Examples of XSS vulnerabilities that get by ASP.NET 4 <%: %> or Razor encoding but are caught by AntiXSS

I'm looking for an example of an XSS vulnerability that would be stopped just by using the AntiXSS Encoder 4.1 Beta as the runtime encoder (setting in system.web/httpRuntime). I would prefer something that doesn't require any explicit calls to AntiXss functions such as

@AntiXss.JavaScriptEncode(ViewBag.UserName)

I'm thinking something that would get by the ASP.NET blacklist but wouldn't make it through the AntiXSS whitelist, maybe something to do with alternate character sets or encoding?

I've tested UTF-7 vulnerabilities, but don't see any that seem to affect modern browsers.

Jon Galloway asked Apr 27 '11 06:04



2 Answers

There aren't any. Well, that's not entirely true: there aren't any that run on modern browsers.

The reason the SDL requires it is that using a safe list is inherently more secure - so if suddenly someone discovers a character that is problematic it may be already encoded (depending on the safe lists you configure).

blowdart answered Sep 29 '22 00:09


Hmm... I'm not following - AntiXss requires explicit calls unless you are talking of using .NET 4's feature of specifying your own encoder and in turn calling off to it? In that case there is nothing known at this point that I'm aware of. Since AntiXss works off a whitelist there should be no issues, as everything but a few characters are encoded.

FYI - locally I can get UTF-7 to work just fine:

<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
Adam Tuliper answered Sep 29 '22 00:09
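To make the deny-list versus safe-list distinction from these answers concrete, here is an added Python model (not ASP.NET's or AntiXSS's actual code): a deny-list encoder that escapes only five characters next to a safe-list encoder that numerically encodes everything outside an assumed allow list of ASCII letters, digits and space, both run over the UTF-7 payload quoted above and checked under a simulated UTF-7 charset sniff.

```python
import re

# Deny-list encoder: a simplified model of classic HttpUtility.HtmlEncode
# behaviour that escapes only these five characters (assumption, not the real API).
DENY_LIST = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}

def denylist_encode(text: str) -> str:
    """Escape only the characters on the deny list; everything else passes through."""
    return "".join(DENY_LIST.get(ch, ch) for ch in text)

# Safe-list encoder: a model of the AntiXSS approach, where anything outside a
# small allow list becomes a numeric character reference. The allow list used
# here (ASCII letters, digits, space) is an assumption for the demonstration.
SAFE_CHAR = re.compile(r"[A-Za-z0-9 ]")

def safelist_encode(text: str) -> str:
    """Keep only allow-listed characters; encode every other code point numerically."""
    return "".join(ch if SAFE_CHAR.fullmatch(ch) else f"&#{ord(ch)};" for ch in text)

# Constructed samples: the UTF-7 payload quoted in the answer above, and a plain one.
UTF7_PAYLOAD = "+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-"
PLAIN_PAYLOAD = "<script>alert('XSS')</script>"

def script_tag_after_utf7_sniff(encoded: str) -> bool:
    """Simulate a browser that mis-sniffs the page as UTF-7: decode the encoder's
    output with the UTF-7 codec and report whether a <script> tag re-appears."""
    try:
        decoded = encoded.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return False
    return "<script" in decoded.lower()

def compare(payload: str) -> dict:
    """Run both encoders over one payload and check each result under UTF-7 sniffing."""
    deny = denylist_encode(payload)
    safe = safelist_encode(payload)
    return {
        "denylist": deny,
        "safelist": safe,
        "denylist_leaks_under_utf7": script_tag_after_utf7_sniff(deny),
        "safelist_leaks_under_utf7": script_tag_after_utf7_sniff(safe),
    }

if __name__ == "__main__":
    for name, payload in (("plain", PLAIN_PAYLOAD), ("utf-7", UTF7_PAYLOAD)):
        print(name, compare(payload))
```

Both encoders neutralise the plain payload; only the safe-list output stays inert when the page is decoded as UTF-7, because the `+` and `-` that frame the shift sequences are themselves encoded.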