Bypassing ASP .NET "ValidateRequest" for Script Injection Attacks

2008.08.28
Credit: ProCheckUp Research;
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2008-3842 | CVE-2008-3843
CWE: CWE-79

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as HTML injection and XSS (Cross-site Scripting). This paper introduces script injection payloads that bypass ASP .NET web validation filters and also details the trial-and-error procedure that was followed to reverse-engineer such filters by analyzing .NET debug errors. The original version of this paper was released in January 2006 for private CPNI distribution. This paper has now been updated in August 2008 to include additional materials such as input payloads that bypass the latest anti-XSS .NET patches (MS07-40) released in July 2007. Paper: http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf Advisory: http://www.procheckup.com/Vulnerability_PR08-20.php -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFIrctJoR/Hvsj3i8sRAjEWAJ9DjcWdNiGcEykEphn71QJqzB05OgCeOznJ NVERfW1rIgUZyMWaKcMiSn8= =lTNm -----END PGP SIGNATURE-----

References:

http://www.securityfocus.com/archive/1/archive/1/495667/100/0/threaded
http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top