Date: Mon, 08 Sep 2008 09:07:37 +0100
From: ProCheckUp Research <research@...checkup.com>
To: kuza55 <kuza55@...il.com>
Cc: bugtraq@...urityfocus.com,
	WebAppSec <webappsec@...urityfocus.com>, websecurity@...appsec.org
Subject: Re: [WEB SECURITY] PR08-20: Bypassing ASP .NET "ValidateRequest"
 for Script Injection Attacks

Hi kuza55,

Are you trying the payload that includes the tilde or the one without?

The one with the tilde (~) only works if the payload returns after an
opening angle bracket (<).

Please see: http://www.procheckup.com/Vulnerability_PR08-20.php

And yes, it also works on IE7. Just tried it on a live environment last
week.

kuza55 wrote:
> Sorry for digging this up, but I can't replicate your findings on the
> IE7 version you claim is vulnerable in your advisory.
> 
> Your paper seems to say you only tested this on IE 5.5 and IE6 (no
> mention of IE7), so is that the case, or am I just doing it
> wrong?
> 
> 2008/8/22 ProCheckUp Research <research@...checkup.com>:
> The Microsoft .NET framework comes with a request validation feature,
> configurable by the ValidateRequest setting. ValidateRequest has been a
> feature of ASP.NET since version 1.1. This feature consists of a series
> of filters, designed to prevent classic web input validation attacks
> such as HTML injection and XSS (Cross-site Scripting). This paper
> introduces script injection payloads that bypass ASP .NET web validation
> filters and also details the trial-and-error procedure that was followed
> to reverse-engineer such filters by analyzing .NET debug errors.
> 
> The original version of this paper was released in January 2006 for
> private CPNI distribution. This paper has now been updated in August
> 2008 to include additional materials such as input payloads that bypass
> the latest anti-XSS .NET patches (MS07-40) released in July 2007.
> 
> Paper:
> 
> http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf
> 
> 
> Advisory:
> 
> http://www.procheckup.com/Vulnerability_PR08-20.php

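Added illustration of the point made in this thread; it is not code from the advisory, the paper or Microsoft. Request validation is an input-side blacklist: it judges the raw request value on its own, so a value that carries no "<" of its own is never rejected, and whether it becomes markup depends entirely on where the application writes it. The advisory's condition is that the payload "returns after an opening angle bracket"; the model below generalises that with a constructed template in which a user-chosen heading level lands straight after "<h", and a generic event-handler attribute stands in for the paper's IE-specific payloads, which this message does not reproduce. The blacklist rule (reject "<" followed by a letter, "!", "/" or "?", and "&#") is an assumption that approximates the documented .NET 2.0+ behaviour; 1.1 and the MS07-040 update differ in detail. All templates, payloads and function names are constructed for the example.

```javascript
// Added example (not the advisory's, the paper's or Microsoft's code).
// Models (1) an input blacklist of the kind ASP.NET request validation applies and
// (2) two constructed output contexts, to show that the filter's verdict depends only
// on the input string while exploitability depends on where the value lands.

// ASSUMPTION: simplified model of the request-validation rule (reject '<' followed
// by a letter, '!', '/' or '?', and '&' followed by '#'); real releases differ.
function isDangerousString(s) {
  for (let i = 0; i < s.length - 1; i++) {
    const c = s[i];
    const next = s[i + 1];
    if (c === '<' && /[A-Za-z!\/?]/.test(next)) return true;
    if (c === '&' && next === '#') return true;
  }
  return false;
}

// Minimal HTML entity encoding for text and quoted-attribute contexts.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Context 1 (constructed template): the value is written into a text node.
function renderInText(value) {
  return '<p>Results for ' + value + '</p>';
}

// Context 2 (constructed template): the value is written straight after an opening
// angle bracket the page itself emits, here a user-chosen heading level. This is the
// situation the advisory describes: the payload lands after a '<' it did not supply,
// so it needs no '<' of its own and the input filter never fires.
function renderHeading(level, title) {
  return '<h' + level + '>' + title + '</h' + level + '>';
}

// Hardened version: an allow-list for the token that lands in tag position (no
// encoding makes tag-name or attribute-name position safe) and encoding for the text.
function renderHeadingSafe(level, title) {
  if (!/^[1-6]$/.test(String(level))) {
    throw new Error('heading level must be 1-6');
  }
  return '<h' + level + '>' + htmlEncode(title) + '</h' + level + '>';
}

// Crude check on rendered markup: does some element carry an on* handler attribute?
function hasEventHandlerAttribute(html) {
  return /<[A-Za-z][^>]*\son[A-Za-z]+\s*=/.test(html);
}

// Constructed payloads.
const CLASSIC = '<img src=x onerror=alert(1)>'; // starts with "<i": the filter fires
const TAG_CONTEXT = '1 onmouseover=alert(1)';   // contains no '<' at all: the filter passes it

// Runs the comparison and returns each finding as a boolean.
function demo() {
  return {
    classicBlocked: isDangerousString(CLASSIC),
    tagContextPasses: !isDangerousString(TAG_CONTEXT),
    harmlessInText: !hasEventHandlerAttribute(renderInText(TAG_CONTEXT)),
    exploitableAfterBracket: hasEventHandlerAttribute(renderHeading(TAG_CONTEXT, 'Title')),
    // Encoding the value does not help in this context: it contains none of the
    // encoded characters, so it is unchanged and still lands in tag position.
    encodingDoesNotHelp: hasEventHandlerAttribute(renderHeading(htmlEncode(TAG_CONTEXT), 'Title')),
  };
}
```

The practitioner's takeaway is the last two fields: the same request value is inert in a text node and live in tag position, and output encoding cannot repair a template that puts untrusted data directly after an angle bracket. Only an allow-list on that token (renderHeadingSafe) closes the hole, independently of whatever request validation happens to block.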
