WebApp Sec mailing list archives

RE: ISS6 - ASP.NET


From: <webappsec () technicalinfo net>
Date: Tue, 09 Sep 2003 15:53:59 +0100

Observations below:

Has anyone been playing with ASP.NET and the error message it automagically creates? Given the following helpful error message, what experience have other people had SUCCESSFULLY exploiting this type of vuln on IIS6, given the comprehensive automated response?

1. This particular error is a new feature of the 1.1 runtime - the intention is to help prevent XSS attacks. However, 
as with all approaches that assume user input is good until proven otherwise (instead of assuming that it is bad until 
proven otherwise) there have already been challenges to the completeness of this prevention. Specifically, I believe 
that if you pass a <script> tag with the null character following the initial < character, you will trick the filter, 
but IE will ignore the character and execute the script. I have not had the opportunity to validate this myself, but 
given the general approach I suggest that if this is not possible, something is.
<WebAppSec> Thanks for that, but I had already tried null characters and various forms of encoding (allowed and 
non-allowed characters plus formats).  It appears that any %encoding or unicode forms are translated and stripped at 
the server-end unless they equate to something "allowable".  SQL syntax doesn't work at the moment either.
It appears that the trigger is Quote-GreaterThan-LessThan-AnyotherCharacter.  Quote-GreaterThan-LessThan is not 
enough... strange choice of trigger?

2. The second portion of your question relates to the comprehensiveness of the response, which is clearly a 
vulnerability. Go into the web.config and turn customErrors to on and you can direct the error information you can give 
back, rather than giving the caller a complete stack trace. This mode is intended to be used while in development only.
<WebAppSec> I've advised the client to revoke the sessionID and do a server-side redirect back to the main/login page 
as the process for dealing with any errors.

Cheers.

http://www.technicalinfo.net
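As an added illustration of point 2 above (not part of the original thread), the web.config fragment below shows the weak customErrors setting that returns a full stack trace to remote callers, beside a hardened setting; the redirect page name Error.aspx is an assumed placeholder, and the ASP.NET 1.1 request-validation switch from point 1 is shown kept enabled.

```xml
<!-- Added example, not from the thread. ASP.NET 1.1 web.config fragment.
     "Error.aspx" is an assumed placeholder for the site's own error page. -->
<configuration>
  <system.web>

    <!-- WEAK: with mode="Off" every unhandled exception sends the full
         stack trace and source excerpt to any caller on the network.
         <customErrors mode="Off" />                                   -->

    <!-- HARDENED: remote callers only ever see the generic error page.
         mode="RemoteOnly" still shows details to requests from localhost,
         which suits development; mode="On" hides them everywhere and is
         the safer choice for a production host. -->
    <customErrors mode="On" defaultRedirect="Error.aspx">
      <error statusCode="500" redirect="Error.aspx" />
    </customErrors>

    <!-- Keep the 1.1 request-validation filter discussed in point 1 turned
         on; it is a defence-in-depth layer, not a replacement for encoding
         output in the application itself. -->
    <pages validateRequest="true" />

  </system.web>
</configuration>
```

The session revocation and redirect-to-login behaviour mentioned in the reply would be implemented in the application's own error handler (for example Application_Error in Global.asax), not in this configuration.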

