Security Issues: Open Redirect Vulnerability
public with sharing class classexample {
    public classexample() {
        c = new Contact();
        paramMap = ApexPages.currentPage().getParameters();
        list1 = new List<String>(paramMap.keySet());
        // Copy every query-string parameter except the two reserved ones onto the Contact
        for (Integer i = 0; i < list1.size(); i++) {
            paramName = list1.get(i);
            paramValue = paramMap.get(paramName);
            if (paramName != 'returnUrl' && paramName != 'core.apexpages.devmode.url') {
                c.put(paramName, paramValue);
            }
        }
        // Redirect target taken straight from the request, with no validation
        returnUrl = ApexPages.currentPage().getParameters().get('returnUrl');
    }

    public Contact c;
    public String lastname { get; set; }
    public String firstname { get; set; }
    public String paramName { get; set; }
    public String paramValue { get; set; }
    public List<String> list1 { get; set; }
    public Map<String, String> paramMap { get; set; }
    public String returnUrl;

    public PageReference autorun() {
        if (c.lastname != null) {
            insert c;
        }
        if (returnUrl != null) {
            // Open redirect: whatever URL the request supplied is followed
            PageReference p = new PageReference(returnUrl);
            return p;
        } else {
            return null;
        }
    }
}
Hi to all,
in the above class there are two security issues.
1. returnUrl = apexpages.currentpage().getparameters().get('returnUrl');
and
2.
pagereference p = new pagereference(returnUrl);
return p;
here the security issue is:
"Open Redirect Vulnerability
An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it."
how to fix these issues, please help me, it's urgent,
Thanking you in advance.
You should make sure that the redirect url meets one of the following conditions:
1) The URL starts with "/" (%2F escaped).
2) The URL starts with System.URL.getCurrentRequestURL().
3) The URL starts with System.URL.getSalesforceBaseURL().
4) The URL is otherwise on a whitelist of allowed URLs (e.g. if you allow a redirect to Google, this might be acceptable).
Try taking a look at the String or Pattern classes for examples of how you might check this.
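As an added illustration of those four conditions (example code, not from the thread or from Salesforce), a rewritten autorun() that checks returnUrl before building the PageReference; the allow-list contents and the fallback page are assumptions to adapt for your org:

```apex
// Added example: validate the returnUrl parameter before redirecting to it.
public with sharing class SafeRedirectExample {
    // Assumed allow-list of external hosts (condition 4); adjust for your org.
    private static final Set<String> ALLOWED_HOSTS = new Set<String>{ 'www.google.com' };

    public String returnUrl { get; set; }

    public SafeRedirectExample() {
        returnUrl = ApexPages.currentPage().getParameters().get('returnUrl');
    }

    // True only if the URL meets one of the conditions listed in the answer above.
    public static Boolean isSafeRedirect(String url) {
        if (String.isBlank(url)) {
            return false;
        }
        String target = url.trim();
        // Condition 1: a relative path. '//host' and '/\host' are rejected because
        // browsers treat them as protocol-relative links to another host.
        if (target.startsWith('/') && !target.startsWith('//') && !target.startsWith('/\\')) {
            return true;
        }
        // Conditions 2 and 3: same origin as the current request or the org base URL.
        // The trailing '/' stops 'https://myorg.my.salesforce.com.example' from matching.
        String base = System.Url.getSalesforceBaseUrl().toExternalForm();
        String current = System.Url.getCurrentRequestUrl().toExternalForm();
        if (target.startsWith(base + '/') || target.startsWith(current)) {
            return true;
        }
        // Condition 4: parse the URL and compare the host against the allow-list,
        // rather than doing a prefix match on the raw string.
        try {
            System.Url parsed = new System.Url(target);
            return parsed.getProtocol() == 'https'
                && ALLOWED_HOSTS.contains(parsed.getHost().toLowerCase());
        } catch (Exception e) {
            return false; // malformed URL
        }
    }

    public PageReference autorun() {
        if (isSafeRedirect(returnUrl)) {
            return new PageReference(returnUrl);
        }
        // Unsafe or missing target: send the user to a fixed page instead (assumed fallback).
        return new PageReference('/home/home.jsp');
    }
}
```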
All Answers
See http://wiki.developerforce.com/page/Secure_Coding_Arbitrary_Redirect.
Thanks for your quick response
can you please send me sample code, I am not understanding that topic.
thank you
Hi Sfdcfoex,
it works.
Thank you.