lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 1 Dec 2014 11:43:48 +0100
From: A Z <>
To: James Hooker <>,
Subject: Re: [FD] XSS (in 20 chars) in Microsoft IIS 7.5 error message

Thank you all for the replies,

Unfortunately, I can no longer really test this (it was on some internal
network, so for example link shortening wouldn't work), but I wanted to
know if anyone had encountered this stuff before. I should try on a clean
install as suggested - if it works I'll let you know.

For some unknown reason there was no HTML encoding in this error response,
however the payload was truncated to 20 chars. I googled it and all I found
was some discussion about the validateRequest attribute in web.config,
however I didn't have the configuration of the server to check this.

This was also part of some commercial app that uses IIS, but I think it's
more related to IIS itself.

Thanks all

On Sat, Nov 29, 2014 at 7:37 AM, James Hooker <>

> You could skip the schema on any includes, and just use '//'. That will
> then use the schema provided in the original URL. That will save you 4
> characters at least. You can also skip most quotes in tags - that will save
> you a few more characters. Link shortening services might also be of use,
> however one that generates links short enough might be hard to come by -
> more likely, you'll need a 3 character domain, with a 2 character extension
> (such as UK, or IN).
> You might be able a squeeze a script tag into that saved space.. *might*
> Hello everyone,
> I found some weird HTML code injection in an IIS error message. IIS spits
> out some part of the user input that generated the error message, but will
> only display 20 characters at most.
> My question is: is it possible to actually exploit an XSS with this ?
> Here is an example:
> HTTP Request: mypage?search=%3cb%20onclick%3dalert(1)>%3e
> HTTP Response (real):
> <p>An error has occured.</p>
>     <p>Exception HttpRequestValidationException occurred while attempting
> <b>mypage</b></p>
>     <p>Exception message is: <b>A potentially dangerous Request.QueryString
> value was detected from the client (search="<b
> onclick=alert(1)>...").</b></p>
>     <p>Stack trace:</p>
>     <pre>
> Server stack trace:
> [..]
> My payload was: <b onclick=alert(1)>> and it works (after clicking).
> However, can this actually be exploited in real life ? I tried stuff in 20
> characters like: <embed src=http://x> or <img src=http://x/z> but no luck.
> Has anyone ever tried this before ?
> Thanks,
> P.S. This might be a silly question with an obvious answer. If so, I'd be
> grateful to have some extra information (links, docs etc.).
> _______________________________________________
> Sent through the Full Disclosure mailing list
> Web Archives & RSS:

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists