Why Url.IsLocalUrl is false for local URLs in ASP.NET MVC?

Question

Mission:

To prevent open redirection in an ASP.NET MVC 5 application

The story:

The user is on some webpage of website /, say overview page /Home/Overview and clicks login

After login, the server returns some top-secret user specific data and redirects to the same page from where the user initiated login request.

I need to make sure that the server do not stupidly redirect to a hacker's website after login and also pass top-secret user specific data.

The values of

• _Controller.Request.UrlReferrer
• _Controller.Request.UrlReferrer.AbsoluteUri
• _Controller.Request.Url.AbsoluteUri
• _Controller.Url.IsLocalUrl(returnUrl)

respectively are:

• {https://localhost:44300/Home/Overview}
• "https://localhost:44300/Home/Overview"
• "https://localhost:44300/Account/Login?returnUrl=%2FHome%2FOverview"
• false

The value of Url.IsLocalUrl is false which is logically wrong.

In such case, how do I make sure that the user get safely redirected to /Home/Overview and not http://blackHatHackerWebsite.com after successful login?

Why Url.IsLocalUrl is false for local URLs in ASP.NET MVC?

Answer 1

Url.IsLocalUrl("/Home/Overview") is definitely true. You get false because it's evaluating Url.IsLocalUrl("%2fHome%2fOverview"). That is, you returnUrl is url encoded twice. Try to find where you have an unnecessary encode.