
List:       bugtraq
Subject:    Seeker Adv MS-06 - .Net Cross Site Scripting - Request Validation Bypassing
From:       "Seeker Research Center" <qsrc () quotium ! com>
Date:       2012-08-29 16:26:21
Message-ID: 60B5D660C1B1784B89E17AC8559A5C7901B214C5 () exbe-tel ! ad ! hosteam ! fr


.Net Cross Site Scripting - Request Validation Bypassing
==========================================
Seeker Research Center
By Zamir Paltiel, August 2012

Overview
========
A vulnerability in the .Net Request Validation mechanism allows bypassing the
filter and execution of malicious scripts in the browsers of users via Cross
Site Scripting attacks. The exploitation technique explained here allows
sending tags through the Request Validation Filter in a manner that will pass
browser syntax and be rendered by browsers.

Details
========
The .Net Request Validation mechanism prevents attackers from sending tags as
the value of the parameters. It is however possible to bypass this mechanism
and send arbitrary tags that facilitate script execution. This is caused by the
fact that although <tag> is restricted by the Request Validation filter, <%tag>
is not restricted but parsed by Internet Explorer browsers as a valid tag.

Exploit
=======
An example of the exploitation of this vulnerability would be crafting a link
to a page that reflects a parameter value to the user. As the value of the
parameter the attacker would provide a <%tag> with the style attribute and an
expression, for example:

http://www.vulnerablesite.com/login.aspx?param=<%tag style="xss:expression(alert(123))" >

This will bypass the filter and execute the script in the brackets.

Affected Systems
================
This vulnerability has been tested on .Net frameworks 2.0 and above.

Vendor Response
===============
“The Request Validation Feature in ASP.NET is designed to perform basic input
validation.  It is not designed to make security decisions for applications
developed using ASP.NET.  Only the original developers can determine what
content the ASP.NET application is designed to process and handle.  Microsoft
recommends that all software developers perform input/data validation of all
sources.  We do this to encourage our customers to make more robust
applications that are less susceptible to security issues.  The Request
Validation Feature was designed and released to help developers in this
effort.  For more information about our recommendations to software
developers, please see the following MSDN article:
http://msdn.microsoft.com/en-us/library/ff649487.aspx#pagguidelines0001_inputdatavalidation.”

Microsoft therefore will not be releasing a fix for this issue.
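
Since no framework fix is planned, a reflected value has to be encoded at the
point where it is written into the page. The C# console program below is an
added example, not code from this advisory or from Microsoft: FilterRejects is
a simplified, assumed model of the filter rule described under Details,
RenderReflected is a hypothetical helper, and the sample inputs are constructed.

```csharp
using System;
using System.Net;

static class RequestValidationDemo
{
    // Simplified model (an assumption, not the framework's code) of the rule
    // described under Details: a '<' is rejected only when the next character
    // is a letter, '!', '/' or '?'. "<%" therefore passes.
    static bool FilterRejects(string value)
    {
        for (int i = 0; i + 1 < value.Length; i++)
        {
            if (value[i] != '<') continue;
            char next = value[i + 1];
            if (char.IsLetter(next) || next == '!' || next == '/' || next == '?')
                return true;
        }
        return false;
    }

    // Mitigation: HTML-encode when writing the value into the response, so
    // '<', '>', '"' and '&' reach the browser as text no matter what any
    // input filter let through.
    static string RenderReflected(string value)
    {
        return "<span>" + WebUtility.HtmlEncode(value) + "</span>";
    }

    static void Main()
    {
        // Constructed inputs with an inert attribute; the second has the
        // "<%tag" shape this advisory reports as passing the filter.
        string[] samples = { "<tag title=\"x\">", "<%tag title=\"x\">", "plain text" };
        foreach (string s in samples)
        {
            Console.WriteLine("input    : " + s);
            Console.WriteLine("rejected : " + FilterRejects(s));
            Console.WriteLine("rendered : " + RenderReflected(s));
            Console.WriteLine();
        }
    }
}
```

Inside an ASP.NET page the same encoding is available as
HttpUtility.HtmlEncode or Server.HtmlEncode.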

Credit
======
This vulnerability has been identified by Zamir Paltiel, Seeker Research Center.
For more information please visit
http://www.quotium.com/prod/ResearchCenter/XSS-NetrequestValidation.php
