List: full-disclosure
Subject: [Full-disclosure] .Net Cross Site Scripting - Request Validation Bypassing
From: "Seeker Research Center" <qsrc () quotium ! com>
Date: 2012-08-29 15:58:32
Message-ID: 60B5D660C1B1784B89E17AC8559A5C7901B2B298 () exbe-tel ! ad ! hosteam ! fr
.Net Cross Site Scripting - Request Validation Bypassing
========================================================
Seeker Research Center
By Zamir Paltiel, August 2012
Overview
========
A vulnerability in the .Net Request Validation mechanism allows bypassing the filter and execution of malicious scripts in the browsers of users via Cross Site Scripting attacks. The exploitation technique explained here allows sending tags through the Request Validation Filter in a manner that will pass browser syntax and be rendered by browsers.
Details
========
The .Net Request Validation mechanism prevents attackers from sending tags as the value of the parameters. It is however possible to bypass this mechanism and send arbitrary tags that facilitate script execution. This is caused by the fact that although <tag> is restricted by the Request Validation filter, <%tag> is not restricted but parsed by Internet Explorer browsers as a valid tag.
Exploit
=======
An example of the exploitation of this vulnerability would be crafting a link to a page that reflects a parameter value to the user. As the value of the parameter the attacker would provide a <%tag> with the style attribute and an expression, for example:
http://www.vulnerablesite.com/login.aspx?param=<%tag style="xss:expression(alert(123))" >
This will bypass the filter and execute the script in the brackets.
Affected Systems
================
This vulnerability has been tested on .Net frameworks 2.0 and above.
Vendor Response
===============
“The Request Validation Feature in ASP.NET is designed to perform basic input validation. It is not designed to make security decisions for applications developed using ASP.NET. Only the original developers can determine what content the ASP.NET application is designed to process and handle. Microsoft recommends that all software developers perform input/data validation of all sources. We do this to encourage our customers to make more robust applications that are less susceptible to security issues. The Request Validation Feature was designed and released to help developers in this effort. For more information about our recommendations to software developers, please see the following MSDN article: http://msdn.microsoft.com/en-us/library/ff649487.aspx#pagguidelines0001_inputdatavalidation.”
Microsoft therefore will not be releasing a fix for this issue.
Credit
======
This vulnerability has been identified by Zamir Paltiel, Seeker Research Center.
For more information please visit http://www.quotium.com/prod/ResearchCenter/XSS-NetrequestValidation.php
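The filter gap described under Details, set against validating and encoding the reflected value in the application itself, as an added example (not code from the advisory or from ASP.NET). `BlacklistFlags` is a simplified, assumed model of a tag-start blacklist and `IsExpectedValue` is a hypothetical allowlist rule; the sample values are the advisory's parameter value plus two constructed strings.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

static class ReflectedParamDemo
{
    // Simplified model (assumption, not the framework's source): flags '<' followed
    // by an ASCII letter, '!', '/' or '?', and the sequence "&#".
    static bool BlacklistFlags(string s)
    {
        for (int i = 0; i + 1 < s.Length; i++)
        {
            char c = s[i], n = s[i + 1];
            bool letter = (n >= 'a' && n <= 'z') || (n >= 'A' && n <= 'Z');
            if (c == '<' && (letter || n == '!' || n == '/' || n == '?')) return true;
            if (c == '&' && n == '#') return true;
        }
        return false;
    }

    // Hypothetical allowlist for a parameter the application expects to be a short
    // identifier; each application defines its own rule per parameter.
    static bool IsExpectedValue(string s)
    {
        return Regex.IsMatch(s, @"\A[A-Za-z0-9_-]{1,32}\z");
    }

    static void Main()
    {
        string[] samples =
        {
            "<tag style=\"x\">",                             // constructed: plain tag
            "<%tag style=\"xss:expression(alert(123))\" >",  // value from the advisory
            "user_42"                                        // constructed: benign value
        };
        foreach (string value in samples)
        {
            Console.WriteLine("value     : " + value);
            Console.WriteLine("blacklist : " + (BlacklistFlags(value) ? "rejected" : "passed"));
            Console.WriteLine("allowlist : " + (IsExpectedValue(value) ? "accepted" : "rejected"));
            // Encoding at output turns '<', '>' and '"' into entities, so the browser
            // renders the value as text whatever the input filter decided.
            Console.WriteLine("encoded   : " + WebUtility.HtmlEncode(value));
            Console.WriteLine();
        }
    }
}
```

The second sample passes the modelled blacklist but is rejected by the allowlist, and its encoded form no longer contains a tag-opening character.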