Web Connection
Querystring security issue
Querystring security issue
  Stein Goering
  All
  Dec 20, 2019 @ 10:24pm

Using the following probe to test for vulnerabilities on this site:

https://mell-base.uce.auburn.edu/wconnect/XPage.awp?Page=policies.htm%3C/title%3E%3Cimg%20src=x%20onerror=alert(%22Injected-script!%22)%3E

...the request is intercepted and immediately generates an error page:

An Error occurred
Unknown application error
A potentially dangerous Request.QueryString value was detected from the client (Page="...licies.htm 

But on this site, running the same app:

https://pace.utep.edu/wconnect/XPage.awp?Page=policies.htm%3C/title%3E%3Cimg%20src=x%20onerror=alert(%22Injected-script!%22)%3E

...it executes the XPage method which has code in place to sanitize the Page parameter, so I get this:

Invalid XPage Request
*** Unsafe Content *** does not exist or is not accessible.

While here, I have a potential security problem as the alert is triggered despite the sanitation action:

https://register.edoutreach.unlv.edu/XPage.awp?Page=policies.htm%3C/title%3E%3Cimg%20src=x%20onerror=alert(%22Injected-script!%22)%3E

Why does the same routine produce different behaviors? And how do I avoid that alert on the UNLV site?

--stein

re: Querystring security issue
  Rick Strahl
  Stein Goering
  Dec 22, 2019 @ 01:37pm

This is based on IIS/ASP.NET Request validation. By default, requests that include unsafe characters are not allowed. This includes script tags, angle brackets and path separators (.\ and ..\ specifically).

The behavior varies slightly between IIS and ASP.NET versions, and it can be turned off via the ASP.NET RequestValidation key.

On their own these requests aren't unsafe. It's what you do with the data received that makes it potentially unsafe.

+++ Rick ---
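
As an added illustration (not code from the board or from Web Connection), the following Python models the layering described above: a request-validation check patterned on ASP.NET's rule (reject `<` followed by a letter, `!`, `/` or `?`, an `&#` entity prefix, and the `.\`/`..\` path separators), an allowlist for what a Page value may look like, and HTML-encoding of whatever is echoed back so the value is displayed as text rather than markup. The example.test host, the allowlist pattern and the response strings are assumptions for this example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Patterned on ASP.NET request validation: '<' followed by a letter, '!', '/'
# or '?', or the '&#' prefix of a numeric entity, is treated as markup.
DANGEROUS_MARKUP = re.compile(r"<[A-Za-z!/?]|&#")
# The path separators mentioned above: '.\', '..\' and their '/' variants.
DANGEROUS_PATH = re.compile(r"\.{1,2}[\\/]")
# Allowlist for a legitimate Page value (assumption made for this example).
SAFE_PAGE = re.compile(r"^[A-Za-z0-9_-]+\.html?$")

# Constructed URL carrying the same probe payload as the posts above.
PROBE_URL = ("https://example.test/wconnect/XPage.awp?Page=policies.htm"
             "%3C/title%3E%3Cimg%20src=x%20onerror=alert(%22Injected-script!%22)%3E")


def request_validation(value: str) -> bool:
    """True when the value would trip an ASP.NET-style request validator."""
    return bool(DANGEROUS_MARKUP.search(value) or DANGEROUS_PATH.search(value))


def resolve_page(url: str) -> str:
    """Resolve the Page parameter of an XPage.awp-style URL to a response fragment.

    Validation runs before the value is used anywhere.  Under ISAPI there is no
    framework validator in front of the handler, so the handler's own check
    and output encoding are the only protection.
    """
    qs = parse_qs(urlsplit(url).query)          # percent-decodes the value
    page = qs.get("Page", [""])[0]
    if request_validation(page):
        return "A potentially dangerous Request.QueryString value was detected"
    if not SAFE_PAGE.match(page):
        # Even a rejected value is echoed encoded, so it cannot become markup.
        return ("Invalid XPage Request: %s does not exist or is not accessible"
                % html.escape(page))
    return "<title>%s</title>" % html.escape(page)


if __name__ == "__main__":
    print(resolve_page(PROBE_URL))
    print(resolve_page("https://example.test/wconnect/XPage.awp?Page=policies.htm"))
```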

re: Querystring security issue
  Stein Goering
  Stein Goering
  Dec 25, 2019 @ 11:07pm

Thanks. Now that I think about it, the latter 2 sites are still running under ISAPI. I'll suggest they move to .NET and make sure the RequestValidation key is on...

--stein

© 1996-2020