lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 29 Nov 2014 02:44:34 +0000
From: Mark Steward <>
To: A Z <>
Subject: Re: [FD] XSS (in 20 chars) in Microsoft IIS 7.5 error message

I've spotted this before and ignored it because it's all HTML-escaped. You
can actually put as much as you like before the equals, presumably
including script tags. You can also include enough after the equals to
write something like "<iframe src=//>".

Where are you seeing it unescaped? Is it some third-party handler? Try on a
clean install with just an empty .aspx and a web.config with an empty
configuration element.

On 29 Nov 2014 01:51, "A Z" <> wrote:

> Hello everyone,
> I found some weird HTML code injection in an IIS error message. IIS spits
> out some part of the user input that generated the error message, but will
> only display 20 characters at most.
> My question is: is it possible to actually exploit an XSS with this ?
> Here is an example:
> HTTP Request: mypage?search=%3cb%20onclick%3dalert(1)>%3e
> HTTP Response (real):
> <p>An error has occured.</p>
>     <p>Exception HttpRequestValidationException occurred while attempting
> <b>mypage</b></p>
>     <p>Exception message is: <b>A potentially dangerous Request.QueryString
> value was detected from the client (search="<b
> onclick=alert(1)>...").</b></p>
>     <p>Stack trace:</p>
>     <pre>
> Server stack trace:
> [..]
> My payload was: <b onclick=alert(1)>> and it works (after clicking).
> However, can this actually be exploited in real life ? I tried stuff in 20
> characters like: <embed src=http://x> or <img src=http://x/z> but no luck.
> Has anyone ever tried this before ?
> Thanks,
> P.S. This might be a silly question with an obvious answer. If so, I'd be
> grateful to have some extra information (links, docs etc.).
> _______________________________________________
> Sent through the Full Disclosure mailing list
> Web Archives & RSS:

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists