WebApp Sec mailing list archives

RE: ISS6 - ASP.NET


From: "TUER, DON" <don.tuer () cgi com>
Date: Tue, 9 Sep 2003 11:05:19 -0400

FYI: These error messages should be suppressed for production servers. You
have many options in ASP.NET as to what errors are shown to the client.
Trace messages such as the one listed below should only be provided to
developers...



-----Original Message-----
From: webappsec () technicalinfo net [mailto:webappsec () technicalinfo net] 
Sent: September 9, 2003 6:23 AM
To: pen-test () securityfocus com; webappsec () securityfocus com
Subject: ISS6 - ASP.NET

Anyone been playing with ASP.NET and the error message it automagically
creates?



Given the following helpful error message, what experience have other people
had SUCCESSFULLY exploiting this type of vuln on IIS6, given the
comprehensive automated response?

A potentially dangerous Request.QueryString value was detected from the
client (criteria="'><H1>Toss</H1>").

Description: Request Validation has detected a potentially dangerous client
input value, and processing of the request has been aborted. This value may
indicate an attempt to compromise the security of your application, such as
a cross-site scripting attack. You can disable request validation by setting
validateRequest=false in the Page directive or in the configuration section.
However, it is strongly recommended that your application explicitly check
all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially
dangerous Request.QueryString value was detected from the client
(criteria="'><H1>Toss</H1>").

Source Error:

An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can
be identified using the exception stack trace below.

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.QueryString value was detected from the client (criteria="'><H1>Toss</H1>").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +230
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +99
   System.Web.HttpRequest.get_QueryString() +113
   System.Web.UI.Page.GetCollectionBasedOnMethod() +83
   System.Web.UI.Page.DeterminePostBackMode() +47
   System.Web.UI.Page.ProcessRequestMain() +2075
   System.Web.UI.Page.ProcessRequest() +218
   System.Web.UI.Page.ProcessRequest(HttpContext context) +18
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87

--------------------------------------------------------------------------------

Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET Version:1.1.4322.573







Cheers.



http://www.technicalinfo.net/
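As an added example, not part of this thread, of the suppression Don describes for production servers: a web.config section for an ASP.NET 1.1 site, with each setting that would expose the error page above noted in a comment beside its production value. GenericError.htm is a placeholder page name.

```xml
<configuration>
  <system.web>
    <!-- Leaky value: mode="Off" sends the full exception page and stack
         trace (as quoted in the original message) to every client.
         RemoteOnly keeps the detail for a browser on the server itself and
         shows remote clients only the generic page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="GenericError.htm">
      <!-- The HttpRequestValidationException surfaces as a 500; route it
           to the same generic page so the exception type is not revealed. -->
      <error statusCode="500" redirect="GenericError.htm" />
    </customErrors>

    <!-- Leaky value: debug="true" adds source file names and line numbers
         to stack traces. -->
    <compilation debug="false" />

    <!-- Leaky value: enabled="true" with localOnly="false" serves trace.axd
         (request details, server variables, session data) to remote
         clients. -->
    <trace enabled="false" localOnly="true" />

    <!-- Leave request validation on rather than setting validateRequest
         to false; pages must still validate their own inputs explicitly,
         as the framework message itself recommends. -->
    <pages validateRequest="true" />
  </system.web>
</configuration>
```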





