«

Hi,
I've searched high and low looking for information on reflected or
non-persistent cross site scripting. An automated scan shows that my
website is vulnerable to such attacks, but everything I find when
searching just talks about validating inputs, which I do.

The information is appended to the URL, but they're not querystring
elements that I'm processing and I don't know why the stuff is being
embedded into the page.

This is an example of what's appended to the url:
?>"></title></iframe></script></form><sCriPt>alert("XSS_DETECTED")</sCriPt>

though it would be encoded thus
?%3E%22%3E%3C%2Ftitle%3E%3C%2Fiframe%3E%3C%2Fscrip t%3E%3C%2Fform%3E%3CsCriPt%3Ealert%28%22XSS+DETECT ED%22%29%3C%2FsCriPt%3E=1

The site is running ASP.NET 2 and the server is IIS7

Any help would be greatly appreciated.
Tony

There must be some code that reads the query string and returns the text as
part of the page. If it isn't in your code directly, it could be a third
party component or module that you might be using.

I'd do some searching in the code to find where the query string is being
accessed though.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Tony" <> wrote in message
news:...
> Hi,
> I've searched high and low looking for information on reflected or
> non-persistent cross site scripting. An automated scan shows that my
> website is vulnerable to such attacks, but everything I find when
> searching just talks about validating inputs, which I do.
>
> The information is appended to the URL, but they're not querystring
> elements that I'm processing and I don't know why the stuff is being
> embedded into the page.
>
> This is an example of what's appended to the url:
> ?>"></title></iframe></script></form><sCriPt>alert("XSS_DETECTED")</sCriPt>
>
> though it would be encoded thus
> ?%3E%22%3E%3C%2Ftitle%3E%3C%2Fiframe%3E%3C%2Fscrip t%3E%3C%2Fform%3E%3CsCriPt%3Ealert%28%22XSS+DETECT ED%22%29%3C%2FsCriPt%3E=1
>
> The site is running ASP.NET 2 and the server is IIS7
>
> Any help would be greatly appreciated.
> Tony

Hi Joe,
Thanks for the response. It seems it was IIS7 that was outputing the
code into the page, for whatever reason I don't know, seems a bit stupid
to me. Anyway the problem has been resolved using UrlScan, which stops
the dodgy request from reaching IIS.

I now know that this isn't a asp.net security problem as such, but I've
posted the update here in case anyone else has a similar problem and
mistakenly thinks asp.net is at fault.

Tony

Joe Kaplan wrote:
> There must be some code that reads the query string and returns the text
> as part of the page. If it isn't in your code directly, it could be a
> third party component or module that you might be using.
>
> I'd do some searching in the code to find where the query string is
> being accessed though.
>

URLScan is typically a good idea so that's probably a good place for you to
have ended up. It sounds weird that something built in to IIS7 would have
an XSS vulnerability in it, but I guess you never know...

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Tony" <> wrote in message
news:...
> Hi Joe,
> Thanks for the response. It seems it was IIS7 that was outputing the code
> into the page, for whatever reason I don't know, seems a bit stupid to me.
> Anyway the problem has been resolved using UrlScan, which stops the dodgy
> request from reaching IIS.
>
> I now know that this isn't a asp.net security problem as such, but I've
> posted the update here in case anyone else has a similar problem and
> mistakenly thinks asp.net is at fault.
>
> Tony
>
> Joe Kaplan wrote:
>> There must be some code that reads the query string and returns the text
>> as part of the page. If it isn't in your code directly, it could be a
>> third party component or module that you might be using.
>>
>> I'd do some searching in the code to find where the query string is being
>> accessed though.
>>