• Blogroll

  • DevelopSec

• Archives

  • March 2024
  • December 2023
  • January 2023
  • August 2022
  • February 2020
  • October 2019
  • May 2019
  • June 2018
  • November 2017
  • June 2017
  • February 2017
  • October 2016
  • September 2016
  • May 2016
  • February 2016
  • January 2016
  • November 2015
  • October 2015
  • September 2015
  • April 2015
  • October 2014
  • August 2014
  • December 2013
  • November 2013
  • October 2013
  • July 2013
  • May 2013
  • April 2013
  • March 2013
  • January 2013
  • December 2012
  • September 2012
  • August 2012
  • July 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • September 2011
  • July 2011
  • June 2011
  • April 2011
  • March 2011
  • February 2011
  • January 2011
  • November 2010
  • October 2010
  • September 2010
  • July 2010
  • May 2010
  • April 2010
  • February 2010
  • January 2010
  • December 2009
  • October 2009
  • August 2009
  • April 2009
  • March 2009
  • January 2008
  • December 2007
  • October 2007

Bypassing ValidateRequest

Back in August 2009 (https://jardinesoftware.net/2009/08/27/validaterequest-property-xss/) I wrote about the Validate Request functionality and how it doesn’t do a good job of protecting against Cross Site Scripting in an attribute context.  In this post, I am going to explain another technique that can be used to bypass the Validate Request filter in an html element context.  This technique uses a different character encoding to bypass the blacklist checks that are done.

To recap, the Validate Request returns false when the following conditions are met:

• <a-z     -    A < character followed by an alpha character.
• <!, </, <?
• &#

As you can see, the main goal is to trigger an error when the less than (<) character is passed followed by a specific set of characters.  Since it blocks the start character for an HTML element, it makes it difficult to just add new elements to the page.  So how do we get around this?  Using Unicode-Wide characters, we can pass in a character that looks like the &lt; character, but it really isn’t.  That character is represented at the value %uff1c.  If this value is passed to a varchar field in a SQL database, it will get converted to the real &lt; character.  I have not seen this work on a nvarchar field.  If this value is than returned to the browser without proper encoding, cross site scripting is possible.  Lets take a look at how this works from an example.

1. Create an XSS payload for a susceptible field (<script>alert(9);</script>).
2. Change the opening and closing signs to use unicode-wide representation (%uff1cscript%uff1ealert(9);%uff1c/script%uff1e)
3. Submit the data to the server.
4. The data is stored in a varchar field.
5. Retrieve the data without any encoding.
6. Cross Site Scripting ensues with an alert box with the value of 9.

I have only seen persistent cross site scripting work for this.  I have not seen this work in a reflective manor.

This example shows how important output encoding is for remediating cross site scripting vulnerabilities.  Input validation important, but not completely bullet proof.  The only way to make sure the code is safe is during the output routine. 

Comments

• Follow Us

  

  

  

  
  
  
  

• Recent Posts

  • Securing the Forms Authentication Cookie with Secure Flag
  • Does ASP:Textbox TextMode Securely Enforce Input Validation?
  • Disabling SpellCheck on Sensitive Fields
  • What is the difference between encryption and hashing?
  • XmlSecureResolver: XXE in .Net