Vulnerability Discovery and Development:

Portcullis Security Testing Services.

Credit For Discovery:

Ferruh Mavituna Portcullis Computer Security Limited.

Affected Systems:

Vulnerable ASP.NET Versions

ASP.NET 2.0.5072 and below

Vulnerable Internet Explorer Versions

Internet Explorer 7.0.5730.11 and below (only tested in IE6 and IE7)

Vulnerable Mono Versions

Mono 1.2.2 and below (tested with XSP)

Vendor Status:

Vendor contacted; MS07-040 released.

Details:

ASP.NET 1.1 and above has built-in request validation as a protection against Cross-site Scripting (XSS).

This protection inspects every request and throws an error if the request includes any potentially dangerous script.

Bypassing ASP.NET Validation Request in IE

Only IE is vulnerable (tested in IE 6 and IE 7; other versions may be affected as well).

Because the root cause is IE's incorrect handling of tags, this is arguably an IE vulnerability rather than an ASP.NET one.

ASP.NET accepts any input beginning with "</" and treats it as safe because it looks like a valid closing tag; IE interprets it differently.

</a style="xss:express/**/ion(alert('XSS'))">

The above passes ASP.NET request validation and executes in IE.

The attack uses CSS comments (/**/) to bypass the ASP.NET blacklist protection.
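The two weaknesses the advisory relies on, a blacklist that only recognises opening tags and a literal match on "expression(", are easy to demonstrate alongside the defences that do not share them. The following is an added example, not code from the advisory or from Portcullis: the blacklist it models is a constructed stand-in for the behaviour described above, not the ASP.NET implementation, and the detection heuristics (a closing tag that carries attributes, a CSS comment inside an attribute value) and the function names are the editor's own. It shows the page's payload slipping past the modelled blacklist, being flagged by structural checks that do not depend on keywords, and being neutralised by HTML output encoding.

```python
import html
import re

# The advisory's own payload, with "(less than)" / "(more than)" written as the
# literal angle brackets they stand for.
ADVISORY_PAYLOAD = "</a style=\"xss:express/**/ion(alert('XSS'))\">"

# Constructed model of a keyword blacklist with the two properties the advisory
# describes: it looks for *opening* tags by name and for the literal token
# "expression(". This is NOT the real ASP.NET request validation code.
_BLACKLIST_TAGS = ("script", "img", "iframe", "object", "embed", "style", "a")
_BLACKLIST_TOKENS = ("expression(", "javascript:", "vbscript:")


def blacklist_rejects(value: str) -> bool:
    """True if the modelled keyword blacklist would reject the value."""
    lowered = value.lower()
    if any(f"<{tag}" in lowered for tag in _BLACKLIST_TAGS):
        return True
    return any(token in lowered for token in _BLACKLIST_TOKENS)


# Structural heuristics (editor's own): a well-formed closing tag never carries
# attributes, and a CSS comment has no business inside an attribute value.
_CLOSING_TAG_WITH_ATTRS = re.compile(r"</\s*[a-zA-Z][\w:-]*\s+[^>]*=", re.S)
_CSS_COMMENT_IN_ATTR = re.compile(r"""=\s*["'][^>]*/\*.*?\*/""", re.S)


def suspicious_markup(value: str) -> list[str]:
    """Return the structural anomalies found in the value, independent of any keyword list."""
    findings = []
    if _CLOSING_TAG_WITH_ATTRS.search(value):
        findings.append("closing tag carries attributes")
    if _CSS_COMMENT_IN_ATTR.search(value):
        findings.append("CSS comment inside attribute value")
    return findings


def render_safely(untrusted: str) -> str:
    """Output encoding: the defence that works regardless of how the input was parsed."""
    return html.escape(untrusted, quote=True)


def analyse(value: str) -> dict:
    """Summarise how the three controls treat a given input."""
    encoded = render_safely(value)
    return {
        "blacklist_rejects": blacklist_rejects(value),
        "findings": suspicious_markup(value),
        "encoded": encoded,
        # After encoding, no raw tag delimiters survive for the browser to see.
        "encoded_has_tag_chars": "<" in encoded or ">" in encoded,
    }


if __name__ == "__main__":
    for sample in (ADVISORY_PAYLOAD, "<script>alert(1)</script>", "Hello <b>world</b>"):
        print(repr(sample), "->", analyse(sample))
```

The modelled blacklist rejects a plain `<script>` but passes the advisory's payload, exactly because it matches `<a` rather than `</a` and `expression(` rather than `express/**/ion(`. The structural checks flag the payload without knowing any keyword, which is why anomaly-style rules age better than keyword lists, and `render_safely` removes the problem at the output stage for any input, which is where the actual fix belongs.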

Copyright:

Copyright © Portcullis Computer Security Limited 2007, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Ltd.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO Warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/ distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.