原文:http://www.quotium.com/research/advisories/XSS-NetRequestValidation.php

.Net Cross Site Scripting - Request Validation Bypassing

.Net的XSS——绕过.net的请求验证机制

Seeker Research Center

By Zamir Paltiel, August 2012

Overview

中心思想

A vulnerability in the .Net Request Validation mechanism allows bypassing the filter and execution of malicious scripts in the browsers of users via Cross Site Scripting attacks.

绕过.Net中的请求验证机制,然后让普通用户无意去执行这种恶意的XSS。

The exploitation technique explained here allows sending tags through the Request Validation Filter in a manner that will pass browser syntax and be rendered by browsers.

这里所介绍的方法就是通过发送tag去绕过请求验证过滤器,最后呈现给用户。

Details

什么原理呢

The .Net Request Validation mechanism prevents attackers from sending tags as the value of the parameters. It is however possible to bypass this mechanism and send arbitrary tags that facilitate script execution.

.Net的请求验证机制会防止用户发送标签比如<script>的参数值,一但发现,会出现错误提示的。但是可以去绕过这个检测机制去发生任意的标签,让script可以顺利地被执行。

This is caused by the fact that although ?tag? is restricted by the Request Validation filter, ?%tag? is not restricted but parsed by Internet Explorer browsers as a valid tag.

Exploit

虽然面对着这个东西,但是我们不能一根筋去想怎么去绕过<tag>。我们得换个思路……最后发现.net对于<%tag>是不会去检测的。然而IE又会把这东西当成是有效的标签。去执行它。

An example of the exploitation of this vulnerability would be crafting a link to a page that reflects a parameter value to the user.As the value of the parameter the attacker would provide a ?%tag? with the style attribute and an expression, for example:

举个例子,怎么样去运用,然后最终呈现出效果。有个param的参数,然后我们把要发送的东西封装成类似于css的XSS。

http://www.vulnerablesite.com/login.aspx?param=?%tag style="xss:expression(alert(123))" ?

This will bypass the filter and execute the script in the brackets.

这样,就绕过了过滤器,并且alert(123)会被执行。

Affected Systems

哪些中枪了?

This vulnerability has been tested on .Net frameworks 2.0 and above.

.net2.0以上的都中枪。

Vendor Response

于是微软说

"The Request Validation Feature in ASP.NET is designed to perform basic input validation. It is not designed to make security decisions for applications developed using ASP.NET. Only the original developers can determine what content the ASP.NET application is designed to process and handle. Microsoft recommends that all software developers perform input/data validation of all sources. We do this to encourage our customers to make more robust applications that are less susceptible to security issues. The Request Validation Feature was designed and released to help developers in this effort. For more information about our recommendations to software developers, please see the following MSDN article: http://msdn.microsoft.com/en-us/library/ff649487.aspx#pagguidelines0001_inputdatavalidation."

Microsoft therefore will not be releasing a fix for this issue.

这个请求验证本来就帮助做一些检测,不要这么懒去写检测函数啊,虽然我很努力去提高asp.net的安全,但是总是百密一疏嘛,就像啪啪啪做了安全也是有百分之几会中枪的嘛,你不能中枪去怪TT的厂商啊。多做点安全措施嘛,该结扎的去结扎,该不要就不要啦= =,我微软就不去管这问题了,管这么多,医院肿么活。如果你想有更多的了解的话,可以去看看http://msdn.microsoft.com/en-us/library/ff649487.aspx#pagguidelines0001_inputdatavalidation.

安全还是得自己做,不能靠太多别人去帮你嘛,要时刻提高安全意识啊。千里之堤,溃于蚁穴!

摘自:http://zone.wooyun.org/content/2573