Full Disclosure mailing list archives
Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message
From: Mark Steward <marksteward () gmail com>
Date: Sat, 29 Nov 2014 02:44:34 +0000
I've spotted this before and ignored it because it's all HTML-escaped. You can actually put as much as you like before the equals, presumably including script tags. You can also include enough after the equals to write something like "<iframe src=//xy.co>". Where are you seeing it unescaped? Is it some third-party handler? Try on a clean install with just an empty .aspx and a web.config with an empty configuration element. Mark On 29 Nov 2014 01:51, "A Z" <kryptos.gnostikos () gmail com> wrote:
Hello everyone,
I found some weird HTML code injection in an IIS error message. IIS spits
out some part of the user input that generated the error message, but will
only display 20 characters at most.
My question is: is it possible to actually exploit an XSS with this ?
Here is an example:
HTTP Request: mypage?search=%3cb%20onclick%3dalert(1)>%3e
HTTP Response (real):
<p>An error has occured.</p>
<p>Exception HttpRequestValidationException occurred while attempting
<b>mypage</b></p>
<p>Exception message is: <b>A potentially dangerous Request.QueryString
value was detected from the client (search="<b
onclick=alert(1)>...").</b></p>
<p>Stack trace:</p>
<pre>
Server stack trace:
[..]
My payload was: <b onclick=alert(1)>> and it works (after clicking).
However, can this actually be exploited in real life ? I tried stuff in 20
characters like: <embed src=http://x> or <img src=http://x/z> but no luck.
Has anyone ever tried this before ?
Thanks,
P.S. This might be a silly question with an obvious answer. If so, I'd be
grateful to have some extra information (links, docs etc.).
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message waysea (Dec 03)
- <Possible follow-ups>
- Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message Mark Steward (Dec 03)
- Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message James Hooker (Dec 03)
- Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message A Z (Dec 03)
- Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message Barry Dorrans (Dec 04)