Lakshmi Sirisha

Stuck - Bypass Standard Open Redirect Protections in Apex

I'm currently stuck on the "Learn Standard Open Redirect Preventions" challenge of the "App Logic Vulnerability Prevention" module.

The challenge is to submit a valid open redirect attack starting from the Standard Redirect Protections Challenge tab.

However, the links on this page all go to standard record pages, where the hack (e.g. changing retURL to returl) won't work (it only works on VF pages).

Can anyone give me some advice on where I'm missing something on the challenge?
Sandhya (Salesforce Developers)
Hi,


To pass this challenge, my advice is as follows:
First, complete the exercise given in the Open Redirect Basics Demo.
Notice exactly what you did in step 1 to complete the Open Redirect Basics Demo exercise.
In exactly the same way, you have to change the URL to https://www.google.com to pass this challenge.

https://developer.salesforce.com/forums/?id=9060G000000XhLSQA0
 
Please mark it as solved if my reply was helpful. It will make it available to others as the proper solution.
                                             
Best Regards
Sandhya
 
Shiromani Shankaran
Please use the code below.
/**
 * Controller for the Standard Redirect Protections Challenge page of the
 * "App Logic Vulnerability Prevention" Trailhead module (see the question
 * at the top of this thread).
 *
 * NOTE(review): this is deliberately vulnerable training code. save() and
 * cancel() build a PageReference straight from request input and redirect
 * to it without checking that the target is a relative path, which is the
 * open-redirect pattern the module teaches. validate() does not reject
 * anything; it only records in the cvcs__c custom setting that an absolute
 * URL was reached. In production code the target would be restricted to a
 * relative path or an allow-list before redirecting; here it is left open
 * so the challenge counter can observe the result.
 *
 * The class declares neither "with sharing" nor "without sharing", so
 * sharing rules are not enforced for the SOQL below unless a calling
 * context enforces them - presumably fine for a demo org.
 */
public class Standard_Redirect_Protections_Challenge {

  // Up to five Requisition__c rows, loaded in the constructor and edited
  // inline through the page's inputfields.
  public List<Requisition__c> requisitions {get;set;}


  // Loads the rows shown on the page. The query is limited to 5 records and
  // selects exactly the fields the page binds to.
  public Standard_Redirect_Protections_Challenge(){
      requisitions = new List<Requisition__c>();
      for(Requisition__c requisition : [SELECT name, Castle__c, Resource__c, Quantity__c, Description__c FROM Requisition__c LIMIT 5]){
          requisitions.add(requisition);
      } 
  }


    /**
     * Page action that makes sure both the saveURL and cancelURL request
     * parameters are present.
     *
     * A blank parameter is replaced by '/' + the Requisition__c key prefix
     * (the object's list view) and the page is flagged for redirect; a
     * parameter that is already present is copied through unchanged. Nothing
     * about the supplied values is inspected here.
     *
     * @return this page, redirected with both parameters filled in, when at
     *         least one was missing; null when both were already supplied
     *         (no redirect, the page renders as is).
     */
    public pageReference seedURL(){
        pageReference p = page.Standard_Redirect_Protections_Challenge;
        String keyPrefix = Requisition__c.sObjectType.getDescribe().getKeyPrefix();
        String saveURL = ApexPages.currentPage().getParameters().get('saveURL');
        String cancelURL = ApexPages.currentPage().getParameters().get('cancelURL'); 
        if(string.isBlank(cancelURL)){      
             p.getParameters().put('cancelURL', '/'+keyPrefix);
            p.setRedirect(true);
        } else {
          // Passed through verbatim - no relative-path check.
          p.getParameters().put('cancelURL',cancelURL);
        }
        if(string.isBlank(saveURL)){      
            p.getParameters().put('saveURL', '/'+keyPrefix);
            p.setRedirect(true);
        } else {
          // Passed through verbatim - no relative-path check.
          p.getParameters().put('saveURL',saveURL);
        }

        // getRedirect() is true only if one of the branches above set it.
        if(p.getRedirect()==true){
          return p;
        } else {
          return null; 
        }    
    }


    /**
     * Saves the edited requisitions and redirects.
     *
     * Checks object-level update permission first; on success updates the
     * records and redirects to saveURL, recording the event through
     * validate() with loc = 1.
     *
     * @return the redirect target on success; null (with a page message)
     *         when the user lacks update permission or the DML fails.
     */
    public PageReference save(){
        PageReference savePage;
        if (Schema.SObjectType.Requisition__c.isUpdateable()){
            try{
                update requisitions;
                // NOTE(review): the parameter key here is the literal URL,
                // not 'saveURL'. Unless a parameter with that exact name is
                // present, get() returns null and the ternary below always
                // picks the hard-coded address, so this build redirects
                // off-site unconditionally instead of honouring the
                // saveURL parameter seeded by seedURL().
                String saveURL = ApexPages.currentPage().getParameters().get('https://www.google.com');
                saveURL = (saveURL == NULL) ? 'https://www.google.com' : saveURL;
                savePage = new PageReference(saveURL);
                savePage.setRedirect(true);
                validate(savePage,1);
                return savePage;
            }catch (exception e){
                // Catches every exception type; the message is shown on the
                // page rather than logged.
                ApexPages.addmessage(new ApexPages.message(ApexPages.severity.ERROR, 'Unable to update requisitions.  Exception: ' + e.getMessage()));
                return null;
            } 
        }else{
            ApexPages.addmessage(new ApexPages.message(ApexPages.severity.ERROR, 'You do not have permission to update requisitions'));
            return null;
        }
    }


    /**
     * Abandons the edit and redirects to the cancelURL request parameter,
     * defaulting to '/home/home.jsp' when it is blank.
     *
     * The parameter value is used as-is: an absolute URL is followed just
     * like a relative one, which is the open redirect this challenge is
     * about. The event is recorded through validate() with loc = 2.
     *
     * @return the redirect target; never null.
     */
    public PageReference cancel() {
        PageReference cancelPage;
        String cancelURL = ApexPages.currentPage().getParameters().get('cancelURL');
        if(string.isBlank(cancelURL)){
            cancelURL = '/home/home.jsp';
        }
        cancelPage = new PageReference(cancelURL);
        cancelPage.setRedirect(true);
        validate(cancelPage,2);
        return cancelPage;
    }    


    /**
     * Challenge bookkeeping, not a guard: nothing is rejected here.
     *
     * When the page's URL differs from the object list view and contains
     * 'http' or 'www' (a substring heuristic for "absolute URL"), the
     * cvcs__c custom-setting record named 'srpc1' is created if missing and
     * one of its counters is incremented: c1__c for loc 1 (save), c2__c for
     * loc 2 (cancel). Any other loc value changes nothing but still upserts.
     * Presumably the challenge checker reads these counters - verify.
     *
     * @param p   the redirect about to be returned to the browser
     * @param loc 1 when called from save(), 2 when called from cancel()
     */
    public void validate(pageReference p,integer loc){
        String url = '/'+Requisition__c.sObjectType.getDescribe().getKeyPrefix();
        if(p.getURL() != url && (p.getURL().contains('http')||p.getURL().contains('www'))){
            cvcs__c v = cvcs__c.getInstance('srpc1');
            if(v==null){
                v = new cvcs__c(name='srpc1',c1__c=0,c2__c=0);
            }
            if(loc==1){
                v.c1__c += 1;
            } else if (loc==2) {
                v.c2__c += 1;
            }
            upsert v;
        }
    }    
}
Ankit Bhati 8
Learn Standard Open Redirect Preventions
1) Bypass Standard Open Redirect Protections in Apex:
Use the code below; it will work 100%.



Visualforce page:
<!-- Visualforce page for the Standard Redirect Protections Challenge.
     The page action runs the controller's seedURL() before render, so the
     saveURL and cancelURL request parameters are filled in when missing
     (see the Apex controller below this listing). -->
<apex:page controller="Standard_Redirect_Protections_Challenge" sidebar="false" tabStyle="Standard_Redirect_Protections_Challenge__tab" action="{!seedURL}">
<apex:sectionHeader title="Standard Redirect Protections Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">
            <script>function setFocusOnLoad() {}</script> <!-- disable vf setting focus to first input field-->
            <!-- Inline editing of the (up to five) Requisition__c rows loaded by the controller. -->
            <apex:pageBlockTable value="{!requisitions}" var="rec">        
                <apex:column headervalue="Name">
                    <apex:inputfield value="{!rec.Name}" />
                </apex:column>
                <apex:column headervalue="Castle">
                    <apex:inputfield value="{!rec.Castle__c}" />
                </apex:column>                    
                <apex:column headervalue="Resource">
                    <apex:inputfield value="{!rec.Resource__c}" />
                </apex:column>
                <apex:column headervalue="Quantity">
                    <apex:inputfield value="{!rec.Quantity__c}" />
                </apex:column>
                <apex:column headervalue="Description">
                    <apex:inputfield value="{!rec.Description__c}" />
                </apex:column>                                                                                    
            </apex:pageBlockTable>
            <!-- Both buttons end in a controller redirect whose target is taken
                 from request parameters; the controller does not restrict it to
                 a relative path (that is the point of this challenge). -->
            <apex:outputPanel >
                <apex:commandButton action="{!save}" value="Save"/>        
                <apex:commandButton action="{!cancel}" value="Cancel"/>
            </apex:outputPanel>
       
        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="Standard_Redirect_Protections_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="Standard_Redirect_Protections_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>              
</apex:page>


Apex controller:
/**
 * Controller for the Standard Redirect Protections Challenge page of the
 * "App Logic Vulnerability Prevention" Trailhead module (see the question
 * at the top of this thread).
 *
 * NOTE(review): this is deliberately vulnerable training code. cancel()
 * builds a PageReference straight from a request parameter and redirects
 * to it without checking that the target is a relative path, which is the
 * open-redirect pattern the module teaches; in this variant save() always
 * redirects to a hard-coded external address. validate() does not reject
 * anything; it only records in the cvcs__c custom setting that an absolute
 * URL was reached. In production code the target would be restricted to a
 * relative path or an allow-list before redirecting; here it is left open
 * so the challenge counter can observe the result.
 *
 * The class declares neither "with sharing" nor "without sharing", so
 * sharing rules are not enforced for the SOQL below unless a calling
 * context enforces them - presumably fine for a demo org.
 */
public class Standard_Redirect_Protections_Challenge {

  // Up to five Requisition__c rows, loaded in the constructor and edited
  // inline through the page's inputfields.
  public List<Requisition__c> requisitions {get;set;}


  // Loads the rows shown on the page. The query is limited to 5 records and
  // selects exactly the fields the page binds to.
  public Standard_Redirect_Protections_Challenge(){
      requisitions = new List<Requisition__c>();
      for(Requisition__c requisition : [SELECT name, Castle__c, Resource__c, Quantity__c, Description__c FROM Requisition__c LIMIT 5]){
          requisitions.add(requisition);
      }
  }


    /**
     * Page action (action="{!seedURL}" on the Visualforce page above) that
     * makes sure both the saveURL and cancelURL request parameters exist.
     *
     * A blank parameter is replaced by '/' + the Requisition__c key prefix
     * (the object's list view) and the page is flagged for redirect; a
     * parameter that is already present is copied through unchanged. Nothing
     * about the supplied values is inspected here.
     *
     * @return this page, redirected with both parameters filled in, when at
     *         least one was missing; null when both were already supplied
     *         (no redirect, the page renders as is).
     */
    public pageReference seedURL(){
        pageReference p = page.Standard_Redirect_Protections_Challenge;
        String keyPrefix = Requisition__c.sObjectType.getDescribe().getKeyPrefix();
        String saveURL = ApexPages.currentPage().getParameters().get('saveURL');
        String cancelURL = ApexPages.currentPage().getParameters().get('cancelURL');
        if(string.isBlank(cancelURL)){      
             p.getParameters().put('cancelURL', '/'+keyPrefix);
            p.setRedirect(true);
        } else {
          // Passed through verbatim - no relative-path check.
          p.getParameters().put('cancelURL',cancelURL);
        }
        if(string.isBlank(saveURL)){      
            p.getParameters().put('saveURL', '/'+keyPrefix);
            p.setRedirect(true);
        } else {
          // Passed through verbatim - no relative-path check.
          p.getParameters().put('saveURL',saveURL);
        }

        // getRedirect() is true only if one of the branches above set it.
        if(p.getRedirect()==true){
          return p;
        } else {
          return null;
        }    
    }


    /**
     * Saves the edited requisitions and redirects.
     *
     * Checks object-level update permission first; on success updates the
     * records, then redirects to a hard-coded external address and records
     * the event through validate() with loc = 1.
     *
     * @return the redirect target on success; null (with a page message)
     *         when the user lacks update permission or the DML fails.
     */
    public PageReference save(){
        PageReference savePage;
        if (Schema.SObjectType.Requisition__c.isUpdateable()){
            try{
                update requisitions;
                // NOTE(review): the saveURL parameter is read and then
                // immediately overwritten, so the request value never
                // influences the redirect and this read is dead code. Every
                // successful save leaves the org for the literal below.
                String saveURL = ApexPages.currentPage().getParameters().get('saveURL');
                saveURL =  'https://www.google.com';
                savePage = new PageReference(saveURL);
                savePage.setRedirect(true);
                validate(savePage,1);
                return savePage;
            }catch (exception e){
                // Catches every exception type; the message is shown on the
                // page rather than logged.
                ApexPages.addmessage(new ApexPages.message(ApexPages.severity.ERROR, 'Unable to update requisitions.  Exception: ' + e.getMessage()));
                return null;
            }
        }else{
            ApexPages.addmessage(new ApexPages.message(ApexPages.severity.ERROR, 'You do not have permission to update requisitions'));
            return null;
        }
    }


    /**
     * Abandons the edit and redirects to the cancelURL request parameter,
     * defaulting to '/home/home.jsp' when it is blank.
     *
     * The parameter value is used as-is: an absolute URL is followed just
     * like a relative one, which is the open redirect this challenge is
     * about. The event is recorded through validate() with loc = 2.
     *
     * @return the redirect target; never null.
     */
    public PageReference cancel() {
        PageReference cancelPage;
        String cancelURL = ApexPages.currentPage().getParameters().get('cancelURL');
        if(string.isBlank(cancelURL)){
            cancelURL = '/home/home.jsp';
        }
        cancelPage = new PageReference(cancelURL);
        cancelPage.setRedirect(true);
        validate(cancelPage,2);
        return cancelPage;
    }    


    /**
     * Challenge bookkeeping, not a guard: nothing is rejected here.
     *
     * When the page's URL differs from the object list view and contains
     * 'http' or 'www' (a substring heuristic for "absolute URL"), the
     * cvcs__c custom-setting record named 'srpc1' is created if missing and
     * one of its counters is incremented: c1__c for loc 1 (save), c2__c for
     * loc 2 (cancel). Any other loc value changes nothing but still upserts.
     * Presumably the challenge checker reads these counters - verify.
     *
     * @param p   the redirect about to be returned to the browser
     * @param loc 1 when called from save(), 2 when called from cancel()
     */
    public void validate(pageReference p,integer loc){
        String url = '/'+Requisition__c.sObjectType.getDescribe().getKeyPrefix();
        if(p.getURL() != url && (p.getURL().contains('http')||p.getURL().contains('www'))){
            cvcs__c v = cvcs__c.getInstance('srpc1');
            if(v==null){
                v = new cvcs__c(name='srpc1',c1__c=0,c2__c=0);
            }
            if(loc==1){
                v.c1__c += 1;
            } else if (loc==2) {
                v.c2__c += 1;
            }
            upsert v;
        }
    }    
}