Re: [WEB SECURITY] PR08-20: Bypassing ASP .NET "ValidateRequest" for Script Injection Attacks
Hi kuza55,
Are you trying the payload that includes the tilde or the one without?
The one with the tilde (~) only works if the payload returns after an
opening angle bracket (<).
Please see: http://www.procheckup.com/Vulnerability_PR08-20.php
And yes, it also works on IE7. Just tried it on a live environment last
week.
kuza55 wrote:
> Sorry for digging this up, but I can't replicate your findings on the
> IE7 version you claim is vulnerable on your advisory.
>
> Your paper seems to say you only tested this on IE 5.5 and IE6 (no
> mention of IE7), so is that the case, or am I just doing it
> wrong?
>
> 2008/8/22 ProCheckUp Research <research@xxxxxxxxxxxxxx>:
> The Microsoft .NET framework comes with a request validation feature,
> configurable by the ValidateRequest setting. ValidateRequest has been a
> feature of ASP.NET since version 1.1. This feature consists of a series
> of filters, designed to prevent classic web input validation attacks
> such as HTML injection and XSS (Cross-site Scripting). This paper
> introduces script injection payloads that bypass ASP .NET web validation
> filters and also details the trial-and-error procedure that was followed
> to reverse-engineer such filters by analyzing .NET debug errors.
>
> The original version of this paper was released in January 2006 for
> private CPNI distribution. This paper has now been updated in August
> 2008 to include additional materials such as input payloads that bypass
> the latest anti-XSS .NET patches (MS07-40) released in July 2007.
>
> Paper:
>
> http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf
>
>
> Advisory:
>
> http://www.procheckup.com/Vulnerability_PR08-20.php