Re: [WEB SECURITY] PR08-20: Bypassing ASP .NET "ValidateRequest" for Script Injection Attacks Sep 08 2008 08:07AM
ProCheckUp Research (research procheckup com)

Hi kuza55,

Are you trying the payload that includes the tilde or the one without?

The one with the tilde (~) only works if the payload returns after an
opening angle bracket (<).

Please see: http://www.procheckup.com/Vulnerability_PR08-20.php

And yes, it also works on IE7. Just tried it on a live environment last

kuza55 wrote:
> Sorry for digging this up, but I can't replicate your findings on the
> IE7 version you claim is vulnerable on your advisory.
> Your paper seems to say you only tested this on IE 5.5 and IE6 (no
> mention of IE7), so is that the case, or am I just doing it
> wrong?
> 2008/8/22 ProCheckUp Research <research (at) procheckup (dot) com>:
> The Microsoft .NET framework comes with a request validation feature,
> configurable by the ValidateRequest setting. ValidateRequest has been a
> feature of ASP.NET since version 1.1. This feature consists of a series
> of filters, designed to prevent classic web input validation attacks
> such as HTML injection and XSS (Cross-site Scripting). This paper
> introduces script injection payloads that bypass ASP .NET web validation
> filters and also details the trial-and-error procedure that was followed
> to reverse-engineer such filters by analyzing .NET debug errors.
> The original version of this paper was released in January 2006 for
> private CPNI distribution. This paper has now been updated in August
> 2008 to include additional materials such as input payloads that bypass
> the latest anti-XSS .NET patches (MS07-40) released in July 2007.
> Paper:
> http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf
> Advisory:
> http://www.procheckup.com/Vulnerability_PR08-20.php

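As an added example (not code from the ProCheckUp paper, nor from ASP.NET itself), the following Python models the core ValidateRequest rule as it appears in later public .NET sources (System.Web.CrossSiteScriptingValidation.IsDangerousString): a "<" is flagged only when followed by an ASCII letter or one of "!", "/", "?", and an "&" only when followed by "#". The 2006/2008-era filter tables that the paper reverse-engineered are not reproduced here; treating them as equivalent to this rule is an assumption. The sample inputs are constructed for the example and are not the advisory's payloads. The point it shows is the one under discussion in the thread: a denylist keyed on the character after "<" lets strings such as "<~..." through unchanged, and whether such a string then does anything depends entirely on the surrounding markup and on how the browser (IE6 versus IE7 in this exchange) parses it. Output encoding, shown alongside, is the control that does not depend on either.

```python
import html

# Added example. Models the '<'-followed-by-letter rule of later .NET
# request validation; the exact filter of the framework versions discussed
# in the paper is assumed, not reproduced.


def is_dangerous_string(s: str) -> tuple[bool, int]:
    """Return (dangerous, index_of_offending_char) following the shape of
    IsDangerousString: scan for '<' or '&' and inspect the next character."""
    i = 0
    while True:
        candidates = [n for n in (s.find("<", i), s.find("&", i)) if n >= 0]
        if not candidates:
            return False, -1
        n = min(candidates)
        if n == len(s) - 1:  # trailing '<' or '&' with nothing after it
            return False, -1
        nxt = s[n + 1]
        if s[n] == "<" and (("a" <= nxt <= "z") or ("A" <= nxt <= "Z") or nxt in "!/?"):
            return True, n
        if s[n] == "&" and nxt == "#":
            return True, n
        i = n + 1


def validate_request(params: dict[str, str]) -> dict[str, bool]:
    """Emulate the request-wide check: True means this parameter alone would
    make the framework reject the request (HttpRequestValidationException)."""
    return {name: is_dangerous_string(value)[0] for name, value in params.items()}


def render_raw(value: str) -> str:
    """The pattern ValidateRequest is meant to compensate for: reflecting
    input into HTML unencoded. The template is constructed for the example."""
    return f"<p>Results for {value}</p>"


def render_encoded(value: str) -> str:
    """What actually neutralises the injection: HTML-encode on output,
    regardless of whether the request filter let the value through."""
    return f"<p>Results for {html.escape(value, quote=True)}</p>"


# Constructed inputs. The first four trip the rule; the rest pass it even
# though several still begin a tag or an entity once a browser sees them.
SAMPLES = {
    "classic":   "<script>alert(1)</script>",
    "comment":   "<!-- x -->",
    "close_tag": "</div>",
    "entity":    "&#60;script&#62;",
    "tilde":     "<~x>",            # '~' is not a letter, '!', '/' or '?'
    "space":     "< script>",       # ' ' is not in the set either
    "named_ent": "&lt;script&gt;",  # named entity: '&' not followed by '#'
    "plain":     "hello world",
}

if __name__ == "__main__":
    for name, rejected in validate_request(SAMPLES).items():
        print(f"{name:10} rejected={str(rejected):5} "
              f"raw={render_raw(SAMPLES[name])!r} "
              f"encoded={render_encoded(SAMPLES[name])!r}")
```

Running it lists which constructed inputs the modelled filter would reject and what each looks like reflected raw versus HTML-encoded; the "tilde" and "space" rows reach the page intact through the filter, which is why the thread's question of browser parsing context decides whether they are exploitable.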


Copyright 2010, SecurityFocus