Full Disclosure mailing list archives
Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message
From: A Z <kryptos.gnostikos () gmail com>
Date: Mon, 1 Dec 2014 11:43:48 +0100
Thank you all for the replies, Unfortunately, I can no longer really test this (it was on some internal network, so for example link shortening wouldn't work), but I wanted to know if anyone had encountered this stuff before. I should try on a clean install as suggested - if it works I'll let you know. For some unknown reason there was no HTML encoding in this error response, however the payload was truncated to 20 chars. I googled it and all I found was some discussion about the validateRequest attribute in web.config, however I didn't have the configuration of the server to check this. This was also part of some commercial app that uses IIS, but I think it's more related to IIS itself. Thanks all On Sat, Nov 29, 2014 at 7:37 AM, James Hooker <seidrhrafn () googlemail com> wrote:
You could skip the schema on any includes, and just use '//'. That will
then use the schema provided in the original URL. That will save you 4
characters at least. You can also skip most quotes in tags - that will save
you a few more characters. Link shortening services might also be of use,
however one that generates links short enough might be hard to come by -
more likely, you'll need a 3 character domain, with a 2 character extension
(such as UK, or IN).
You might be able a squeeze a script tag into that saved space.. *might*
Hello everyone,
I found some weird HTML code injection in an IIS error message. IIS spits
out some part of the user input that generated the error message, but will
only display 20 characters at most.
My question is: is it possible to actually exploit an XSS with this ?
Here is an example:
HTTP Request: mypage?search=%3cb%20onclick%3dalert(1)>%3e
HTTP Response (real):
<p>An error has occured.</p>
<p>Exception HttpRequestValidationException occurred while attempting
<b>mypage</b></p>
<p>Exception message is: <b>A potentially dangerous Request.QueryString
value was detected from the client (search="<b
onclick=alert(1)>...").</b></p>
<p>Stack trace:</p>
<pre>
Server stack trace:
[..]
My payload was: <b onclick=alert(1)>> and it works (after clicking).
However, can this actually be exploited in real life ? I tried stuff in 20
characters like: <embed src=http://x> or <img src=http://x/z> but no luck.
Has anyone ever tried this before ?
Thanks,
P.S. This might be a silly question with an obvious answer. If so, I'd be
grateful to have some extra information (links, docs etc.).
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message waysea (Dec 03)
- <Possible follow-ups>
- Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message Mark Steward (Dec 03)
- Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message James Hooker (Dec 03)
- Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message A Z (Dec 03)
- Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message Barry Dorrans (Dec 04)