Message-ID: <CAHL5aA14tRVOUhrMxiKe1Mp1-=+Zqi=r=R8DTB2FV9=m+zGDJQ@mail.gmail.com>
Date: Mon, 1 Dec 2014 11:43:48 +0100
From: A Z <kryptos.gnostikos@...il.com>
To: James Hooker <seidrhrafn@...glemail.com>, marksteward@...il.com
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] XSS (in 20 chars) in Microsoft IIS 7.5 error message
Thank you all for the replies,
Unfortunately, I can no longer really test this (it was on some internal
network, so for example link shortening wouldn't work), but I wanted to
know if anyone had encountered this stuff before. I should try on a clean
install as suggested - if it works I'll let you know.
For some unknown reason there was no HTML encoding in this error response,
however the payload was truncated to 20 chars. I googled it and all I found
was some discussion about the validateRequest attribute in web.config,
however I didn't have the configuration of the server to check this.
This was also part of some commercial app that uses IIS, but I think it's
more related to IIS itself.
Thanks all
On Sat, Nov 29, 2014 at 7:37 AM, James Hooker <seidrhrafn@...glemail.com>
wrote:
> You could skip the schema on any includes, and just use '//'. That will
> then use the schema provided in the original URL. That will save you 4
> characters at least. You can also skip most quotes in tags - that will save
> you a few more characters. Link shortening services might also be of use,
> however one that generates links short enough might be hard to come by -
> more likely, you'll need a 3 character domain, with a 2 character extension
> (such as UK, or IN).
>
> You might be able to squeeze a script tag into that saved space.. *might*
> Hello everyone,
>
>
> I found some weird HTML code injection in an IIS error message. IIS spits
> out some part of the user input that generated the error message, but will
> only display 20 characters at most.
> My question is: is it possible to actually exploit an XSS with this?
>
> Here is an example:
>
> HTTP Request: mypage?search=%3cb%20onclick%3dalert(1)>%3e
> HTTP Response (real):
>
> <p>An error has occured.</p>
> <p>Exception HttpRequestValidationException occurred while attempting
> <b>mypage</b></p>
> <p>Exception message is: <b>A potentially dangerous Request.QueryString
> value was detected from the client (search="<b
> onclick=alert(1)>...").</b></p>
> <p>Stack trace:</p>
> <pre>
> Server stack trace:
> [..]
>
> My payload was: <b onclick=alert(1)>> and it works (after clicking).
> However, can this actually be exploited in real life? I tried stuff in 20
> characters like: <embed src=http://x> or <img src=http://x/z> but no luck.
> Has anyone ever tried this before?
>
> Thanks,
>
> P.S. This might be a silly question with an obvious answer. If so, I'd be
> grateful to have some extra information (links, docs etc.).
>
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
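The behaviour the original post describes, as an added example that is not code from the thread, from IIS or from ASP.NET: a Python model of the error page reflecting the offending query-string value in its observed form (truncated to 20 characters, not HTML-encoded) next to the hardened form (truncate first, then encode the whole reflected fragment), plus the regression check a defender would run against the response body. The template string, the 20-character limit and the sample input are assumptions taken from the quoted response above; the real ASP.NET error template is not reproduced.

```python
import html

# Constructed sample: the query-string value from the thread's example request,
# URL-decoded as the server would see it (21 characters long).
SAMPLE_INPUT = '<b onclick=alert(1)>>'
MAX_REFLECT = 20  # assumption from the thread: at most 20 chars are reflected

_TEMPLATE = ('<p>Exception message is: <b>A potentially dangerous '
             'Request.QueryString value was detected from the client '
             '({param}="{shown}").</b></p>')


def _truncate(value: str, limit: int = MAX_REFLECT) -> str:
    """Shorten the reflected value the way the quoted error page does."""
    return value[:limit] + ('...' if len(value) > limit else '')


def render_error_vulnerable(param: str, value: str) -> str:
    """Observed behaviour: the value is truncated but NOT HTML-encoded, so
    any markup inside the first 20 characters lands in the page as-is."""
    return _TEMPLATE.format(param=param, shown=_truncate(value))


def render_error_hardened(param: str, value: str) -> str:
    """Hardened form: truncate first, then HTML-encode everything that is
    reflected (parameter name included), so '<', '>', '"' and '&' become
    entities. Encoding after truncation also avoids cutting an entity in half."""
    return _TEMPLATE.format(param=html.escape(param, quote=True),
                            shown=html.escape(_truncate(value), quote=True))


def unencoded_reflection(body: str, probe: str, limit: int = MAX_REFLECT) -> bool:
    """Regression check: True if the reflected prefix of the probe appears in
    the body with its markup-significant characters intact. A short limit
    does not help here; only encoding does."""
    shown = probe[:limit]
    return any(ch in shown for ch in '<>"\'') and shown in body


if __name__ == '__main__':
    for name, render in (('vulnerable', render_error_vulnerable),
                         ('hardened', render_error_hardened)):
        body = render('search', SAMPLE_INPUT)
        print(f'{name}: unencoded reflection = '
              f'{unencoded_reflection(body, SAMPLE_INPUT)}')
        print('  ' + body)
```

In ASP.NET terms the equivalent of `render_error_hardened` is encoding the reflected value with `HttpUtility.HtmlEncode`, and the broader fix for a detailed exception page reaching a remote client is `<customErrors mode="RemoteOnly">` (the framework default) or `mode="On"` in web.config, so that the exception text is never sent to the browser in the first place.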