Sign Up ›
  • Yogita Rao
  • NEWBIE
  • 0 Points
  • Member since 2020
  • Chatter
    Feed
  • 0
    Best Answers
  • 0
    Likes Received
  • 0
    Likes Given
  • 0
    Questions
  • 2
    Replies
2 replies

Stuck on 'Prevent Open Redirects in Your Code' Challenge

Hello,
I'm working on the 3rd part of the App Logic Vulnerability Prevention Module.  

I followed the steps provided in the module to Force Local Redirects Only, but I keep seeing 'Challenge Not Yet Complete, The code does not appear to protect against open redirects. Make sure you have modify the save function to force local redirects only by removing any prepending '/' and then re-adding a '/' prior to saving the PageReference.'

My Code for the save method. Any ideas what's wrong? 

public PageReference save() {
        PageReference savePage;
        if (Schema.SObjectType.Resource_Type__c.isCreateable()) {
            try {

                insert rtype;

                String completion = ApexPages.currentPage().getParameters().get('finishURL');
                system.debug('First$' + completion);
                if (completion.startsWith('/')) {
                    system.debug('Second$' + completion);
                    completion = completion.replaceFirst('/','');

                    system.debug('Third$' + completion);
                }
                savePage = new PageReference('/' + completion);

                savePage.setRedirect(true);
                return savePage;


            } catch (exception e) {
                ApexPages.addmessage(new ApexPages.message(ApexPages.severity.ERROR, 'Unable to update requisitions.  Exception: ' + e.getMessage()));
                return null;
            }
        } else {
            ApexPages.addmessage(new ApexPages.message(ApexPages.severity.ERROR, 'You do not have permission to update requisitions'));
            return null;
        }
    }

 
23 replies

Stuck - Learn Standard Open Redirect Preventions

I'm currently stuck on the "Learn Standard Open Redirect Preventions" challenge of the "App Logic Vulnerability Prevention" module.

The challenge is to submit a valid open redirect attack starting from the Standard Redirect Protections Challenge tab.

However, the links on this page are all to standard record pages, where the hack (e.g changing retURL to returl) won't work (it only works on VF pages).

Even if I attempt this and check the challenge, the error I get states: "It doesn't appear that you've successfully redirected to an external website using the Visualforce page. Please try again." - so it implies that it expects me executing this from a custom VF page.

Can anyone give me some advice on where I'm missing something on the challenge?