Help, XSS Vulnerability!

Topics: ASP.NET 2.0, Business Logic Layer, Controls, Themes
Dec 22, 2010 at 6:18 PM

My hosting company found an XSS (cross site scripting) vulnerability that appears to allow HTML and javascript to be injected into the URL.  They have provided a SAFE example, the URL of which I have listed below - it works best in Firefox and shows up on the page as a series of javascript alerts and iframes.  As far as I know there has been no real exploit of this on my site.  I have found no similar problem in the forums.


I have replaced my real domain with MYDOMAIN so as not to broadcast my vulnerability to the world - hopefully someone can still recognize the problem.  I would be happy to send someone a screenshot of what's happening:

http://www.MYDOMAIN.com/content/post/WelcomeToWellness.aspx?dnis=">'><IFRAME src="https://www.trustwave.com"></IFRAME>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>


Please help!  I just want to fix this and am not as concerned as to how or why it's happening.


Thanks!

Mike

Dec 22, 2010 at 7:20 PM

Can't get it to run in BE RC 2.0; FF gives me a 404 (page not found).
Btw I can't recognize the directory structure as being part of BE 1.6 or BE RC 2.0?

Coordinator
Dec 22, 2010 at 9:54 PM

Is there some connection between what you've brought up and BE?

As plykkegaard brought up, that URL doesn't appear to be a BE URL.

BE doesn't put any HTML like that in a URL.  Also, usually ASP.NET will throw up an error if it finds HTML like that in the URL.

If you can provide any specifics on how this relates to BE, that would be helpful.

Dec 22, 2010 at 10:25 PM

Yes, there is a connection - the first part of the URL points to an instance of blogengine.net.  Blogengine.net lives in the 'content' folder, http://www.MYDOMAIN.com/content/post/WelcomeToWellness.aspx?dnis= (the dnis value is for campaign tracking).  This first part of the URL works fine and the correct page loads.

What my hosting company is telling me is that there is an XSS vulnerability with this application and gave the list below as an example:

http://www.MYDOMAIN.com/content/post/WelcomeToWellness.aspx?dnis=">'><IFRAME src="https://www.trustwave.com"></IFRAME>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

Blogengine.net is not generating the ">'><IFRAME src="https://www.trustwave.com"></IFRAME>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>" part of this link; my hosting company is saying someone can append this code to a link and cause problems.

I believe what they are warning me of is that the blogengine.net application will accept HTML and Javascript injections into the query string and process that code.  When I replace MYDOMAIN with my real domain, their example link does indeed render a page full of iframes and javascript alerts instead of the intended page.

Does this help at all?

Dec 23, 2010 at 5:44 AM

Make sure where you are processing the dnis query string value that you don't just display it in your page. That's what is causing this. There is somewhere in the customized code where you are stating Response.QueryString["dnis"]; and just putting that as the text somewhere else.

When I use this against a vanilla blog engine install I don't get the same symptoms so that would reaffirm my belief that there is something customized that uses the values from Request.QueryString["dnis"];

Check out more information here : http://msdn.microsoft.com/en-us/library/ms998274.aspx
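The pattern jwendl describes, shown as an added example (this is not BlogEngine.NET code and not code from anyone in this thread): a hypothetical customized page reads the dnis campaign value from the query string and writes it into the page. The control name campaignLabel and the helper RenderCampaignTag are assumptions for illustration; HttpUtility.HtmlEncode is the real System.Web encoder.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical customized page, assumed to live alongside the blog's own
// pages. It reflects the ?dnis= query value, which is exactly the situation
// that makes the hosting company's test URL render iframes and alerts.
public partial class WelcomeToWellness : Page
{
    // Assumed to be declared in the .aspx markup as <asp:Label ID="campaignLabel" runat="server" />.
    protected Label campaignLabel;

    protected void Page_Load(object sender, EventArgs e)
    {
        string dnis = Request.QueryString["dnis"] ?? string.Empty;

        // UNSAFE (the bug being looked for): Label.Text is emitted verbatim,
        // so "><SCRIPT>... from the URL becomes live markup in the response.
        // campaignLabel.Text = dnis;

        // SAFE: encode before the value reaches the HTML. The browser then
        // displays the attacker's text instead of interpreting it.
        campaignLabel.Text = RenderCampaignTag(dnis);
    }

    // Turns the raw query value into an HTML fragment that is safe to emit.
    // <, >, ", ' and & are replaced with entities, so for the thread's test
    // value the output is literally &quot;&gt;&#39;&gt;&lt;IFRAME ... and
    // no element or script is created.
    public static string RenderCampaignTag(string dnis)
    {
        return "<span class=\"campaign\">" + HttpUtility.HtmlEncode(dnis) + "</span>";
    }
}
```

Two things worth checking in the same customized code: a page that reflects query input without ever hitting the "potentially dangerous Request.QueryString value" error usually has ValidateRequest="false" in its @ Page directive (or in web.config), which is why the HTML gets through in the first place; and a Literal control with Mode="Encode" gives the same protection as the explicit HttpUtility.HtmlEncode call above, whereas Label.Text and Response.Write never encode on their own.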

Coordinator
Dec 23, 2010 at 6:00 AM
jwendl wrote:

Check out more information here : http://msdn.microsoft.com/en-us/library/ms998274.aspx

Thanks for the link, nicely written.

Coordinator
Dec 23, 2010 at 8:56 AM

mchagala:  I understand what you mean now.  It's some hacker appending malicious query strings to the end of valid URLs.

As jwendl mentioned, BE isn't processing this type of query string parameter.  It's just ignored.  If BE was taking that value and doing something such as creating a comment with the contents of that query string value, that would be a problem.  But BE doesn't do anything with that value ... it's not looking for any special value there.

I do see a difference though between loading the page in IIS6 vs IIS7.  For example, if you append that value to the URL of a post on my blog (IIS6):

http://allben.net/post/2010/11/24/BlogEngineNET-20-RC-Available-now!.aspx?dnis=">'><IFRAME src="https://www.trustwave.com"></IFRAME>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

... versus, appending it to a post where the server is IIS7 (borrowing one of your URLs Ruslan, should be safe!)

http://rtur.net/blog/post/2010/12/22/Using-BlogEngineNET-20-with-NET-40-framework.aspx?dnis=">'><IFRAME src="https://www.trustwave.com"></IFRAME>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

With IIS7, the page loads instantly.  With IIS6, it goes on for about 30 seconds or more, and finally times out (connection reset at the server).  I'm not actually sure if the reason for this difference is IIS6 vs IIS7, or some other factor.

But if I append a different value (more innocent) to my same IIS6 server post:

http://allben.net/post/2010/11/24/BlogEngineNET-20-RC-Available-now!.aspx?dnis=test

This loads instantly.  So perhaps we could look at rejecting these types of URLs, since it's typically not good that a server is taking 30+ seconds to respond.  I'm not sure offhand what's happening during that 30 seconds.  And I'll have to see if the request is hung up during that 30 second period within BE, or if it's hung up at IIS -- probably it's hung up within BE.

mchagala:  Btw, is your server running IIS6 or IIS7?  And what happens when you access your blog post with that URL ... do you get the long delay like what I see on my blog (allben.net), or does it load quickly?

Dec 23, 2010 at 5:19 PM

Thank you VERY much, this is extremely helpful!  I do not know which IIS it is running - I can find out.  Either way I am not getting any delays, loads quickly.

Dec 23, 2010 at 11:03 PM

Ben: Looks like you're on the right track with the IIS6 problem. It's apparently a security thing for IIS6, and not specific to BlogEngine. http://stackoverflow.com/questions/217447/url-encoded-angle-brackets-in-url


Dec 28, 2010 at 4:29 PM

Thank you all VERY much for the help!  I will send this information to my hosting company and see what they say - I don't have access to IIS myself.  I will update this thread with the results.