Open Redirect Protection Is Now Included in Sitefinity CMS 11.1: Here Is How It Functions
Website security is one of the most important things developers need to consider in order to protect a site against cyber-attacks. Sitefinity CMS is a leading platform that allows business owners to create rich and functional websites.
Basic web security habits matter. With this in mind, Sitefinity 11.1 ships with a built-in redirect validation mechanism that helps protect a site against open redirect vulnerabilities, which in turn reduces the attack surface available to attackers.
To keep yourself safe, it is recommended that you adopt the basic web security habit of checking a hyperlink before clicking it.
In real life, however, with a busy schedule and hundreds of links to open to gather information, this is often infeasible. The truth is that users rarely have the time to inspect every link to check whether it is safe.
Sitefinity 11.1 takes a lot of that burden off your plate by:
Introducing the Open Redirect Protection as Part of the Web Security Module
I will discuss the problem in detail and explain how Sitefinity CMS solves it:
Let's assume that you own a popular ecommerce website at http://testwebsite.com, and that it contains logic which redirects users to their chosen payment provider based on a query string value.
An attacker exploits this behaviour by creating a site that imitates the look and feel of the payment provider you use.
Since your site is popular, it is also easy for the attacker to send fraudulent emails with the subject line "Confirm your payment details" to your users.
The email contains a hyperlink that leads to your site, but in the query string it passes the URL of the imitation site. Here is how it plays out for the unsuspecting user:
- The user receives the link in the email and clicks it.
- The browser opens the link and sends a request to your server.
- The server processes the query string and responds to the browser with a redirect to another location, namely the imitation site.
- The user does not notice the change of site and proceeds to enter their payment details.
How Does Sitefinity CMS 11.1 Help?
The web security module works by verifying each detected redirect attempt against a whitelist of trusted domains. If the module detects a redirect to a domain that is not trusted, it intercepts the attempt and displays a warning message instead of sending the user on to the malicious site.
The user can then decide whether or not to proceed, which gives the original website a higher level of protection. The redirect validation feature detects any redirect attempt that points to an external domain.
Note that redirect validation offers no protection if the user clicks a link that points directly to the external domain, because in that case no redirect through your site takes place.
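As an added illustration, not Sitefinity's own code (the article does not show the module's internals), here is a small Python model of the validation step described above: the destination taken from the query string is classified as same-site or trusted, which is redirected normally, or external and untrusted, which receives the warning page instead of a silent redirect. The domain list, the query parameter name and the sample URLs are constructed for this example.

```python
import re
from html import escape
from urllib.parse import urlsplit

# Constructed allowlist for the example: the shop itself plus its payment provider.
TRUSTED_DOMAINS = ("testwebsite.com", "payments.example")


def classify_redirect(target: str, trusted_domains=TRUSTED_DOMAINS) -> str:
    """Return "allow" for a same-site or trusted destination, "warn" for anything else."""
    # Browsers treat "\" as "/" and collapse runs of leading slashes, so "/\evil.test"
    # and "///evil.test" both mean "//evil.test"; normalise before parsing.
    candidate = re.sub(r"^/{2,}", "//", target.strip().replace("\\", "/"))
    parts = urlsplit(candidate)
    # Only plain web schemes may be redirect targets; javascript:, data: etc. are refused.
    if parts.scheme not in ("", "http", "https"):
        return "warn"
    host = parts.hostname  # drops userinfo, so "trusted.com@evil.test" resolves to evil.test
    if host is None:
        # No authority at all: a relative reference such as "/checkout" stays on this site.
        return "allow" if parts.scheme == "" else "warn"
    host = host.rstrip(".")
    for trusted in trusted_domains:
        # Exact match or a subdomain of a trusted domain; "payments.example.evil.test" fails.
        if host == trusted or host.endswith("." + trusted):
            return "allow"
    return "warn"


def handle_redirect(query: dict) -> tuple:
    """Model the server step of the scenario: read the destination from the query
    string (hypothetical "redirect" parameter) and either redirect or show the warning."""
    target = query.get("redirect", "/")
    if classify_redirect(target) == "allow":
        return 302, {"Location": target}, ""
    body = f"You are about to leave this site for {escape(target)}. Continue?"
    return 200, {}, body


if __name__ == "__main__":
    for t in ("/checkout?order=42", "https://payments.example/pay",
              "//evil.test/pay", "https://testwebsite.com@evil.test/"):
        print(t, "->", classify_redirect(t))
```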
Redirect validation is enabled by default for new Sitefinity CMS projects, so you remain protected against such fraudulent transactions.
It is not enabled by default for upgraded projects, so make sure to add it to your upgrade to-do checklist.