Message-ID: <CAPyX2negdfGY+VtmEgp-noswdevHUR-YimTW7ju+85xXjk+Lng@mail.gmail.com>
Date: Sat, 29 Nov 2014 02:44:34 +0000
From: Mark Steward <marksteward@...il.com>
To: A Z <kryptos.gnostikos@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] XSS (in 20 chars) in Microsoft IIS 7.5 error message

I've spotted this before and ignored it because it's all HTML-escaped. You can actually put as much as you like before the equals, presumably including script tags. You can also include enough after the equals to write something like "<iframe src=//xy.co>".

Where are you seeing it unescaped? Is it some third-party handler? Try on a clean install with just an empty .aspx and a web.config with an empty configuration element.

Mark

On 29 Nov 2014 01:51, "A Z" <kryptos.gnostikos@...il.com> wrote:
> Hello everyone,
>
> I found some weird HTML code injection in an IIS error message. IIS spits
> out some part of the user input that generated the error message, but will
> only display 20 characters at most.
> My question is: is it possible to actually exploit an XSS with this?
>
> Here is an example:
>
> HTTP Request: mypage?search=%3cb%20onclick%3dalert(1)>%3e
> HTTP Response (real):
>
> <p>An error has occured.</p>
> <p>Exception HttpRequestValidationException occurred while attempting
> <b>mypage</b></p>
> <p>Exception message is: <b>A potentially dangerous Request.QueryString
> value was detected from the client (search="<b
> onclick=alert(1)>...").</b></p>
> <p>Stack trace:</p>
> <pre>
> Server stack trace:
> [..]
>
> My payload was: <b onclick=alert(1)>> and it works (after clicking).
> However, can this actually be exploited in real life? I tried stuff in 20
> characters like: <embed src=http://x> or <img src=http://x/z> but no luck.
> Has anyone ever tried this before?
>
> Thanks,
>
> P.S. This might be a silly question with an obvious answer. If so, I'd be
> grateful to have some extra information (links, docs etc.).
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
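The thread turns on one question: is the 20-character reflection in the ASP.NET request-validation error page HTML-escaped or not? The following Python is an added illustration, not code from the thread, from IIS or from ASP.NET. It models the error fragment shown in the original post (the 20-character limit, the trailing "...", and the message template are taken from that post), renders it both escaped and unescaped so the two outputs can be compared, and includes a small triage check that classifies how a captured response body reflected the value, which is the check Mark's "where are you seeing it unescaped?" asks for. The sample request is the one from the post; the `escape=False` mode is an assumption that reproduces the unescaped rendering the poster described.

```python
import html
import re
from urllib.parse import parse_qs

# ASP.NET request validation reflects the offending value truncated to this many
# characters; the constant is taken from the post's observed behaviour, not from
# any documented setting.
REFLECT_LIMIT = 20

# The element in which the value comes back, per the sample response in the post.
FRAGMENT = re.compile(r"Exception message is: <b>(.*?)</b></p>", re.S)


def offending_value(query_string, param):
    """URL-decode the query string and return the parameter value as the server saw it."""
    return parse_qs(query_string, keep_blank_values=True)[param][0]


def truncate_for_display(value):
    """Model the 20-character cut with the trailing '...' shown in the error page."""
    if len(value) > REFLECT_LIMIT:
        return value[:REFLECT_LIMIT] + "..."
    return value


def render_error_fragment(param, value, escape=True):
    """Build the '<p>Exception message is: ...</p>' fragment from the post.

    escape=True models the stock behaviour Mark describes: the reflected text is
    entity-encoded, so any markup inside it is inert. escape=False is a constructed
    mode that reproduces the unescaped rendering the poster reported, kept here only
    to contrast the two outputs.
    """
    shown = truncate_for_display(value)
    message = ('A potentially dangerous Request.QueryString value was detected '
               f'from the client ({param}="{shown}").')
    if escape:
        message = html.escape(message, quote=False)
    return f"<p>Exception message is: <b>{message}</b></p>"


def reflected_fragment(body):
    """Pull the text of the 'Exception message is:' element, or the whole body if absent."""
    m = FRAGMENT.search(body)
    return m.group(1) if m else body


def classify_reflection(body, value):
    """Classify how a captured response body reflected the (truncated) value.

    Returns one of:
      'no-markup'     - the reflected prefix contains nothing that needs escaping
      'unescaped'     - the raw prefix is present verbatim (the condition to investigate)
      'escaped'       - only the entity-encoded prefix is present (expected behaviour)
      'not-reflected' - the prefix does not appear at all
    """
    prefix = value[:REFLECT_LIMIT]
    encoded = html.escape(prefix, quote=False)
    haystack = reflected_fragment(body)
    if encoded == prefix:
        return "no-markup"
    if prefix in haystack:
        return "unescaped"
    if encoded in haystack:
        return "escaped"
    return "not-reflected"


if __name__ == "__main__":
    # Request from the post; the value decodes to '<b onclick=alert(1)>>' (21 chars),
    # so only '<b onclick=alert(1)>' followed by '...' is ever reflected.
    value = offending_value("search=%3cb%20onclick%3dalert(1)>%3e", "search")
    for escape in (True, False):
        body = render_error_fragment("search", value, escape=escape)
        print(f"escape={escape}: {classify_reflection(body, value)}")
        print("   ", body)
```

Running the script prints `escaped` for the stock rendering and `unescaped` for the constructed one, which is the distinction that decides whether the truncated reflection is a finding at all. To use `classify_reflection` on a real capture, feed it the response body and the decoded parameter value; because it only inspects the text inside the "Exception message is:" element, a third-party handler that echoes the value elsewhere in the page would have to be checked separately.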