[CLOSED] FormPanel Url XSS



vzx
Jun 18, 2013, 8:02 AM
Hi,

If you call the page below with the query string "?_dc=javascript:alert(1);", the XSS is not filtered and it can be seen in the output (url:"/test.aspx?_dc=javascript:alert(1);").

Is there a way to filter it?



<%@ Page Language="C#" %>

<%@ Register Assembly="Ext.Net" Namespace="Ext.Net" TagPrefix="ext" %>

<!DOCTYPE html>
<html>
<head id="Head1" runat="server">
<title>Ext.NET XSS</title>
</head>
<body>
<form id="Form1" runat="server">
<ext:ResourceManager ID="ResourceManager1" runat="server">
</ext:ResourceManager>
<ext:FormPanel runat="server">
<Items>
</Items>
</ext:FormPanel>
</form>
</body>
</html>


Thanks,
Vzx

Daniil
Jun 18, 2013, 1:41 PM
Hi @vzx,


it can be seen in output (url:"/test.aspx?_dc=javascript:alert(1);").


In output? Do you mean the page sources? Could you demonstrate where exactly you see it?

vzx
Jun 18, 2013, 2:01 PM
Hi @vzx,

In output? Do you mean the page sources? Could you demonstrate where exactly you see it?

Yes Daniil, in the page source. IE also gives a warning like the one below and modifies the output.

"Internet Explorer has modified this page to help prevent cross-site scripting."

Daniil
Jun 18, 2013, 3:59 PM
So, are you seeing it here?

<form method="post" action="Work2.aspx?_dc=javascript%3aalert(1)%3b" id="Form1">

And would you like to eliminate the query string from that "action" URL?

Daniil
Jun 19, 2013, 2:29 PM
Could you also clarify the exact steps to reproduce the XSS warning using your test case? Which IE version is it?

vzx
Jun 19, 2013, 2:51 PM
Could you also clarify the exact steps to reproduce the XSS warning using your test case? Which IE version is it?

Just call the page with a query string like "test.aspx?_dc=javascript:alert(1);"

I am testing it with IE10. You can find a picture of the warning attached.

PS: IE changes the FormPanel's url in the response to:

url:"/LifeIn/test.aspx?_dc=javasc#ipt:alert(1);"

Vladimir
Jun 19, 2013, 3:09 PM
What is the reason to use such a query string? Is it for testing only?
It is not XSS. XSS is when an attacker has the possibility to execute a script in the browser of another user. In this case, there is no script execution because the url is rendered as a string constant. So, that warning is just an IE10 mistake.

In any case, we will encode the url for FormPanel.

Vladimir
Jun 19, 2013, 3:46 PM
Fixed in SVN, the url is now encoded.

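To make the encoding point concrete, here is an added example in Node.js; it is not Ext.NET's code and not from any poster in this thread. It emulates how a server renders the url:"..." FormPanel config literal from the request query string, first by pasting the raw query string in, then by decoding the parameters and percent-encoding each key and value with encodeURIComponent (the thread says the fix encodes the url but does not show Ext.NET's actual routine, so that choice is an assumption, as is the /test.aspx page path). It confirms Vladimir's observation that the thread's value cannot execute inside a string constant, and it uses a constructed value containing a double quote, which nobody in the thread reported, to show what the encoding guards against in general.

```javascript
// Added example, not Ext.NET's code: models a server that emits a FormPanel
// config literal such as url:"/test.aspx?_dc=..." from the request URL, and
// compares pasting the raw query string into it with re-encoding each
// parameter first (the approach the fix in this thread describes).

// Characters that can terminate a double-quoted JavaScript string literal or
// the enclosing <script> element when a value is pasted into it verbatim.
const BREAKOUT = /["\\\r\n\u2028\u2029]|<\//;

// Unsafe variant: the raw query string is interpolated as received.
function renderRaw(page, rawQuery) {
  return `url:"${page}${rawQuery}"`;
}

// Hardened variant: decode the query into key/value pairs (as a server
// framework would present them), then percent-encode every key and value.
// encodeURIComponent leaves only unreserved characters and ( ) ' ! * ~,
// none of which appears in BREAKOUT, so the literal cannot be closed early.
function renderEncoded(page, rawQuery) {
  const params = new URLSearchParams(rawQuery); // strips a leading "?"
  const parts = [];
  for (const [k, v] of params) {
    parts.push(`${encodeURIComponent(k)}=${encodeURIComponent(v)}`);
  }
  const query = parts.length ? `?${parts.join("&")}` : "";
  return `url:"${page}${query}"`;
}

// Extracts the value between url:" and the closing " so it can be inspected.
function urlValue(fragment) {
  const m = /^url:"([\s\S]*)"$/.exec(fragment);
  return m ? m[1] : null;
}

// True if the rendered value contains a character that would let it break out
// of the url:"..." string literal (or close the <script> element).
function canBreakOut(fragment) {
  return BREAKOUT.test(urlValue(fragment) ?? "");
}

// The query string from the thread: harmless as a string constant, since it
// contains no breakout characters, but visible verbatim in the page source.
const THREAD_QUERY = "?_dc=javascript:alert(1);";
// Constructed input (not from the thread) containing a double quote, to show
// the class of value that output encoding actually neutralizes.
const QUOTE_QUERY = '?_dc=x"y';

for (const q of [THREAD_QUERY, QUOTE_QUERY]) {
  const raw = renderRaw("/test.aspx", q);
  const enc = renderEncoded("/test.aspx", q);
  console.log(`raw:     ${raw}  breakout=${canBreakOut(raw)}`);
  console.log(`encoded: ${enc}  breakout=${canBreakOut(enc)}`);
}
```

The first input reproduces the thread: the raw rendering contains javascript:alert(1); but cannot break out of the literal, which is why it is not executable there, while the encoded rendering shows it as javascript%3Aalert(1)%3B, similar in form to what IE and the form action already display. The second, constructed input is the case the encoding is really for: raw, it closes the string literal; encoded, the quote becomes %22 and the check passes.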
vzx
Jun 19, 2013, 3:54 PM
Fixed in SVN, the url is now encoded.

It had come to me as a security issue.

Thank you all.

Vzx

Daniil
Jun 19, 2013, 6:23 PM
It had come to me as a security issue.

Could you please clarify what exactly the threat of this issue is? Just curious.

vzx
Jun 27, 2013, 8:12 AM
Hi,

I was waiting for a reply from the security testers. The reply has just been posted.

They are convinced that it is not a security issue. If this change is also unnecessary for you, you can undo it. Sorry about that.

Thanks,
Vzx

Daniil
Jun 27, 2013, 4:44 PM
Thank you for the feedback.

We decided to leave the change.