Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > non-persistent (reflected) XSS

Reply
Thread Tools

non-persistent (reflected) XSS

 
 
Tony
Guest
Posts: n/a
 
      10-13-2009
Hi,
I've searched high and low looking for information on reflected or
non-persistent cross site scripting. An automated scan shows that my
website is vulnerable to such attacks, but everything I find when
searching just talks about validating inputs, which I do.

The information is appended to the URL, but they're not querystring
elements that I'm processing and I don't know why the stuff is being
embedded into the page.

This is an example of what's appended to the url:
?>"></title></iframe></script></form><sCriPt>alert("XSS_DETECTED")</sCriPt>

though it would be encoded thus
?%3E%22%3E%3C%2Ftitle%3E%3C%2Fiframe%3E%3C%2Fscrip t%3E%3C%2Fform%3E%3CsCriPt%3Ealert%28%22XSS+DETECT ED%22%29%3C%2FsCriPt%3E=1

The site is running ASP.NET 2 and the server is IIS7

Any help would be greatly appreciated.
Tony
 
Reply With Quote
 
 
 
 
Joe Kaplan
Guest
Posts: n/a
 
      10-14-2009

There must be some code that reads the query string and returns the text as
part of the page. If it isn't in your code directly, it could be a third
party component or module that you might be using.

I'd do some searching in the code to find where the query string is being
accessed though.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Tony" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
> I've searched high and low looking for information on reflected or
> non-persistent cross site scripting. An automated scan shows that my
> website is vulnerable to such attacks, but everything I find when
> searching just talks about validating inputs, which I do.
>
> The information is appended to the URL, but they're not querystring
> elements that I'm processing and I don't know why the stuff is being
> embedded into the page.
>
> This is an example of what's appended to the url:
> ?>"></title></iframe></script></form><sCriPt>alert("XSS_DETECTED")</sCriPt>
>
> though it would be encoded thus
> ?%3E%22%3E%3C%2Ftitle%3E%3C%2Fiframe%3E%3C%2Fscrip t%3E%3C%2Fform%3E%3CsCriPt%3Ealert%28%22XSS+DETECT ED%22%29%3C%2FsCriPt%3E=1
>
> The site is running ASP.NET 2 and the server is IIS7
>
> Any help would be greatly appreciated.
> Tony


 
Reply With Quote
 
 
 
 
Tony
Guest
Posts: n/a
 
      10-21-2009
Hi Joe,
Thanks for the response. It seems it was IIS7 that was outputing the
code into the page, for whatever reason I don't know, seems a bit stupid
to me. Anyway the problem has been resolved using UrlScan, which stops
the dodgy request from reaching IIS.

I now know that this isn't a asp.net security problem as such, but I've
posted the update here in case anyone else has a similar problem and
mistakenly thinks asp.net is at fault.

Tony

Joe Kaplan wrote:
> There must be some code that reads the query string and returns the text
> as part of the page. If it isn't in your code directly, it could be a
> third party component or module that you might be using.
>
> I'd do some searching in the code to find where the query string is
> being accessed though.
>

 
Reply With Quote
 
Joe Kaplan
Guest
Posts: n/a
 
      10-21-2009
URLScan is typically a good idea so that's probably a good place for you to
have ended up. It sounds weird that something built in to IIS7 would have
an XSS vulnerability in it, but I guess you never know...

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Tony" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Joe,
> Thanks for the response. It seems it was IIS7 that was outputing the code
> into the page, for whatever reason I don't know, seems a bit stupid to me.
> Anyway the problem has been resolved using UrlScan, which stops the dodgy
> request from reaching IIS.
>
> I now know that this isn't a asp.net security problem as such, but I've
> posted the update here in case anyone else has a similar problem and
> mistakenly thinks asp.net is at fault.
>
> Tony
>
> Joe Kaplan wrote:
>> There must be some code that reads the query string and returns the text
>> as part of the page. If it isn't in your code directly, it could be a
>> third party component or module that you might be using.
>>
>> I'd do some searching in the code to find where the query string is being
>> accessed though.
>>


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How XSS works in Frame? ABCL ASP .Net 2 02-08-2007 12:09 AM
Help with validateRequest (XSS) cummings695 ASP .Net 0 12-14-2006 01:24 PM
Cross-site scripting (XSS) defense johnzenger@gmail.com Python 3 06-16-2006 09:52 PM
XSS Clementine Computer Security 1 06-25-2005 11:58 AM
asp.net XSS protection Aaron ASP .Net 1 04-19-2005 08:54 AM



Advertisments