BugTraq
Re: [WEB SECURITY] PR08-20: Bypassing ASP .NET "ValidateRequest" for Script Injection Attacks Sep 08 2008 08:07AM
ProCheckUp Research (research procheckup com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi kuza55,

Are you trying the payload that includes the tilde or the one without?

The one with the tilde (~) only works if the payload returns after an
opening angle bracket (<).

Please see: http://www.procheckup.com/Vulnerability_PR08-20.php

And yes, it also works on IE7. Just tried it on a live environment last
week.

kuza55 wrote:
> Sorry for digging this up, but I can't replicate your findings on the
> IE7 version you claim is vulnerable on your advisory.
>
> Your paper seems to say you only tested this on IE 5.5 and IE6 (no
> mention of IE7), so does is that the case, or am I just doing it
> wrong?
>
> 2008/8/22 ProCheckUp Research <research (at) procheckup (dot) com [email concealed]>:
> The Microsoft .NET framework comes with a request validation feature,
> configurable by the ValidateRequest setting. ValidateRequest has been a
> feature of ASP.NET since version 1.1. This feature consists of a series
> of filters, designed to prevent classic web input validation attacks
> such as HTML injection and XSS (Cross-site Scripting). This paper
> introduces script injection payloads that bypass ASP .NET web validation
> filters and also details the trial-and-error procedure that was followed
> to reverse-engineer such filters by analyzing .NET debug errors.
>
> The original version of this paper was released in January 2006 for
> private CPNI distribution. This paper has now been updated in August
> 2008 to include additional materials such as input payloads that bypass
> the latest anti-XSS .NET patches (MS07-40) released in July 2007.
>
> Paper:
>
> http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf
>
>
> Advisory:
>
> http://www.procheckup.com/Vulnerability_PR08-20.php
>>
-
------------------------------------------------------------------------
----
Join us on IRC: irc.freenode.net #webappsec
>>
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
>>
Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIxN1JoR/Hvsj3i8sRAv14AKCa6DCX9aUmEOMoey8BKxwFTDJHdgCeK6yG
Cs+5wbxgZollx7U0qQYX/F0=
=RU0G
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus