List: bugtraq
Subject: Seeker Adv MS-06 - .Net Cross Site Scripting - Request Validation Bypassing
From: "Seeker Research Center" <qsrc () quotium ! com>
Date: 2012-08-29 16:26:21
Message-ID: 60B5D660C1B1784B89E17AC8559A5C7901B214C5 () exbe-tel ! ad ! hosteam ! fr
.Net Cross Site Scripting - Request Validation Bypassing
==========================================
Seeker Research Center
By Zamir Paltiel, August 2012
Overview
========
A vulnerability in the .Net Request Validation mechanism allows an attacker to bypass
the filter and execute malicious scripts in users' browsers via Cross Site Scripting
attacks. The exploitation technique explained here sends tags through the Request
Validation filter in a form that still passes browser syntax and is rendered by
browsers.
Details
========
The .Net Request Validation mechanism prevents attackers from sending tags as
parameter values. It is, however, possible to bypass this mechanism and send
arbitrary tags that facilitate script execution. The cause is that although <tag> is
restricted by the Request Validation filter, <%tag> is not restricted, yet Internet
Explorer browsers parse it as a valid tag.
Exploit
=======
An example of exploiting this vulnerability would be crafting a link to a page that
reflects a parameter value to the user. As the value of the parameter, the attacker
would provide a <%tag> with the style attribute and an expression, for example:

http://www.vulnerablesite.com/login.aspx?param=<%tag style="xss:expression(alert(123))" >

This will bypass the filter and execute the script in the brackets.
Affected Systems
================
This vulnerability has been tested on .Net frameworks 2.0 and above.
Vendor Response
===============
“The Request Validation Feature in ASP.NET is designed to perform basic input
validation. It is not designed to make security decisions for applications developed
using ASP.NET. Only the original developers can determine what content the ASP.NET
application is designed to process and handle. Microsoft recommends that all
software developers perform input/data validation of all sources. We do this to
encourage our customers to make more robust applications that are less susceptible to
security issues. The Request Validation Feature was designed and released to help
developers in this effort. For more information about our recommendations to
software developers, please see the following MSDN article:
http://msdn.microsoft.com/en-us/library/ff649487.aspx#pagguidelines0001_inputdatavalidation.”
Microsoft therefore will not be releasing a fix for this issue.
Credit
======
This vulnerability has been identified by Zamir Paltiel, Seeker Research Center.
For more information please visit
http://www.quotium.com/prod/ResearchCenter/XSS-NetrequestValidation.php
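
The filter gap described under Details, next to the output encoding that neutralizes the reflected value whether or not the filter catches it, as an added example (not part of the original advisory and not Microsoft's code). `LooksDangerous` is a simplified, assumed model of the Request Validation rule, and `RenderUnsafe` / `RenderEncoded` are hypothetical helpers standing in for a page that reflects `param`.

```csharp
using System;
using System.Net;

static class RequestValidationDemo
{
    // Simplified model (assumption) of the rule the advisory describes:
    // reject '<' followed by an ASCII letter, '!', '/' or '?', and reject "&#".
    static bool LooksDangerous(string value)
    {
        for (int i = 0; i + 1 < value.Length; i++)
        {
            char c = value[i], next = value[i + 1];
            bool asciiLetter = (next >= 'a' && next <= 'z') || (next >= 'A' && next <= 'Z');
            if (c == '<' && (asciiLetter || next == '!' || next == '/' || next == '?'))
                return true;
            if (c == '&' && next == '#')
                return true;
        }
        return false;
    }

    // Vulnerable pattern: the reflected value is concatenated into markup as-is,
    // so the page relies entirely on the input filter.
    static string RenderUnsafe(string param)
    {
        return "<p>Hello " + param + "</p>";
    }

    // Hardened pattern: HTML-encode at the point of output, independent of the filter.
    static string RenderEncoded(string param)
    {
        return "<p>Hello " + WebUtility.HtmlEncode(param) + "</p>";
    }

    static void Main()
    {
        // Constructed inputs: a plain tag, and the "<%tag" form quoted in the advisory.
        string[] samples =
        {
            "<tag style=\"xss:expression(alert(123))\" >",
            "<%tag style=\"xss:expression(alert(123))\" >",
        };
        foreach (string s in samples)
        {
            Console.WriteLine("input:   " + s);
            Console.WriteLine("filter:  " + (LooksDangerous(s) ? "rejected" : "passed"));
            Console.WriteLine("unsafe:  " + RenderUnsafe(s));
            Console.WriteLine("encoded: " + RenderEncoded(s));
            Console.WriteLine();
        }
    }
}
```

In the encoded output the `<`, `>` and `"` characters of both inputs become entities, so the value is displayed as text instead of being parsed as a tag.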