Examples of XSS vulnerabilities that get by ASP.NET 4 <%: %> or Razor encoding but are caught by AntiXSS

StackOverflow https://stackoverflow.com/questions/5800243

Question

I'm looking for an example of an XSS vulnerability that would be stopped just by using the AntiXSS Encoder 4.1 Beta as the runtime encoder (setting in system.web/httpRuntime). I would prefer something that doesn't require any explicit calls to AntiXss functions such as

@AntiXss.JavaScriptEncode(ViewBag.UserName)

I'm thinking something that would get by the ASP.NET blacklist but wouldn't make it through the AntiXSS whitelist, maybe something to do with alternate character sets or encoding?

I've tested UTF-7 vulnerabilities, but don't see any that seem to affect modern browsers.


Solution

There aren't any. Well, that's not entirely true; there aren't any that run on modern browsers.

The reason the SDL requires it is that using a safe list is inherently more secure - so if suddenly someone discovers a character that is problematic it may be already encoded (depending on the safe lists you configure).

OTHER TIPS

hmm... I'm not following - AntiXss requires explicit calls unless you are talking of using .NET 4's feature of specifying your own encoder and in turn calling off to it? In that case there is nothing known at this point that I'm aware of. Since AntiXss works off a whitelist there should be no issues, as everything but a few characters is encoded.

FYI - locally I can get UTF-7 to work just fine:

<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
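To make the difference between the two encoding strategies concrete, here is an added example (not code from the question, the answers or the AntiXSS library): a model of a deny-list encoder beside a model of a safe-list encoder, both run over the UTF-7 payload quoted above. The safe list used is an assumed illustration of the allow-list approach, not the library's actual table; the point it shows is that `+` is not on the list, so `+ADw-` becomes `&#43;ADw-` and a UTF-7 decoder never sees a shift sequence, whereas the deny-list encoder passes `+` through untouched.

```python
import html
import re

# Constructed sample input: the UTF-7 payload quoted in the answer above,
# treated as an untrusted value that a view is about to render.
UTF7_PAYLOAD = "+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-"


def blacklist_encode(s: str) -> str:
    """Model of a deny-list HTML encoder: only ampersand, angle brackets and
    the two quote characters are replaced; everything else ('+' included)
    passes through untouched."""
    return html.escape(s, quote=True)


# Assumed safe list for this model (letters, digits, space . , _ -). It is an
# illustration of the allow-list approach, not the AntiXSS library's own table.
_SAFE = re.compile(r"[A-Za-z0-9 .,_-]")


def safelist_encode(s: str) -> str:
    """Model of a safe-list encoder: any character not on the list becomes a
    numeric character reference, so '+' turns into '&#43;'."""
    return "".join(ch if _SAFE.match(ch) else f"&#{ord(ch)};" for ch in s)


def utf7_shift_sequences(markup: str) -> list[str]:
    """The '+<base64>-' runs a UTF-7 decoder would turn into other characters."""
    return re.findall(r"\+[A-Za-z0-9+/]*-?", markup)


def browser_view(markup: str) -> str:
    """What a browser honouring charset=UTF-7 reconstructs from the encoded bytes."""
    return markup.encode("ascii").decode("utf-7")


if __name__ == "__main__":
    for name, enc in (("deny-list", blacklist_encode), ("safe-list", safelist_encode)):
        out = enc(UTF7_PAYLOAD)
        print(f"{name}: {out}")
        print(f"  UTF-7 shift sequences left: {utf7_shift_sequences(out)}")
        print(f"  browser sees: {browser_view(out)}")
```

Running it shows the deny-list output still decoding to a `<SCRIPT>` element under UTF-7, while the safe-list output contains no shift sequence at all and decodes to inert text.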
Licensed under: CC-BY-SA with attribution