The ha.ckers.org and sla.ckers.org web application security lab house rules and a place for you to introduce yourself if you like. 
Hello
Posted by: sjensen
Date: October 30, 2006 09:35PM

Been reading the forums for a while, was finally able to register (hotmail account never received the registration email, so I ended up registering with my work email).

My background: I've spent the last 6 years as a web developer, the last 4 doing .NET exclusively. I've been dabbling in web app security for about 3 years now. I start a new job in my department in about 2 weeks; I'll be doing penetration testing for all of my company's web based applications. So anything ASP.NET security related I would be very interested in.

I read last week that a request validation bypass was discovered in .NET. Apparently, a well crafted request can bypass the built-in validation and allow for XSS attacks. Anyway, I've been racking my brain for the past 4 days attempting to discover how the vulnerability is implemented. If anyone happens to know how this is exploited, please share...

Anyway, just wanted to introduce myself.



Edited 1 time(s). Last edit at 11/18/2006 07:31PM by sjensen.

Re: Hello
Posted by: Kyran
Date: October 30, 2006 09:49PM

Nice to see another former-lurker-gone-active. ;)
Welcome!

- Kyran

Re: Hello
Posted by: rsnake
Date: October 30, 2006 09:59PM

Welcome sjensen, nice to have you aboard... I haven't seen that disclosure. Can you point me to it? I don't have a .NET environment but I should probably set one up on my lab machine. Currently my lab is in sad shape (too many side projects lately), but hopefully in the next few weeks I can get some of it back up and running again.

Anyway, welcome!

- RSnake
Gotta love it. http://ha.ckers.org

Re: Hello
Posted by: sjensen
Date: October 31, 2006 09:36AM

The advisory is located at the link below. I'm not sure if the vulnerability is specific to a particular culture setting or not.

http://www.niscc.gov.uk/niscc/docs/br-20061020-00711.html?lang=en

Re: Hello
Posted by: digi7al64
Date: November 02, 2006 05:53PM

@sjensen - the vulnerability they are talking about is .NET's client-side form validation controls.

For instance, consider the following, which appears in an HTML form in a .NET page...

1
<span id="_ctl3" controltovalidate="frmname" errormessage="Your name is required <br/>" display="Dynamic" evaluationfunction="RequiredFieldValidatorEvaluateIsValid" initialvalue="" style="color:Red;display:none;">Your name is required <br/></span>

2
<input name="frmname" type="text" maxlength="30" id="frmname" class="ipt" />

1 causes 2 to be validated at runtime in the postback method. Hence, to bypass this check I simply edit the HTML source code and manually remove 1 from it. Thus on the postback no validation on that control is called, and therefore I can possibly input anything I like.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 11/02/2006 05:55PM by digi7al64.

Re: Hello
Posted by: sjensen
Date: November 03, 2006 11:32AM

@digi7al64,

Actually, I think it's deeper than that. Even though you can bypass the validator controls, the request itself is still sent and validated through the System.Web.ClientSideScriptingValidation class, which would capture any basic XSS attack.

I think the vulnerability lies in how a request can be created so that it is not caught by the System.Web.ClientSideScriptingValidation class.

The System.Web.ClientSideScriptingValidation class consists of the class constructor and 3 distinct functions listed below.

This is the class constructor
' Static constructor: only '<' and '&' can begin a sequence this filter looks at.
Shared Sub New()
    CrossSiteScriptingValidation.startingChars = New Char() { "<"c, "&"c }
End Sub

' Returns True for a URL with any scheme other than http: / https:.
' Empty values and relative URLs (no colon at all) are allowed.
Friend Shared Function IsDangerousUrl(ByVal s As String) As Boolean
    If String.IsNullOrEmpty(s) Then
        Return False
    End If
    s = s.Trim
    Dim num1 As Integer = s.Length
    ' Case-insensitive check for a leading "http:" or "https:"
    If (((((num1 > 4) AndAlso ((s.Chars(0) = "h"c) OrElse (s.Chars(0) = "H"c))) AndAlso ((s.Chars(1) = "t"c) OrElse (s.Chars(1) = "T"c))) AndAlso (((s.Chars(2) = "t"c) OrElse (s.Chars(2) = "T"c)) AndAlso ((s.Chars(3) = "p"c) OrElse (s.Chars(3) = "P"c)))) AndAlso ((s.Chars(4) = ":"c) OrElse (((num1 > 5) AndAlso ((s.Chars(4) = "s"c) OrElse (s.Chars(4) = "S"c))) AndAlso (s.Chars(5) = ":"c)))) Then
        Return False
    End If
    ' Anything else that still contains a colon is treated as a scheme and flagged
    Dim num2 As Integer = s.IndexOf(":"c)
    If (num2 = -1) Then
        Return False
    End If
    Return True
End Function

' Scans a request value for "<" followed by a letter or "!", or for "&#".
' matchIndex receives the position of the last '<' or '&' examined.
Friend Shared Function IsDangerousString(ByVal s As String, <Out> ByRef matchIndex As Integer) As Boolean
    matchIndex = 0
    Dim num1 As Integer = 0
    Do While True
        ' Next '<' or '&' at or after num1; -1 when there are none left
        Dim num2 As Integer = s.IndexOfAny(CrossSiteScriptingValidation.startingChars, num1)
        If (num2 < 0) Then
            Return False
        End If
        ' A trailing '<' or '&' has nothing after it, so it is not flagged
        If (num2 = (s.Length - 1)) Then
            Return False
        End If
        matchIndex = num2
        Dim ch1 As Char = s.Chars(num2)
        If (ch1 <> "&"c) Then
            ' "<" followed by A-Z, a-z or "!" (tags, comments, doctype)
            If ((ch1 = "<"c) AndAlso (CrossSiteScriptingValidation.IsAtoZ(s.Chars((num2 + 1))) OrElse (s.Chars((num2 + 1)) = "!"c))) Then
                Return True
            End If
        ElseIf (s.Chars((num2 + 1)) = "#"c) Then
            ' "&#" numeric character reference
            Return True
        End If
        num1 = (num2 + 1)
    Loop
End Function

' ASCII letters only; other alphabets are not considered
Private Shared Function IsAtoZ(ByVal c As Char) As Boolean
    If ((c >= "a"c) AndAlso (c <= "z"c)) Then
        Return True
    End If
    If (c >= "A"c) Then
        Return (c <= "Z"c)
    End If
    Return False
End Function
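
As an added example (not code from the thread or from the framework), here is a Python port of the IsDangerousString and IsDangerousUrl checks pasted above, plus a small scan_form helper that applies the string check to posted fields the way request validation does; the form values are constructed. Running it shows what this blocklist heuristic flags ("<" followed by a letter or "!", "&#", non-http URL schemes) and what it lets through, which is why output encoding, not request validation alone, has to be the real defense.

```python
STARTING_CHARS = ("<", "&")  # mirrors CrossSiteScriptingValidation.startingChars

def is_a_to_z(c: str) -> bool:
    """Port of IsAtoZ: ASCII letters only."""
    return ("a" <= c <= "z") or ("A" <= c <= "Z")

def is_dangerous_string(s: str):
    """Port of IsDangerousString. Returns (flagged, match_index)."""
    match_index = 0
    start = 0
    while True:
        # IndexOfAny: first '<' or '&' at or after start, -1 if none remain
        hits = [i for i in (s.find(ch, start) for ch in STARTING_CHARS) if i >= 0]
        if not hits:
            return False, match_index
        n = min(hits)
        if n == len(s) - 1:            # trailing '<' or '&' has no follower
            return False, match_index
        match_index = n
        nxt = s[n + 1]
        if s[n] == "<":
            if is_a_to_z(nxt) or nxt == "!":   # "<a", "<!--", "<!DOCTYPE"
                return True, match_index
        elif nxt == "#":                        # "&#" numeric entity
            return True, match_index
        start = n + 1

def is_dangerous_url(s: str) -> bool:
    """Port of IsDangerousUrl: any scheme other than http:/https: is flagged."""
    if not s:
        return False
    s = s.strip()
    lower = s.lower()
    if lower.startswith("http:") or lower.startswith("https:"):
        return False
    return ":" in s   # relative URLs have no colon and pass

def scan_form(fields: dict) -> dict:
    """Apply the string check to each posted field; returns name -> reason."""
    findings = {}
    for name, value in fields.items():
        flagged, idx = is_dangerous_string(value)
        if flagged:
            findings[name] = f"suspicious sequence {value[idx:idx + 2]!r} at offset {idx}"
    return findings

# Constructed sample POST body: one field would be rejected, two pass untouched
SAMPLE_FORM = {"frmname": "Tom &amp; Jerry", "comment": "<b>hi</b>", "math": "1 < 2"}
```

Note that a legitimate "mailto:" link is flagged while a bare "<" in ordinary text is not: the filter trades precision for a narrow set of markup shapes, so any value it passes must still be encoded before it is written into a page.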
