Only allow redirects within the same domain with mod_rewrite


I would like to limit any redirects to URLs within the same application. Is this possible with ISAPI Rewrite (mod_rewrite for IIS)? Basically I want to protect against open redirection attacks.

One example is where a URL may come from a query string, or some other source. I want to check that any use of that URL, for a redirect, is only permitted if it's within the same domain. For example: Response.Redirect("some URL");

Mine is an ASP.NET application, running under IIS 6.

2

There are 2 answers

0
TonyCool On

You can try to use the following to check the domain in the query string and show 403 Forbidden if it's an external one:

RewriteBase /
# Substring match on the whole query string: any request whose query string does not
# contain "yourdomain.com" (an empty query string included) is answered with 403.
# The dots are escaped so they match literally rather than any character.
RewriteCond %{QUERY_STRING} !yourdomain\.com [NC]
RewriteRule .? - [F]
0
Yaroslav On

You'll need to do that check on the ASP.NET side, so as not to allow redirects outside your domain. Once the redirect instruction is sent to the client, your server will never get another chance to step in, because the client will immediately go to the other domain. If you don't control the ASP.NET code of this application, you may try to use Helicon Ape (instead of ISAPI_Rewrite). Helicon Ape has more features and also offers outbound response rewrites, so it may intercept the "redirect" response of your application before it is sent to the client. Two options are available:
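As an added example (not code from the question or either answer), here is the ASP.NET-side check described above, written in C# against the System.Web pipeline for a WebForms-era application; the class name SafeRedirect and the fallback path "/" are assumptions for this illustration.

```csharp
using System;
using System.Web;

// Added example: only let Response.Redirect send the client to the host that served
// the current request. Relative paths are allowed; absolute URLs must match the host.
public static class SafeRedirect
{
    // Returns true only when 'candidate' is a same-site target; 'target' then holds the
    // value that is safe to pass to Response.Redirect. Anything else is rejected.
    public static bool TryResolve(string candidate, string currentHost, out string target)
    {
        target = null;
        if (string.IsNullOrEmpty(candidate)) return false;
        string trimmed = candidate.Trim();

        // Browsers strip embedded tab/CR/LF before parsing, so "/\t/evil.example" would
        // become "//evil.example" on the client side. Reject such values outright.
        if (trimmed.IndexOfAny(new[] { '\t', '\r', '\n' }) >= 0) return false;

        // Relative path: exactly one leading '/'. "//host" and "/\host" are treated as
        // protocol-relative absolute URLs by browsers and must not be accepted here.
        if (trimmed.StartsWith("/") && !trimmed.StartsWith("//") && !trimmed.StartsWith("/\\"))
        {
            target = trimmed;
            return true;
        }

        // Absolute URL: only http/https, and only if the host equals the current host.
        Uri uri;
        if (Uri.TryCreate(trimmed, UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps)
            && string.Equals(uri.Host, currentHost, StringComparison.OrdinalIgnoreCase))
        {
            target = uri.AbsoluteUri;
            return true;
        }
        return false;
    }

    // Drop-in replacement for Response.Redirect(url): external targets fall back to "/".
    // Usage from a page: SafeRedirect.Redirect(Response, Request, Request.QueryString["ReturnUrl"]);
    public static void Redirect(HttpResponse response, HttpRequest request, string candidate)
    {
        string target;
        if (!TryResolve(candidate, request.Url.Host, out target)) target = "/";
        response.Redirect(target, true);
    }
}
```

Request.Url.Host comes from the Host header, so if the site is reached through several host names, compare against an explicit list of permitted hosts instead.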