
Request.PathInfo issues and XSS attacks

I have a couple of websites running on .NET 3.5 still due to an API restriction. We will eventually move these sites to the latest .NET version this year. One of the penetration tests indicated a possible XSS vulnerability. The URL in question is:

Location: http://www.foobar.com/basket.aspx/scripts/searchresults.aspx

Method: GET

Vulnerable Parameter: name of an arbitrarily supplied URL parameter

Basically, anything after basket.aspx like scripts/searchresults.aspx will cause the issue. From what I can determine, Request.PathInfo will try to find the path and eventually reach searchresults.aspx (if the .aspx page exists) but all my CSS and scripts can't be found due to relative paths. The page essentially breaks. It's unclear how this could cause an XSS vulnerability. Nevertheless, it does break the page.

My question: Is Request.PathInfo needed? In my preliminary tests, if I check Request.PathInfo, I can determine that it may be a bad URL request:

FooBar.Global pageObj = obj;

if (obj.Request.PathInfo.Length > 0)
{
   Response.Redirect("~/sitemap.aspx", true); // bad url send to site map
}
PhillyNJ asked May 26 '26 05:05


1 Answer

Is Request.PathInfo needed?

PathInfo isn't required by ASP.NET WebForms. It can be helpful for search engine optimization, but if you don't use it, go ahead and disable it. You can add your code snippet, or you can install UrlScan and set the AllowDotInPath option to 0.

How could this cause an XSS vulnerability?

Your page may be vulnerable to a Relative Path Overwrite (RPO) attack if all these criteria are met:

  1. An attacker can inject content (for example, a blog comment) somewhere into the page.
  2. Your page references a CSS stylesheet via a relative path.
  3. PathInfo is enabled.

By appending PathInfo to the URL, an attacker can cause your page to load itself as the stylesheet because ASP.NET resolves Page.aspx/Master.css to just Page.aspx, not to Master.css. Due to the lax (by design) parsing rules for CSS, the attacker's content may be interpreted as valid CSS, which is especially bad for old versions of Internet Explorer that allow JavaScript in CSS. Even in modern browsers, a malicious stylesheet can inject content that misleads other users.

I want to use PathInfo. How can I mitigate this vulnerability?

Use absolute paths to reference all CSS stylesheets. For example, you can call the ResolveUrl method with an app-relative path (a virtual path starting with ~/):

<link href='<%= this.ResolveUrl("~/App_Themes/MySite/Master.css") %>' rel="stylesheet" type="text/css" />

Caution: Don't use the ResolveClientUrl method because it returns a relative path.

Michael Liu answered May 27 '26 18:05
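
Added example, not part of the answer above and not ASP.NET code: a small audit that resolves stylesheet hrefs the way a browser does against the URL from the question and flags the ones that would be answered by the page itself. The function names, the sample hrefs and the simplified ".aspx/ plus extra segments is served by the page" rule are assumptions taken from the answer's description.

```javascript
// Added example: model how a browser resolves stylesheet hrefs when PathInfo is appended.
// The handler rule (".aspx/" followed by extra segments is served by the .aspx page)
// follows the answer's description; it is a simplification, not ASP.NET's own logic.

// Returns the page that would answer a request for `path`, or null when the
// path carries no PathInfo and is served as an ordinary file.
function servedByPage(path) {
  const m = /^(.*?\.aspx)\/.+$/i.exec(path);
  return m ? m[1] : null;
}

// Resolve each href against the requested URL (same algorithm the browser uses)
// and report whether the stylesheet request would land on a page instead of a file.
function auditStylesheetRefs(requestUrl, hrefs) {
  return hrefs.map((href) => {
    const resolved = new URL(href, requestUrl).pathname;
    const page = servedByPage(resolved);
    return { href, resolved, servedBy: page, atRisk: page !== null };
  });
}

// Constructed sample input: the URL from the question and three ways to
// reference the stylesheet from the answer.
const sampleUrl = "http://www.foobar.com/basket.aspx/scripts/searchresults.aspx";
const sampleHrefs = [
  "App_Themes/MySite/Master.css",    // document-relative
  "../App_Themes/MySite/Master.css", // document-relative with a parent step
  "/App_Themes/MySite/Master.css",   // root-relative, as ResolveUrl("~/...") emits
                                     // for an app at the site root (assumption)
];

for (const r of auditStylesheetRefs(sampleUrl, sampleHrefs)) {
  const verdict = r.atRisk ? `AT RISK (served by ${r.servedBy})` : "ok";
  console.log(`${r.href} -> ${r.resolved}: ${verdict}`);
}
```

Both document-relative forms end up under /basket.aspx/, so the page's own markup is what the browser parses as CSS; only the root-relative form is unaffected by appended PathInfo.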


