HTML Form found in redirect page security risk

To understand the title, let us walk through an example.

Assume that we have the following two pages:

  1. Admin page (accessible only to logged-in users)
  2. No Access page (the page an anonymous user is redirected to, telling them they do not have access to the admin page)

The admin page contains the following critical information:


The No Access page shows the following message to anonymous users:


Now, to prevent anonymous users from reaching the admin page, I used the code below in the page load event to redirect them to the No Access page using Response.RedirectLocation:


If you request admin.aspx from a browser, you get this result:


But if you use a tool such as the HTML Editor that ships with Acunetix, you get the following result instead:


But why?

The reason for this vulnerability is that Response.RedirectLocation does not terminate the response, so the rest of the page is still rendered into the response body. The client tool above does not follow redirects the way a browser does, so no redirection happens and we are able to see the content of the admin page.

To fix this issue, simply add Response.End() after setting Response.RedirectLocation, or use Response.Redirect instead, which internally calls Response.End() to stop processing the request.
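The two versions of the page load handler side by side, as an added example (this is not the post's own code). It assumes a Web Forms page admin.aspx, a hypothetical redirect target NoAccess.aspx, and that the login state is read from the standard Request.IsAuthenticated property; the explicit 302 status in the vulnerable version is an assumption, since RedirectLocation by itself only sets the Location header.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Vulnerable form: the redirect header is set, but the page lifecycle keeps
// running and the admin markup is still written into the response body.
// A browser follows the Location header and never shows that body; a client
// that ignores the header (a proxy, an HTTP editor, a script) reads it as-is.
public partial class AdminVulnerable : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
        {
            Response.StatusCode = 302;                 // assumption: status set by hand
            Response.RedirectLocation = "NoAccess.aspx"; // hypothetical target page
            // Missing: Response.End(); execution continues into Render().
        }
    }
}

// Hardened form: Response.Redirect(url) is Response.Redirect(url, endResponse: true).
// It sets the Location header and then calls Response.End(), which aborts the
// page lifecycle (by raising ThreadAbortException), so no admin markup is
// ever rendered into the body. Setting RedirectLocation and then calling
// Response.End() explicitly is equivalent.
public partial class AdminFixed : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
        {
            Response.Redirect("NoAccess.aspx"); // hypothetical target page
            // Nothing after this line, and no later lifecycle stage, executes.
        }
    }
}
```

To confirm the fix, request the page with a client that does not follow redirects (for example `curl -i`, which prints the headers and body and does not follow Location by default): the response should carry the Location header and an empty body, not the admin page's form. One caveat: the alternative pattern of `Response.Redirect(url, false)` followed by `Context.ApplicationInstance.CompleteRequest()` avoids the ThreadAbortException but does not stop the page from rendering, so it reintroduces the same leak unless the page's output is suppressed as well. As a defence in depth, deny anonymous users the admin path in web.config (`<authorization><deny users="?" /></authorization>` under a `<location>` element for the admin folder) so the framework refuses the request before Page_Load runs at all.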


For more details

