To understand the title, let us look at this example.
Assume that we have the following two pages:
- Admin Page (only accessible to logged-in users)
- No Access Page (the page an anonymous user is redirected to, telling them that they do not have access to the admin page)
The Admin page contains the following critical information:
The No Access page shows the following message to the anonymous user:
Now, to prevent the anonymous user from accessing the admin page, I used the code below in the Page_Load event to redirect the user to the No Access page using Response.RedirectLocation.
If you try to access the admin.aspx page using a browser, you get this result:
But if you try to use a tool like the HTML Editor that belongs to Acunetix, you get the following result:
The reason for this vulnerability is that Response.RedirectLocation does not terminate the response: it only sets the Location header, and the page continues to execute and render. A browser follows the redirect, but the client tool above does not behave like a browser, so no redirection happens and we are able to see the content of the admin page in the response body.
To fix this issue, simply add Response.End() after setting RedirectLocation, or instead use Response.Redirect, which internally calls Response.End() to stop processing the page.
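The following code-behind is an added example (not the code from the original post) showing the vulnerable Page_Load next to the fixed one; the page names, the Session["user"] check and the admin content are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

// VULNERABLE: RedirectLocation only writes the Location header (and we set the
// 302 status ourselves, an assumption about the original code). Execution does
// not stop, so the rest of the page life cycle runs and the admin markup is
// rendered into the response body. A browser follows the Location header; a
// raw HTTP client just reads the body and sees the protected content.
public partial class AdminVulnerable : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session["user"] == null)   // assumed login check
        {
            Response.StatusCode = 302;
            Response.RedirectLocation = "NoAccess.aspx";
            // no Response.End(): falls through, page keeps rendering
        }
        // ... controls showing the critical information are rendered below
    }
}

// FIXED: Response.Redirect(url) defaults to endResponse = true, which calls
// Response.End() and aborts the current request, so nothing after it is
// rendered. Note that Response.Redirect(url, false) would NOT end the
// response and would reintroduce the same problem.
public partial class AdminFixed : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session["user"] == null)   // assumed login check
        {
            Response.Redirect("NoAccess.aspx");
            // equivalent explicit form:
            // Response.StatusCode = 302;
            // Response.RedirectLocation = "NoAccess.aspx";
            // Response.End();
        }
    }
}
```

To verify your own fix, request the page with a client that does not follow redirects (for example `curl -i` against admin.aspx without a session cookie) and confirm that the 302 response carries an empty body rather than the admin markup.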
For more details