatly appreciated!