Bugtraq mailing list archives

Re: [WEB SECURITY] PR08-20: Bypassing ASP .NET "ValidateRequest" for Script Injection Attacks


From: ProCheckUp Research <research () procheckup com>
Date: Mon, 08 Sep 2008 09:07:37 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi kuza55,

Are you trying the payload that includes the tilde or the one without?

The one with the tilde (~) only works if the payload returns after an
opening angle bracket (<).

Please see: http://www.procheckup.com/Vulnerability_PR08-20.php

And yes, it also works on IE7. Just tried it on a live environment last
week.

kuza55 wrote:
Sorry for digging this up, but I can't replicate your findings on the
IE7 version you claim is vulnerable on your advisory.

Your paper seems to say you only tested this on IE 5.5 and IE6 (no
mention of IE7), so is that the case, or am I just doing it
wrong?

2008/8/22 ProCheckUp Research <research () procheckup com>:
The Microsoft .NET framework comes with a request validation feature,
configurable by the ValidateRequest setting. ValidateRequest has been a
feature of ASP.NET since version 1.1. This feature consists of a series
of filters, designed to prevent classic web input validation attacks
such as HTML injection and XSS (Cross-site Scripting). This paper
introduces script injection payloads that bypass ASP .NET web validation
filters and also details the trial-and-error procedure that was followed
to reverse-engineer such filters by analyzing .NET debug errors.

The original version of this paper was released in January 2006 for
private CPNI distribution. This paper has now been updated in August
2008 to include additional materials such as input payloads that bypass
the latest anti-XSS .NET patches (MS07-40) released in July 2007.

Paper:

http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf


Advisory:

http://www.procheckup.com/Vulnerability_PR08-20.php

-----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIxN1JoR/Hvsj3i8sRAv14AKCa6DCX9aUmEOMoey8BKxwFTDJHdgCeK6yG
Cs+5wbxgZollx7U0qQYX/F0=
=RU0G
-----END PGP SIGNATURE-----
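The advisory quoted in this thread makes a general point: ValidateRequest is a request-time filter that tries to recognise markup in incoming input, and a filter of that kind can be reverse-engineered and sidestepped. The durable defence is to treat input validation as a first line only and to encode untrusted data for the HTML context it is written into. The following is an added illustration of that output-encoding layer, written in Python rather than ASP.NET; it is not code from ProCheckUp, from the advisory, or from the .NET framework, and the sample inputs and the `TAG_LIKE` heuristic are constructed here for the example.

```python
import html
import re

# Constructed sample inputs: ordinary text and text that happens to contain
# HTML metacharacters. None of these are payloads; they show that legitimate
# input can contain '<', '>', '&' and quotes and still be rendered safely.
SAMPLE_INPUTS = [
    "plain comment",
    "a < b && b > c",
    'He said "hi" & left',
    "it's fine",
]

# A toy request-time heuristic in the spirit of a request-validation filter:
# flag a '<' that is followed by a tag-like character. This is deliberately
# simple and is NOT ASP.NET's actual ValidateRequest logic. Its role here is
# to show that such a check is a coarse pre-filter, not a security boundary.
TAG_LIKE = re.compile(r"<[A-Za-z!/?]")


def looks_like_markup(value: str) -> bool:
    """Return True if the toy request-time heuristic would flag the input."""
    return TAG_LIKE.search(value) is not None


def encode_for_html(text: str) -> str:
    """Encode untrusted text for insertion into HTML.

    quote=True escapes both kinds of quote as well as &, < and >, so the
    result is inert in HTML body content and inside a quoted attribute value.
    """
    return html.escape(text, quote=True)


def render_comment(user_text: str) -> str:
    """Body context: the encoded text sits between tags."""
    return '<p class="comment">' + encode_for_html(user_text) + "</p>"


def render_search_box(user_text: str) -> str:
    """Attribute context: the encoded text sits inside a double-quoted value."""
    return '<input type="text" name="q" value="' + encode_for_html(user_text) + '">'


def is_inert(encoded: str) -> bool:
    """True if the encoded string cannot open a tag or break out of a quoted
    attribute: no raw '<', '>', '"' or "'" survive encoding."""
    return not any(ch in encoded for ch in '<>"\'')


def roundtrip_ok(text: str) -> bool:
    """Encoding must not lose information: decoding gives the original back."""
    return html.unescape(encode_for_html(text)) == text


def main() -> None:
    for text in SAMPLE_INPUTS:
        flagged = looks_like_markup(text)
        encoded = encode_for_html(text)
        print(f"input={text!r} flagged_by_prefilter={flagged} "
              f"encoded={encoded!r} inert={is_inert(encoded)} "
              f"roundtrip={roundtrip_ok(text)}")
        print("  body:", render_comment(text))
        print("  attr:", render_search_box(text))


if __name__ == "__main__":
    main()
```

The two layers are independent: whether or not the heuristic flags an input, the encoding step is what guarantees the text cannot change the structure of the page. Encoding is also lossless, so a filter that rejects "a < b" as suspicious can be replaced by an encoder that displays it correctly.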

