WebApp Sec mailing list archives

RE: ISS6 - ASP.NET


From: "Jackson, Chris" <CJackson () bridgecom com>
Date: Tue, 9 Sep 2003 10:15:26 -0400

Anyone been playing with ASP.NET and the error message it automagically
creates?
Given the following helpful error message, what experience have other
people had SUCCESSFULLY exploiting this type of vuln on IIS6, given the
comprehensive automated response?

1. This particular error is a new feature of the 1.1 runtime - the intention
is to help prevent XSS attacks. However, as with all approaches that assume
user input is good until proven otherwise (instead of assuming that it is
bad until proven otherwise) there have already been challenges to the
completeness of this prevention. Specifically, I believe that if you pass a
<script> tag with the null character following the initial < character, you
will trick the filter, but IE will ignore the character and execute the
script. I have not had the opportunity to validate this myself, but given
the general approach I suggest that if this is not possible, something is.

2. The second portion of your question relates to the comprehensiveness of
the response, which is clearly a vulnerability. Go into the web.config and
turn customErrors to on and you can direct the error information you can
give back, rather than giving the caller a complete stack trace. This mode
is intended to be used while in development only.


-- 
Chris Jackson
Alpha Geek
Software Engineer
Microsoft MVP
-- 
"If you consistently have trouble finding Main(), I respectfully submit that
C# programming may not be for you." - Eric Gunnerson
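
An added example, not part of the original post: a small audit for the customErrors setting that point 2 of the reply describes, run over the text of one web.config. The sample configurations, the function names and the finding wording are constructed for illustration; a single file does not show what parent configuration files contribute.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config contents (not taken from the original post).
WEAK = '<configuration><system.web><customErrors mode="Off"/></system.web></configuration>'
HARDENED = ('<configuration><system.web>'
            '<customErrors mode="On" defaultRedirect="~/error.htm"/>'
            '</system.web></configuration>')
INHERITED = '<configuration><system.web/></configuration>'


def local_name(tag):
    # Drop an XML namespace prefix such as "{uri}customErrors".
    return tag.rsplit("}", 1)[-1]


def audit_custom_errors(config_xml):
    """Return a list of findings about customErrors in one web.config."""
    root = ET.fromstring(config_xml)
    # iter() also reaches customErrors nested under <location> overrides.
    nodes = [n for n in root.iter() if local_name(n.tag) == "customErrors"]
    if not nodes:
        return ["INFO: no customErrors element; the inherited setting applies "
                "(RemoteOnly unless a parent config changes it)"]
    findings = []
    for node in nodes:
        mode = node.get("mode")
        redirect = node.get("defaultRedirect")
        if mode == "Off":
            findings.append("FAIL: mode=Off returns full error detail and "
                            "stack traces to remote callers")
        elif mode in ("On", "RemoteOnly"):
            if redirect is None:
                findings.append("WARN: mode=%s without defaultRedirect; "
                                "callers get the generic ASP.NET error page" % mode)
            else:
                findings.append("OK: mode=%s, errors redirected to %s"
                                % (mode, redirect))
        else:
            findings.append("WARN: unrecognised mode value %r" % mode)
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK), ("hardened", HARDENED),
                      ("inherited", INHERITED)):
        print(name, audit_custom_errors(xml))
```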

