Bypass found to Microsoft ASP .NET "ValidateRequest" allowing for Script Injection Attacks
London, UK - 1st September 08
The popular Microsoft .ASP .NET framework included with Windows 2008 and Vista comes with a request validation feature, this feature consists of a series of filters, designed to prevent classic web input validation attacks such as HTML injection and XSS (Cross-site Scripting).
ProCheckUp has published a paper that introduces script injection payloads that bypass ASP .NET protective web validation filters and also details the trial-and-error procedure that was followed to reverse-engineer the filters.
Websites using the Microsoft .Net framework dominate on Microsoft web servers; pages ending in aspx instead of the older .asp extension identify websites using the .Net framework. In short websites using the .Net framework are very popular, .Net supporting web servers comprise of approximately 30% of the total Internet's web servers.
The ValidateRequest bypass attack works by taking advantage of some HTML Interpretation bugs inherent in IE (Internet Explorer) and understanding how ASP .NET request validation functions, in order to bypass the filters.
In the perspective of ASP .NET, the server cannot be expected to block every attack, as functionality would be sacrificed. In the perspective of IE, the client has unexpected ways of executing scripting code. On their own no issues occur. However taken together, the protective validation filter of .NET - which programmers often incorrectly rely on to protect their applications - is defeated.
The paper allows readers to understand how the ASP .NET ValidateRequest filters work. Thus, allowing execution of malicious scripting code again by coming up with new XSS payloads, which bypass ValidateRequest. The reader is expected to be familiar with XSS attacks, and the same-origin policy that is enforced by web browsers.
ProCheckUp has also found that many web input-filtering filters of other applications from other vendors, also fail in detecting the payloads presented in this paper.
Richard Brain "Many developers lack proper security training and trust that the .Net framework ValidateRequest method will protect their web sites from scripting attacks. Don't be lazy learn how scripting attacks work, and consider all user input evil"
About ProCheckUp
A leading independent specialist security organisation, ProCheckUp was formed in 2000 to provide a unique Artificial Intelligence (AI) based penetration testing service to the corporate market.
Since then the company has enjoyed significant commercial and technological success, and received Royal recognition in April 2004 by winning the prestigious Queen's Award for Enterprise: Innovation, the UK's highest accolade for business performance.
ProCheckUp are service providers to some of the world's leading finance and banking organisations, international law firms and FTSE 100 companies.
About ProCheckNet
ProCheckUp has adopted the methodology of conventional penetration testing and combined it with the functionality of a distributed automated attack system called ProCheckNet.
ProCheckNet automates the complex processes and decision making associated with a manual penetration testing team. It builds customised exploits in an entirely safe manner to achieve a level of testing unrivalled by conventional approaches. Complimented with features such as real time encapsulated exploits, firewall and IDS bypass, ProCheckNet is a revolutionary attack system. Companies that require the highest level of security assurance utilise ProCheckNet to test all their internal and externally facing IT infrastructure including brochure ware, E-commerce websites, RAS, VPN's, Mailservices, DNS and even entirely bespoke applications.
Contact Details
T: 020 7307 5001 E: cdavies@procheckup.com
Authors