Comments on: Bypassing ASP.NET XSS Filters

By: Operation n » ASP-Auditor v2.2 Release

Operation n » ASP-Auditor v2.2 Release — Fri, 20 Apr 2007 22:30:12 +0000

[...] support for Anti-XSS Validation detection. # Added ASP Source Directory Leak Check # Added Apr/07 ASP.NET Validation Bypass [...]

By: Operation n » ASP Auditor v2 BETA

Operation n » ASP Auditor v2 BETA — Fri, 20 Apr 2007 22:29:49 +0000

[...] support for Anti-XSS Validation detection. # * Added ASP Source Directory Leak Check # * Added Apr/07 ASP.NET Validation Bypass Check # # –v2.1– 25/Sep/06 # * GET /Trace.axd often leaks [...]

By: David Kierznowski

David Kierznowski — Fri, 20 Apr 2007 18:38:46 +0000

As I said man, very nice – I dont think this is even on ha.ckers.org cheat sheet.

By: pagvac

pagvac — Fri, 20 Apr 2007 14:22:58 +0000

btw dwk, if the maximum length of the payload is an issue the following shortened version might help (also gets rendered by IE 7 and goes through ASP .NET 2.x filter):

By: pagvac

pagvac — Wed, 18 Apr 2007 16:16:55 +0000

Sorry, code got filtered before. Here is the safe version:

By: pagvac

pagvac — Wed, 18 Apr 2007 16:14:45 +0000

it’s true that ASP .NET escapes double quotes thanks to its built-in request filtering which is enabled by default on ASP .NET 1.1.X and 2.0.x.

the following is a typical situation you’ll come across a lot:

which means that we need to inject a quotation mark ‘”‘ in order to escape the ‘action’ attribute.

however, keep in mind that this is not always the case, as sometimes there is not need to evade quotation marks.

I’d say on avarage this filter bypass allows you to increase XSS on ASP .NET sites by 15-20%. if someone managed to escape quotation marks I would guess that it would increase the exploitation to >=90% of ASP .NET sites. this is just a guess anyways.

Please note that although further researched by me and Jan Fry the bypass was originally found by Richard Brain.