
Security Advisory 07-001 – ASP.NET Request Validation Bypass

Vulnerability Title:

ASP.NET Request Validation Bypass

Vulnerable System:


Vulnerability Discovery And Development:

Portcullis Security Testing Services.

Credit For Discovery:

Ferruh Mavituna of Portcullis Computer Security Ltd.

Affected Systems:

Vulnerable ASP.NET Versions: ASP.NET 2.0.5072 and below
Vulnerable Internet Explorer Versions: Internet Explorer 7.0.5730.11 and below (tested only in IE 6 and IE 7)
Vulnerable Mono Versions: Mono 1.2.2 and below (tested with XSP)


ASP.NET 1.1 and later ships a built-in request validation feature intended to protect against Cross-site Scripting (XSS).

This protection inspects every incoming request and throws an error if any request value contains what it considers potentially dangerous script or markup.

Bypassing ASP.NET Validation Request in IE

Only IE is affected (tested in IE 6 and IE 7; other versions may also be vulnerable).

Because the root cause is IE's incorrect handling of closing tags, this is arguably an IE vulnerability rather than an ASP.NET one.

ASP.NET request validation accepts input containing “</” and treats it as safe, on the assumption that a closing tag is harmless because it cannot carry attributes; IE, however, parses and honours attributes on a closing tag. The following proof of concept passes ASP.NET request validation and executes in IE:

</a style="xss:express/**/ion(alert('XSS'))">

The payload also uses a CSS comment (/**/) to split the keyword “expression”, so that ASP.NET's blacklist-style protection does not match the literal keyword, while IE's CSS parser discards the comment and evaluates expression(alert('XSS')) as a style expression.
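As an added illustration (not part of the original advisory, and not ASP.NET's actual implementation), the following Python models the two heuristics the advisory describes: a request validator that rejects “<” followed by a tag name but lets “</” through, and a literal-keyword blacklist for “expression” that the CSS comment defeats. It then shows a stricter check that normalises CSS comments before matching and treats “</” as dangerous, and contrasts both with HTML-encoding the value at output time, which neutralises the payload regardless of how leniently the browser parses tags. The regular expressions, function names and extra sample inputs are assumptions chosen for this example.

```python
import html
import re

# Proof-of-concept payload from the advisory (constructed test input).
ADVISORY_PAYLOAD = "</a style=\"xss:express/**/ion(alert('XSS'))\">"

# Simplified model of the request-validation heuristic the advisory
# describes (an assumption for this example, not ASP.NET's real code):
# reject "<" followed by a letter, "!" or "?", but let "</" through on the
# theory that a closing tag cannot carry attributes.
OPEN_TAG_RE = re.compile(r"<[A-Za-z!?]")

# Stricter variant: any "<" that could start markup, including "</".
ANY_TAG_RE = re.compile(r"<[A-Za-z/!?]")

# CSS comments, which IE's CSS parser discards before evaluating a property.
CSS_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)


def naive_request_validation(value: str) -> bool:
    """Return True if the simplified validator would accept the value."""
    return OPEN_TAG_RE.search(value) is None


def naive_keyword_blacklist(value: str) -> bool:
    """Return True if a literal-substring blacklist for 'expression' accepts it."""
    return "expression" not in value.lower()


def strip_css_comments(value: str) -> str:
    """Remove /* ... */ comments the way a CSS parser does before evaluation."""
    return CSS_COMMENT_RE.sub("", value)


def hardened_request_validation(value: str) -> bool:
    """Stricter check: treat '</' as dangerous and match keywords only after
    normalising CSS comments. Still a blacklist, so still bypassable in
    principle; shown to illustrate why the advisory payload gets through."""
    if ANY_TAG_RE.search(value):
        return False
    if "expression" in strip_css_comments(value).lower():
        return False
    return True


def html_encode(value: str) -> str:
    """Output encoding: the browser receives text, never markup, so the
    payload is inert no matter how leniently the browser parses tags."""
    return html.escape(value, quote=True)


def analyse(value: str) -> dict:
    """Summarise how each check treats a value."""
    return {
        "naive_validation_accepts": naive_request_validation(value),
        "keyword_blacklist_accepts": naive_keyword_blacklist(value),
        "normalised": strip_css_comments(value),
        "hardened_accepts": hardened_request_validation(value),
        "encoded": html_encode(value),
    }


if __name__ == "__main__":
    # Constructed samples: the advisory payload, an obvious script tag that
    # the naive check does catch, and benign text containing a bare "<".
    for sample in (ADVISORY_PAYLOAD, "<script>alert(1)</script>", "1 < 2 and 3 > 2"):
        print(repr(sample))
        for key, result in analyse(sample).items():
            print(f"  {key}: {result!r}")
```

Running the block shows the advisory payload passing both naive checks while the plain script tag is rejected, and the encoded form beginning with `&lt;/a style=&quot;`, which a browser renders as literal text rather than a tag.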

Vendor Status:

Vendor contacted – MS07-040 released.


Copyright © Portcullis Computer Security Limited 2007, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.


The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.