Security Advisory: Incorrect Handling of Cross Site Scripting Protection in ASP.Net

August 25, 2003

Background

As part of Microsoft's attempts to make it easier for application developers to write secure code, Microsoft has added a new feature, named Request Validation, to the ASP.Net 1.1 framework. This feature provides out of the box protection against cross site scripting and script injection attacks by automatically checking all parameters in the request and ensuring that their content does not include HTML tags.

Scope

WebCohort assessed this new ASP.Net feature in order to determine whether it actually provides protection against cross site scripting and script injection attacks.

Findings

The ASP.Net request validation feature has an implementation flaw which allows an attacker to easily bypass the content restrictions, possibly exposing the application to cross site scripting and script injection attacks.

Details

Our research shows that the feature consists of banning, from the content of parameters, all strings of the form <letter (a less-than sign immediately followed by a letter). Hence the strings "<script>", "<img" and even "<a>" are forbidden, while strings like "</script>" are allowed. When the server encounters a forbidden string in the content of a parameter it issues an error message to the client.

As a result, WebCohort's Research Team was able to find a simple way to bypass the filtering mechanism: placing a NULL character between the less-than sign and the first character of the HTML tag's name. Since this is no longer recognized by the request validation feature as a valid opening tag, it is ignored. However, many browsers, including Microsoft's IE 6.0, disregard NULL characters in their input. Hence when the string is interpreted by the browser it is treated as an HTML tag, effectively yielding a cross site scripting (or script injection) opportunity.

Exploit

The exploit is executed by simply adding a URL-encoded null character to the request sent to the server. For instance:

http://foo.bar/search.asp?term=<%00SCRIPT>alert('Vulnerable')</SCRIPT>

Version Tested

  • ASP.Net 1.1

Workarounds

Do not rely on this feature for cross site scripting or script injection protection. The only effective method to avoid such attacks is performing HTML encoding within the application code itself.
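As an added illustration (not part of WebCohort's advisory or of the ASP.Net framework), the following Python models the check described under Details, the NULL-discarding browser behaviour, and the HTML-encoding workaround recommended above. The regular expression, the helper names and the page template are assumptions; the request URL is the one quoted in the Exploit section.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed approximation of the rule the advisory describes:
# reject any parameter containing "<" immediately followed by a letter.
FORBIDDEN_OPENING_TAG = re.compile(r"<[A-Za-z]")

# The request quoted in the advisory's Exploit section.
REQUEST_URL = "http://foo.bar/search.asp?term=<%00SCRIPT>alert('Vulnerable')</SCRIPT>"


def term_from_url(url: str) -> str:
    """URL-decode the 'term' parameter; %00 becomes a real NULL byte here."""
    return parse_qs(urlsplit(url).query)["term"][0]


def request_validation_rejects(value: str) -> bool:
    """Models the 1.1 request validation rule as the advisory describes it."""
    return FORBIDDEN_OPENING_TAG.search(value) is not None


def browser_view(markup: str) -> str:
    """Models a browser that drops NULL characters before parsing (the
    behaviour the advisory attributes to IE 6.0)."""
    return markup.replace("\x00", "")


def render_unsafe(term: str) -> str:
    """Hypothetical page that relies on request validation alone."""
    return f"<p>Results for {term}</p>"


def render_encoded(term: str) -> str:
    """Same page applying the advisory's workaround: HTML-encode in the application."""
    return f"<p>Results for {html.escape(term)}</p>"


def contains_script_tag(markup: str) -> bool:
    """Detection helper: does the markup the browser sees open a script element?"""
    return re.search(r"<script", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    term = term_from_url(REQUEST_URL)
    print("rejected by validation:", request_validation_rejects(term))
    print("script tag reaches browser (unsafe page):",
          contains_script_tag(browser_view(render_unsafe(term))))
    print("script tag reaches browser (encoded page):",
          contains_script_tag(browser_view(render_encoded(term))))
```

The unsafe page passes validation yet hands the browser a live script element once the NULL is dropped, while the encoded page turns the angle brackets into entities regardless of what validation did.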

Vendor's Response

WebCohort contacted the Microsoft Security Response Center immediately after discovering the vulnerability. Microsoft has acknowledged the vulnerability and promised that it will be fixed as part of a general update scheduled for September 3rd, which solves this problem. Microsoft does not intend to publish a specific security patch for this problem. Microsoft hotfix reference: KB-821156.

Discovered by WebCohort Technologies on August 20, 2003.

For comments and suggestions please contact adc@imperva.com

Disclaimer

The information within this advisory is subject to change without notice. Use of this information constitutes acceptance for use in an AS IS condition. Any use of this information is at the user’s own risk. There are no warranties, implied or expressed, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.

Redistribution of this alert electronically is allowed as long as it is not edited in any way. To reprint this alert, in whole or in part, in any medium other than electronic medium, contact adc@imperva.com for permission.