Bypassing ASP.NET XSS Filters

pagvac from ProCheckUp released an advisory on how to bypass ASP.NET XSS validation.

This attack only works against Internet Explorer users, as it exploits the old IE CSS comment hack; a very creative find indeed from the guys at ProCheckUp.

Proof of Concept:

Alert box injection - simply provided for testing purposes (may cause DoS issues on Internet Explorer):

http://target/vuln-search.aspx?term=</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>

ASP.NET will also escape double quotes ("), so although a number of .NET servers are vulnerable to this, it is somewhat mitigated by that fact.
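The bypass mechanics and the double-quote point above, as an added example that is not from the post or ProCheckUp's advisory: a detector that strips CSS comments before matching (the trick the payload relies on), run over the page's own payloads, beside a comparison of quote-only escaping with full HTML attribute encoding. The function names and the benign sample strings are my own constructions.

```python
import html
import re

# Constructed sample inputs: the two payloads quoted on this page plus
# benign search terms a real application would also see.
SAMPLES = {
    "long": "</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>",
    "short": "<//STYLE=x:e/**/xpression(alert('xss'))>",
    "benign_css": "the expression-free stylesheet",
    "benign": "asp.net request validation",
}

# IE ignored CSS comments inside a property value, so "e/**/xpression"
# still reached its expression() engine while a keyword filter saw nothing.
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
EXPRESSION_CALL = re.compile(r"expression\s*\(", re.IGNORECASE)


def naive_match(value: str) -> bool:
    """What a plain keyword blacklist sees: the raw, un-normalised input."""
    return bool(EXPRESSION_CALL.search(value))


def detect_css_expression(value: str) -> bool:
    """Strip CSS comments first, then look for an expression( call."""
    return bool(EXPRESSION_CALL.search(CSS_COMMENT.sub("", value)))


def escape_double_quotes_only(value: str) -> str:
    """The partial mitigation described above: only the double quote is neutralised."""
    return value.replace('"', "&quot;")


def attribute_encode(value: str) -> str:
    """Encode for an HTML attribute: &, <, >, double and single quotes all
    become entities, so the input can neither close a tag nor add STYLE=."""
    return html.escape(value, quote=True)


def is_inert_in_attribute(encoded: str) -> bool:
    """True when no raw character remains that could break out of a quoted
    attribute value or introduce a new attribute."""
    return not any(c in encoded for c in "<>\"'")


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:10} naive={naive_match(value)!s:5} "
              f"normalised={detect_css_expression(value)!s:5} "
              f"inert_after_attr_encode={is_inert_in_attribute(attribute_encode(value))}")
```

The quote-only escape leaves both payloads intact, which is why the mitigation only helps where the reflected value sits inside a double-quoted attribute.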

ASP Auditor (with a little mod) could be used to test whether your web server(s) are vulnerable. Let me know if you're interested. I hope to add this check to the tool shortly.

6 Comments so far

  1. pagvac @ April 18th, 2007

    it’s true that ASP .NET escapes double quotes thanks to its built-in request filtering which is enabled by default on ASP .NET 1.1.X and 2.0.x.

    the following is a typical situation you’ll come across a lot:

    <form name="Form1" method="post" action="Search.aspx?Start=0&amp;s=</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>" id="Form1">

    which means that we need to inject a quotation mark ('"') in order to escape the 'action' attribute.

    however, keep in mind that this is not always the case, as sometimes there is no need to evade quotation marks.

    I'd say on average this filter bypass allows you to increase XSS on ASP .NET sites by 15-20%. if someone managed to escape quotation marks I would guess that it would increase the exploitation to >=90% of ASP .NET sites. this is just a guess anyways.

    Please note that although further researched by me and Jan Fry the bypass was originally found by Richard Brain.

  2. pagvac @ April 18th, 2007

    Sorry, code got filtered before. Here is the safe version:

    <form name="Form1" method="post" action="Search.aspx?Start=0&amp;s=</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>" id="Form1">

  3. pagvac @ April 20th, 2007

    btw dwk, if the maximum length of the payload is an issue the following shortened version might help (also gets rendered by IE 7 and goes through ASP .NET 2.x filter):

    <//STYLE=x:e/**/xpression(alert('xss'))>

  4. David Kierznowski @ April 20th, 2007

    As I said man, very nice - I don't think this is even on the ha.ckers.org cheat sheet.