[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [WEB SECURITY] PR08-20: Bypassing ASP .NET "ValidateRequest" for Script Injection Attacks

From: kuza55 <kuza55@xxxxxxxxx>
Subject: Re: [WEB SECURITY] PR08-20: Bypassing ASP .NET "ValidateRequest" for Script Injection Attacks
Date: Thu, 4 Sep 2008 15:43:43 +1000

Sorry for digging this up, but I can't replicate your findings on the
IE7 version you claim is vulnerable on your advisory.

Your paper seems to say you only tested this on IE 5.5 and IE6 (no
mention of IE7), so does is that the case, or am I just doing it
wrong?

2008/8/22 ProCheckUp Research <research@xxxxxxxxxxxxxx>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The Microsoft .NET framework comes with a request validation feature,
> configurable by the ValidateRequest setting. ValidateRequest has been a
> feature of ASP.NET since version 1.1. This feature consists of a series
> of filters, designed to prevent classic web input validation attacks
> such as HTML injection and XSS (Cross-site Scripting). This paper
> introduces script injection payloads that bypass ASP .NET web validation
> filters and also details the trial-and-error procedure that was followed
> to reverse-engineer such filters by analyzing .NET debug errors.
>
> The original version of this paper was released in January 2006 for
> private CPNI distribution. This paper has now been updated in August
> 2008 to include additional materials such as input payloads that bypass
> the latest anti-XSS .NET patches (MS07-40) released in July 2007.
>
> Paper:
>
> http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf
>
>
> Advisory:
>
> http://www.procheckup.com/Vulnerability_PR08-20.php
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFIrctJoR/Hvsj3i8sRAjEWAJ9DjcWdNiGcEykEphn71QJqzB05OgCeOznJ
> NVERfW1rIgUZyMWaKcMiSn8=
> =lTNm
> -----END PGP SIGNATURE-----
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

Follow-Ups:
- Re: [WEB SECURITY] PR08-20: Bypassing ASP .NET "ValidateRequest" for Script Injection Attacks
  - From: ProCheckUp Research

Prev by Date: [WEB SECURITY] Re: Security thoughts/concerns with Amazon S3?
Next by Date: [WEB SECURITY] SEO Code Injection Paper
Previous by thread: [WEB SECURITY] Security thoughts/concerns with Amazon S3?
Next by thread: Re: [WEB SECURITY] PR08-20: Bypassing ASP .NET "ValidateRequest" for Script Injection Attacks
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site