Page_load method may leak server-side conditional values, enabling user tracking from another website

Question

I am getting Cross Site History Manipulation issue on a Checkmarx scan of my solution.

The issue I am getting is: Method Page_Load at line 40 of xyz\abc.aspx.cs may leak server-side conditional values, enabling user tracking from another website. This may constitute a Privacy Violation. THIS IS THE CODE AND I AM GETTING THE ERROR ON LINE (*)

protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            lblErrorMsg.Text = "";
            lblErrorMsg.Visible = false;

            if (!IsPostBack)
            {
                //Code to get the content page name.
                string[] strPageInfo = HttpContext.Current.Request.ServerVariables.GetValues("PATH_INFO");
                string strPage = strPageInfo[0].Substring(strPageInfo[0].LastIndexOf('/') + 1, ((strPageInfo[0].Length - strPageInfo[0].LastIndexOf("/")) - 1)).ToLower();

                msg.MessageText = "Verifying access";
                oLogger.LogInfo(msg, "Verifying access");

                //firstly, check whether the logged-in user is authorized to view the page
                ManageAuthorization.CheckAccess(strPage, out BoolAccess);

                if (BoolAccess)
                {
                    msg.MessageText = "Authorized to perform operations";
                    oLogger.LogInfo(msg, "Authorized to perform operations");
                }
                else
                {
                    ////display unauthorized screen
                    msg.MessageText = "Unauthorized to perform operations";
                    oLogger.LogWarning(msg, "Unauthorized to perform operations");
                    RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider();
                    var byteArray = new byte[4];
                    var randomInteger = BitConverter.ToUInt32(byteArray, 0);
                    Response.Redirect(String.Format("../Default/Unauthorized.aspx?r={0}",randomInteger),true);
                }
            }
        }
        catch (Exception ex)
        {
            msg.MessageText = "Error while loading the page, Exception is:" + ex.Message;
            oLogger.LogMessage(LogCategory.Error, msg);
        }
    }

I am not getting any proper answer how can I fix this, please can anybody help. Thanks in advance :)

Answer 1

Checkmarx is marking this as a vulnerability because a threat agent could potentially compromise the browser's SOP and may leak user information through activity inference.

To remediate this, you need to add a random value in your Redirects:

msg.MessageText = "Unauthorized to perform operations";
oLogger.LogWarning(msg, "Unauthorized to perform operations");

RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider();
var byteArray = new byte[4];
provider.GetBytes(byteArray);
var randomInteger = BitConverter.ToUInt32(byteArray, 0);

Response.Redirect(String.Format("../Default/Unauthorized.aspx?r={0}", randomInteger), true);