[CLOSED] FormPanel Url XSS

  1. #1

    Hi,

    If you call the page below with this querystring "?_dc=javascript:alert(1);", XSS is not being filtered and it can be seen in output (url:"/test.aspx?_dc=javascript:alert(1);").

    Is there a way to filter it?

    <%@ Page Language="C#" %>
    
    <%@ Register Assembly="Ext.Net" Namespace="Ext.Net" TagPrefix="ext" %>
    
    <!DOCTYPE html>
    <html>
    <head id="Head1" runat="server">
        <title>Ext.NET XSS</title>
    </head>
    <body>
        <form id="Form1" runat="server">
            <ext:ResourceManager ID="ResourceManager1" runat="server">
            </ext:ResourceManager>
            <ext:FormPanel runat="server">
                <Items>
                </Items>
            </ext:FormPanel>
        </form>
    </body>
    </html>
    Thanks,
    Vzx
    Last edited by Daniil; Jun 19, 2013 at 5:21 PM. Reason: [CLOSED]
  2. #2
    Hi @vzx,

    Originally posted by vzx:
    it can be seen in output (url:"/test.aspx?_dc=javascript:alert(1);").
    In output? Do you mean the page sources? Could you demonstrate where exactly you see it?
  3. #3
    Originally posted by Daniil:
    Hi @vzx,

    In output? Do you mean the page sources? Could you demonstrate where exactly you see it?
    Yes Daniil, in page sources. IE gives a warning also like below and modifies output.

    "Internet Explorer has modified this page to help prevent cross-site scripting."
  4. #4
    So, are you seeing it here?
    <form method="post" action="Work2.aspx?_dc=javascript%3aalert(1)%3b" id="Form1">
    And would you like to eliminate a query string from that "action" URL?
    Last edited by Daniil; Jun 19, 2013 at 1:18 PM.
  5. #5
    Could you also clarify what the exact steps are to reproduce an XSS warning using your test case? What is the IE version?
  6. #6
    Originally posted by Daniil:
    Could you also clarify what the exact steps are to reproduce an XSS warning using your test case? What is the IE version?
    Just call the page with this querystring like "test.aspx?_dc=javascript:alert(1);"

    I am testing it with IE10. You can find a picture of the warning attached.

    PS: IE is changing the FormPanel's url in the response to:

    url:"/LifeIn/test.aspx?_dc=javasc#ipt:alert(1);"
    [Attached image: Untitled.png]
  7. #7
    What is the reason to use such a query string? Is it for testing only?
    It is not XSS. XSS is when an attacker has the possibility to execute script in the browser of another user. In this case, there is no script execution because the url is rendered as a string constant. So, that warning is just an IE10 mistake.

    Anyway, we will encode the url for FormPanel.
  8. #8
    Fixed in SVN, now url is encoded
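The encoding discussed in posts #7 and #8, as an added example that is not part of the thread and not Ext.NET's actual change: the reflected request URL is percent-encoded once, then encoded again for each place it is written (the `url:"..."` script config and the form `action` attribute). `UrlEmitter` and its methods are hypothetical names, and the two query strings are constructed inputs.

```csharp
using System;
using System.Collections.Specialized;
using System.Linq;
using System.Web; // HttpUtility

// Added illustration only; UrlEmitter is a hypothetical helper, not Ext.NET code.
public static class UrlEmitter
{
    // Rebuild the query string with every key and value percent-encoded,
    // so reflected input never reaches the page in its raw form.
    public static string EncodeQuery(string path, NameValueCollection query)
    {
        var pairs = query.AllKeys
            .Where(k => k != null) // valueless parameters are dropped in this sketch
            .SelectMany(k => query.GetValues(k)
                .Select(v => HttpUtility.UrlEncode(k) + "=" + HttpUtility.UrlEncode(v)));
        string qs = string.Join("&", pairs);
        return qs.Length == 0 ? path : path + "?" + qs;
    }

    // JavaScript string-literal context: the url:"..." config from post #1.
    // JavaScriptStringEncode escapes quotes, backslashes and angle brackets.
    public static string AsJsConfig(string url)
    {
        return "url:" + HttpUtility.JavaScriptStringEncode(url, true);
    }

    // HTML attribute context: the form action shown in post #4.
    public static string AsFormAction(string url)
    {
        return "action=\"" + HttpUtility.HtmlAttributeEncode(url) + "\"";
    }

    public static void Main()
    {
        // Constructed inputs: the thread's query string, and one containing
        // characters that are significant inside a string literal or attribute.
        string[] samples = { "_dc=javascript:alert(1);", "_dc=a\"b<c" };
        foreach (string raw in samples)
        {
            NameValueCollection query = HttpUtility.ParseQueryString(raw);
            string url = EncodeQuery("/test.aspx", query);
            Console.WriteLine(AsJsConfig(url));
            Console.WriteLine(AsFormAction(url));
        }
    }
}
```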
  9. #9
    Originally posted by Vladimir:
    Fixed in SVN, now url is encoded
    It had come to me as a security issue.

    Thank you all.

    Vzx
  10. #10
    Originally posted by vzx:
    It had come to me as a security issue.
    Could you, please, clarify what exactly is the threat of this issue? Just curious.