Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixations, hijacking, lockout, replay, session riding, etc.
A potentially dangerous Request.QueryString value was detected
Posted by: asilvermtzion
Date: July 27, 2008 11:21AM

Not run into this before (ASP built-in detection), anyone know how this works and what it's based on?

Re: A potentially dangerous Request.QueryString value was detected
Posted by: r0ckph1sh
Date: July 27, 2008 08:24PM

It's based on two routines that are called by the System.Web.HttpRequest class during its validation and parsing phase.

The relevant code is:

    // startingChars and IsAtoZ are other members of the same class; the post does not show them.
    internal static bool IsDangerousString(string s, out int matchIndex)
    {
        matchIndex = 0;
        int startIndex = 0;
        while (true)
        {
            // Find the next candidate character at or after startIndex.
            int num2 = s.IndexOfAny(startingChars, startIndex);
            if (num2 < 0)
            {
                return false;
            }
            // A candidate in the last position has no following character to test.
            if (num2 == (s.Length - 1))
            {
                return false;
            }
            matchIndex = num2;
            char ch = s[num2];
            if (ch != '&')
            {
                // '<' followed by a letter, '!' or '/'.
                if ((ch == '<') && ((IsAtoZ(s[num2 + 1]) || (s[num2 + 1] == '!')) || (s[num2 + 1] == '/')))
                {
                    return true;
                }
            }
            // '&' followed by '#'.
            else if (s[num2 + 1] == '#')
            {
                return true;
            }
            startIndex = num2 + 1;
        }
    }

    internal static bool IsDangerousUrl(string s)
    {
        if (string.IsNullOrEmpty(s))
        {
            return false;
        }
        s = s.Trim();
        int length = s.Length;
        // "http:" and "https:" in any letter case are accepted.
        if (((((length > 4) && ((s[0] == 'h') || (s[0] == 'H'))) && ((s[1] == 't') || (s[1] == 'T'))) && (((s[2] == 't') || (s[2] == 'T')) && ((s[3] == 'p') || (s[3] == 'P')))) && ((s[4] == ':') || (((length > 5) && ((s[4] == 's') || (s[4] == 'S'))) && (s[5] == ':'))))
        {
            return false;
        }
        // No colon anywhere: accepted.
        if (s.IndexOf(':') == -1)
        {
            return false;
        }
        // Anything else that contains a colon is reported as dangerous.
        return true;
    }

Re: A potentially dangerous Request.QueryString value was detected
Posted by: r0ckph1sh
Date: July 27, 2008 08:26PM

You can use Lutz Roeder's Reflector to view the code directly in the System.Web.CrossSiteScriptingValidation class.

btw, does this forum support [ code ] tags?

Re: A potentially dangerous Request.QueryString value was detected
Posted by: asilvermtzion
Date: July 28, 2008 09:13AM

Ha, thanks. I'm too lazy to install Visual Studio etc. It seems reasonably effective, at least it detects tags or events and some keywords. There is definitely scope to work around it though given its "blacklisting" approach.

Re: A potentially dangerous Request.QueryString value was detected
Posted by: PaPPy
Date: February 01, 2010 08:19AM

I've come across a lot of sites with this.
But if the XSS is into a link or into JavaScript, you can still exploit using quotes, onmouse events and other JavaScript if you're in tags.

http://www.xssed.com/archive/author=PaPPy/
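
The check discussed in this thread, as an added example that is not part of the thread or of the .NET Framework source: a standalone console port of IsDangerousString run over constructed query-string values, with each value's WebUtility.HtmlEncode output printed beside the result. It assumes startingChars holds '<' and '&' and that IsAtoZ matches ASCII letters, since the post shows neither; the class name RequestValidationDemo is made up for the example.

```csharp
using System;
using System.Net;

static class RequestValidationDemo
{
    // Assumption: the framework's startingChars array holds '<' and '&'.
    static readonly char[] StartingChars = { '<', '&' };

    // Assumption: IsAtoZ accepts ASCII letters in either case.
    static bool IsAtoZ(char c) =>
        (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

    // Same decision logic as the posted IsDangerousString, without matchIndex.
    static bool IsDangerousString(string s)
    {
        for (int i = s.IndexOfAny(StartingChars);
             i >= 0 && i < s.Length - 1;
             i = s.IndexOfAny(StartingChars, i + 1))
        {
            char next = s[i + 1];
            if (s[i] == '&' ? next == '#'
                            : IsAtoZ(next) || next == '!' || next == '/')
            {
                return true;
            }
        }
        return false;
    }

    static void Main()
    {
        // Constructed sample query-string values.
        string[] samples =
        {
            "<b>hello</b>",          // '<' followed by a letter
            "&#60;",                 // '&' followed by '#'
            "a < b && c",            // '<' and '&' followed by other characters
            "\" onmouseover=\"x()",  // quotes and an event attribute, no '<' or "&#"
        };

        foreach (string value in samples)
        {
            // Print the input check next to output encoding of the same value.
            Console.WriteLine("{0,-22} flagged={1,-5} encoded={2}",
                value, IsDangerousString(value), WebUtility.HtmlEncode(value));
        }
    }
}
```

The check only looks at the character after `<` or `&`, so a value written into an attribute or script context still has to be encoded for that context at output time, whatever the check returned on input.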
