This is a migrated thread and some comments may be shown as answers.

RadScriptManager XSS Issue

Kalyan
Kalyan asked on 15 Oct 2009, 03:13 PM
Hi,

During penetration testing of our application, a critical issue was identified. This issue is related to the RadScriptManager that is used on some pages. RadScriptManager uses a hidden field for all its Ajax callbacks, which has been identified as a potential cross-site scripting issue.

Can someone suggest how we can overcome this issue?

Here is the sample:
Attack Request: POST /Test/Pages/SelectSSRSReports.aspx HTTP/1.1
Accept: */*
Accept-Language: en-gb
Referer: https://yahooi.co.uk/Test/Pages/SelectSSRSReports.aspx
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: yahooi
Content-Length: 84361
Pragma: no-cache
Memo: 16:Auditor.SendAsyncronousRequest:Attack(CID:(null):AS:2,EID:1354e211-9d7d-4cc1-80e6-
4de3fd128002,ST:AuditAttack,AT:PostSubParamInjection,APD:ctl00_ContentPlaceHolder1_SelectSSRSR
eportsUC_RadScriptManager1_HiddenField,I:
(1,2),R:False,SM:2,SID:6D5FE98086FFBD5B9C4EAC6B578D3355,PSID:805159012103CD6481F7371358
8F96DC)
Connection: Keep-Alive
Cookie: ASP.NET_SessionId=hv3lku55kgc3xrr2dwuhhovm;CustomCookie=cookie46767ZX6C1A0EE8F4EC44189A5FD7BEA43E8944YC48D;
ASPSESSIONIDSQDTCBCS=AINPNDJDB
BHAHLAPMDIOHALB
ctl00$ContentPlaceHolder1$SelectSSRSReportsUC$RadScriptManager1=ctl00$ContentPlaceHolder1
$SelectSSRSReportsUC$ctl00$ContentPlaceHolder1$SelectSSRSReportsUC$treReportsPanel|ctl00
$ContentPlaceHolder1
$SelectSSRSReportsUC$treReports&ctl00_ContentPlaceHolder1_SelectSSRSReportsUC_RadScriptManag
er1_HiddenField=%3b%3bSystem.Web.Extensions%2c%20Version%3d1.0.61025.0%2c%20Culture%
3dneutral%3csCrIpT%3ealert(46781)%3c%2fsCrIpT%3e%2c%20PublicKeyToken%
3d31bf3856ad364e35%3aen-US%3a1f0f78f9-0731-4ae9-b308-56936732ccb8%3aea597d4b%
3ab25378d2%3bTelerik.Web.UI%2c%20Version%3d2009.1.402.20%2c%20Culture%3dneutral%2c%
20PublicKeyToken%3d121fae78165ba3d4%3aen-US%3ab30853f2-6f9f-496e-85c8-cca8f7f2e17c%
3a16e4e7cd%3a86526ba7%3af7645509%3a24ee1bba%3ae330518b%3a1e771326%3ac8618e41%
3aed16cbdc%3ae524c98b%3a58366029%3aaa288e2d%3ae4f8f289&__EVENTTARGET=ctl00%
24ContentPlaceHolder1%24SelectSSRSReportsUC%24treReports&__EVENTARGUMENT=%7b%
22sourceNodesIndices%22%3a%5b%220%3a0%3a0%22%5d%2c%22commandName%22%3a%
22NodeDropOnHtmlElement%22%2c%22htmlElementId%22%3a%
22ctl00_ContentPlaceHolder1_SelectSSRSReportsUC_txtTabularReportURL%22%7d&__VIEWSTATE=%
2FwEPDwUKMTk3MzYyNTQ2NQ9kFgJmD2QWAgIDD2QWBgIBDw8WAh4XRW5hYmxlQWpheFNraW5SZ
W5kZXJpbmdoZGQCAw9kFgICAQ8UKwACFCsAAg8WCh4JQmFja0NvbG9yCTMAmf8eBEZsb3cLKXBUZWx
lcmlrLldlYi5VSS5JdGVtRmxvdywgVGVsZXJpay5XZWIuVUksIFZlcnNpb249MjAwOS4xLjQwMi4yMCwgQ3Vs
dHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0xMjFmYWU3ODE2NWJhM2Q0AR4JRm9udF9TaXplKCoi
U3lzdGVtLldlYi5VSS5XZWJDb250cm9scy5Gb250VW5pdAVTbWFsbB8AaB4EXyFTQgKICBYCHgVzdHlsZQU
ZYmFja2dyb3VuZC1jb2xvcjojOTkwMDMzOxAWBmYCAQICAgMCBAIFFgYUKwACDxYEHgRUZXh0BRNTRV
RVUCBDT05GSUdVUkFUSU9OHgtOYXZpZ2F0ZVVybAUafi9QYWdlcy9Db25maWd1cmVIb21lLmFzcHhkZB
QrAAIPFgQfBgUOUkVQT1JUIE1BTkFHRVIfBwUafi9QYWdlcy9SZXBvcnRNYW5hZ2VyLmFzcHhkZBQrAAIP
F2gBQL1fBBghUZ2KVUzFLJ1JVBkylaMXRZUpbdGFUVxk8ZH2VBTRY13%JlZW4uYXNweGRkFCsAAg8WBB8GBQ9VU0VSIE1BTkFHRU1FTlQfBw
2BL1BhZ2VzL1ByaXZpbGVkZ2VTY3JlZW4uYXNweGRkFCsAAg8WBB8GBQ9VU0VSIE1BTkFHRU1FTlQfBw
Udfi9QYWdlcy9TZWxlY3RQcmltZVVzZXJzLmFzcHhkZBQrAAIPFgQfBgUQR1JPVVAgTUFOQUdFTUVOVB8H
BR5%
2BL1BhZ2VzL1NlbGVjdFByaW1lR3JvdXBzLmFzcHhkZBQrAAIPFgQfBgURUkVQT1JUIE1BTkFHRU1FTlQfB
wUefi9QYWdlcy9TZWxlY3RTU1JTUmVwb3J0cy5hc3B4ZGQPFgZmZmZmZmYWAQVzVGVsZXJpay5XZWIu
VUkuUmFkTWVudUl0ZW0sIFRlbGVyaWsuV2ViLlVJLCBWZXJzaW9uPTIwMDkuMS40MDIuMjAsIEN1bHR1c
mU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49MTIxZmFlNzgxNjViYTNkNGQWDGYPDxYEHwYFE1NFVFVQ
IENPTkZJR1VSQVRJT04fBwUafi9QYWdlcy9Db25maWd1cmVIb21lLmFzcHhkZAIBDw8WBB8GBQ5SRVBP
UlQgTUFOQUdFUh8HBRp%
2BL1BhZ2VzL1JlcG9ydE1hbmFnZXIuYXNweGRkAgIPDxYEHwYFClBSSVZJTEVHRVMfBwUdfi9QYWdlcy9Q
cml2aWxlZGdlU2NyZWVuLmFzcHhkZAIDDw8WBB8GBQ9VU0VSIE1BTkFHRU1FTlQfBwUdfi9QYWdlcy9TZ
WxlY3RQcmltZVVzZXJzLmFzcHhkZAIEDw8WBB8GBRBHUk9VUCBNQU5BR0VNRU5UHwcFHn4vUGFnZXM
vU2VsZWN0UHJpbWVHcm91cHMuYXNweGRkAgUPDxYEHwYFEVJFUE9SVCBNQU5BR0VNRU5UHwcFHn4
vUGFnZXMvU2VsZWN0U1NSU1JlcG9ydHMuYXNweGRkAgUPZBYCAgEPZBYIAgMPDxYCHwBoZGQCCQ8U
KwACFCsAAhQrAAIPFgIfAGhkEBYBZhYBFCsAAg8WBh8GBQ1QUklNRSBSZXBvcnRzHglBbGxvd0Ryb3BoH
glBbGxvd0RyYWdoZBAWAmYCARYCFCsAAg8WAh8GBRpOYXRpb25hbCBJbmRpY2F0b3IgUmVwb3J0c2Q
QFjpmAgECAgIDAgQCBQIGAgcCCAIJAgoCCwIMAg0CDgIPAhACEQISAhMCFAIVAhYCFwIYAhkCGgIbAhw
CHQIeAh8CIAIhAiICIwIkAiUCJgInAigCKQIqAisCLAItAi4CLwIwAjECMgIzAjQCNQI2AjcCOAI5FjoUKwACDx
YIH
Attack Response: HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 148
Content-Type: text/html; charset=utf-8
Date: Sat, 10 Oct 2009 14:56:00 GMT
133|error|500|The name 'neutral<sCrIpT>alert(46781)</sCrIpT>' contains characters that are not
valid for a Culture or Region.
Parameter name: name|

Atanas Korchev
Telerik team
answered on 15 Oct 2009, 03:19 PM
Hi Kalyan,

This issue has been resolved in more recent versions of our product. Please upgrade to the Q2 2009 version (you now seem to be using Q1 2009).

Regards,
Albert,
the Telerik team

Instantly find answers to your questions on the new Telerik Support Portal.
Watch a video on how to optimize your support resource searches and check out more tips on the blogs.
Lee Scorer
answered on 16 Oct 2009, 07:46 AM
Thanks for replying. I am a licensed user and I was just checking my upgrade. Is ASP.NET AJAX 2009.2 826 the version I should download that has the fix for the problem I mentioned earlier? Please suggest.
T. Tsonev
Telerik team
answered on 16 Oct 2009, 07:58 AM
Hello,

Yes, this is the correct version - it's the current official Q2 2009 release.

Greetings,
Tsvetomir Tsonev
the Telerik team

Lee Scorer
answered on 21 Oct 2009, 09:06 AM
Hi,

This is really URGENT. As per your feedback, we upgraded the Telerik DLL to ASP.NET AJAX 2009.2 826 and sent our application for a second round of penetration testing. It has failed again for the same reason. We would need urgent feedback on how we can solve this RadScriptManager HiddenField issue, since this is our barrier to releasing the application.

Are there any other alternatives?
T. Tsonev
Telerik team
answered on 24 Oct 2009, 02:14 PM
Hello,

I'm posting this for community reference:
The issue has been resolved in version 2009.2.1024+ thanks to the additional details that you've provided through a support ticket.

Greetings,
Tsvetomir Tsonev
the Telerik team

Amit
commented on 07 Feb 2022, 09:33 PM

Hi,

I am using the Telerik 2014 version and getting an XSS issue because of RadScriptManager. Can you please assist with what the possible fix would be?

The value of the RadScriptManager1_TSM request parameter is copied into the HTML document as plain text between tags. The payload xxxxxxxxxxxxxxxxxx was submitted in the RadScriptManager1_TSM parameter. This input was echoed as xxxxxxxxxxxxxx in the application's response.

This behavior demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behavior and attempt to identify any unusual input validation or other obstacles that may be in place.

Please suggest

Amit

Rumen
Telerik team
commented on 08 Feb 2022, 09:47 AM

Hi Amit,

It is highly recommended to upgrade to the latest version, 2022.1.119, since the versions prior to 2020.1.114 (R1 2020) are vulnerable to the .NET JavaScriptSerializer Deserialization (CVE-2019-18935) vulnerability. Please see the following KB article on the topic, Allows JavaScriptSerializer Deserialization, and the blog post Blue Mockingbird Vulnerability Picks up Steam—Telerik Guidance.

If you still experience the XSS problem with the latest version, please provide reproduction steps so that we can reproduce it on our side. Thank you!

Amit
commented on 09 Feb 2022, 10:05 PM

Hi Rumen,

Thanks for the reply. Considering your advice, I have upgraded the version of Telerik UI to 2022.1.119, but after the scan I still got the following issues:

1) The value of the RadScriptManager1_TSM request parameter is copied into the HTML document as plain text between tags. The payload }}tfc1u5050<a b234=cxhbmo1w was submitted in the RadScriptManager1_TSM parameter. This input was echoed as tfc1u5050<a b234=cxhbmo1w in the application's response.

This behavior demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behavior and attempt to identify any unusual input validation or other obstacles that may be in place.

2) The value of the ctl00%24cphBase%24CtrlName%24C%24btn_input request parameter is copied into the HTML document as plain text between tags. The payload }}p81111sq1a b=c>phkaa23jz was submitted in the ctl00%24cphBase%24CtrlName%24C%24btn_input parameter. This input was echoed as p81111sq1a b=c>phkaa23jz in the application's response.

The 2nd issue is replicated for numerous controls, hidden and non-hidden.

Please suggest how to resolve these issues.

Amit

Amit
commented on 10 Feb 2022, 11:04 PM

Hi Rumen/Telerik Team,

An early reply to my previous query is highly appreciated, as this is a blocker for our current release and an application audit is scheduled at the end of this month.

Amit

Rumen
Telerik team
commented on 11 Feb 2022, 12:47 PM

Hi Amit, 

Straight to the questions:

1. The first problem should be fixed in the latest version. Can you please ensure that the Telerik.Web.UI.dll version is indeed the latest one and that the update to it was successful? Please right-click on the page with the Telerik controls, select View Page Source and search for the following HTML comment tag: <!-- 2022.1.119

Also make sure that there aren't any cached scripts. Press F12, go to the Network tab and check the Disable Cache button, then reload the page with Ctrl+F5 and run the scanner once again.

For your convenience, I have also opened a private support ticket from your account to show you that the problem is already fixed.

2. The second issue does not seem related to Telerik because our hidden fields have a different format for the identifiers. We do not use such syntax - btn_input - I also checked it in the source code to confirm it.
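A small check for the verification step Rumen describes above (confirm that the rendered page really carries the upgraded Telerik.Web.UI build and that no stale cached script is being served). This is an added example, not Telerik's code: it reads two markers from saved page source, the HTML version comment Rumen asks for and the "Telerik.Web.UI, Version=..." entry of the script-manager hidden-field value, flags disagreement between the two, and compares the result against the 2020.1.114 (R1 2020) floor given in the earlier reply. The page-source fragments are constructed; `check_page`, `extract_versions` and `MIN_SAFE_VERSION` are names chosen here.

```python
import re

# Telerik.Web.UI writes its assembly version into the page in two places quoted
# in this thread: an HTML comment such as "<!-- 2022.1.119.45 -->" and the
# "Telerik.Web.UI, Version=..." entry inside the script-manager hidden field.
VERSION_COMMENT = re.compile(r"<!--\s*(\d{4}(?:\.\d+){2,3})\s*-->")
SCRIPT_VERSION = re.compile(r"Telerik\.Web\.UI,\s*Version=(\d{4}(?:\.\d+){2,3})")

# Earliest build with the CVE-2019-18935 fix (R1 2020), as stated in the reply above.
MIN_SAFE_VERSION = (2020, 1, 114)


def as_tuple(text):
    """'2022.1.119.45' -> (2022, 1, 119, 45) so that versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def extract_versions(page_source):
    """Return the version found at each marker, or None where the marker is absent."""
    comment = VERSION_COMMENT.search(page_source)
    script = SCRIPT_VERSION.search(page_source)
    return {
        "comment": as_tuple(comment.group(1)) if comment else None,
        "script": as_tuple(script.group(1)) if script else None,
    }


def check_page(page_source, expected=None):
    """Classify the page as not-found, inconsistent, below-minimum, mismatch or ok.

    `expected` is an optional version prefix, e.g. (2022, 1, 119), that the
    deployment is supposed to be running after the upgrade.
    """
    versions = extract_versions(page_source)
    found = {v for v in versions.values() if v is not None}
    if not found:
        status = "not-found"        # no Telerik version marker rendered at all
    elif len(found) > 1:
        status = "inconsistent"     # comment and script disagree: suspect a cached script
    else:
        version = found.pop()
        if version[:3] < MIN_SAFE_VERSION:
            status = "below-minimum"
        elif expected is not None and version[:len(expected)] != tuple(expected):
            status = "mismatch"
        else:
            status = "ok"
    return {"versions": versions, "status": status}


# Constructed page-source fragments modelled on the snippets quoted in this thread.
PAGE_UPGRADED = (
    "hf.value += ';;System.Web.Extensions, Version=4.0.0.0, Culture=neutral, "
    "PublicKeyToken=xxxxxxxxx;Telerik.Web.UI, Version=2022.1.119.45, Culture=neutral';\n"
    '<!-- 2022.1.119.45 --><div id="RadAjaxManager">'
)
PAGE_OLD = '<!-- 2014.1.225.45 --><div id="RadAjaxManager">'  # constructed pre-R1 2020 build
PAGE_STALE_SCRIPT = (  # new DLL rendered the comment, but an old script value is still served
    "hf.value += ';;Telerik.Web.UI, Version=2014.1.225.45, Culture=neutral';\n"
    "<!-- 2022.1.119.45 -->"
)

if __name__ == "__main__":
    for name, src in [("upgraded", PAGE_UPGRADED), ("old", PAGE_OLD), ("stale", PAGE_STALE_SCRIPT)]:
        print(name, check_page(src, expected=(2022, 1, 119)))
```

Run it against a page source saved from View Page Source after a hard reload; an "inconsistent" result is the cached-script situation the reply warns about, and "below-minimum" means the page is still served by a build older than the CVE-2019-18935 fix regardless of what the project references.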
Amit
commented on 11 Feb 2022, 03:22 PM

Hi Rumen,

Thanks for the reply.

For the 1st issue, I have checked that we have a reference to the new DLL in the View Source HTML, for example:

  hf.value += ';;System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=xxxxxxxxx;Telerik.Web.UI, Version=2022.1.119.45, 

<!-- 2022.1.119.45 --><div id="RadAjaxManager">

Regarding Caching of results in browser, we are looking into the issue at our end.

For the 2nd issue, the control's HTML shared with you is generated by Telerik. I provide here the control definition in markup along with the HTML rendered from it.

<telerik:RadButton ID="btn" runat="server" Text="Login" OnClick="btn_Click">
    <icon primaryiconurl="Images/xxxxxx.png" primaryiconleft="5px" />
</telerik:RadButton>

<input name="ctl00_cphBase_winLogin_C_btn_ClientState" id="ctl00_cphBase_winLogin_C_btn_ClientState" type="hidden"
    value='{"text":"Login","value":"","checked":false,"target":"","navigateUrl":"","commandName":"","commandArgument":"","autoPostBack":true,"selectedToggleStateIndex":0,"validationGroup":null,"readOnly":false,"primary":false,"enabled":true}' autocomplete="off">
<input name="ctl00$cphBase$winLogin$C$btn" tabindex="-1" class="rbDecorated rbPrimary" id="ctl00_cphBase_winLogin_C_btn_input" type="submit" value="Login">

Please suggest.

Amit

Rumen
Telerik team
commented on 14 Feb 2022, 02:00 PM

Hi Amit,

Let's continue the investigation in the ticket I opened for you.

With regards to the info provided in point 2: The new information does not reveal anything related to RadButton - the button markup does not match the previous field name either. Please provide reproduction steps in the ticket so that we can reproduce the XSS issue and be able to investigate it further. Thank you!

Amit
commented on 14 Feb 2022, 02:59 PM

Hi Rumen,

Let me share the complete details again for the 2nd point.

VS2013 HTML Code

<telerik:RadButton ID="btnOK" runat="server" Text="Login" OnClick="btnOK_Click">
    <icon primaryiconurl="Images/Yes16x16.png" primaryiconleft="5px" />
</telerik:RadButton>

Browser Developer Tool Rendered HTML for the control

<input class="rbDecorated rbPrimary" type="submit" name="ctl00$cphBase$winLogin$C$btnOK" id="ctl00_cphBase_winLogin_C_btnOK_input" value="Login" tabindex="-1">
<input id="ctl00_cphBase_winLogin_C_btnOK_ClientState" name="ctl00_cphBase_winLogin_C_btnOK_ClientState" type="hidden" autocomplete="off">

Extract From Scanned Report

Issue Detail: The value of the ctl00%24cphBase%24winLogin%24C%24btnOK_input request parameter is copied into the HTML document as plain text between tags. The payload }}pn77kppw<a b=c>xzkllc86 was submitted in the ctl00%24cphBase%24winLogin%24C%24btnOK_input parameter. This input was echoed as pn77kppw<a b=c>xzkllc86 in the application's response.

This behavior demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behavior and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

...[Request SNIP]...
hBase_winLogin_C_txtUserID_ClientState=&ctl00%24cphBase%24winLogin%24C%24txtPassword=xxxxxxx&ctl00_cphBase_winLogin_C_txtPassword_ClientState=&ctl00%24cphBase%24winLogin%24C%24btnOK_input=Login%7d%7dpn77kppw%3ca%20b%3dc%3exzkllc86&ctl00_cphBase_winLogin_C_btnOK_ClientState=&ctl00_cphBase_winLogin_ClientState=

...[Response SNIP]...
<td align="left">
A potentially dangerous Request.Form value was detected from the client (ctl00$cphBase$winLogin$C$btnOK_input="...gin}}pn77kppw<a b=c>xzkllc86").
</td>
...[SNIP]...

Let me know if you need anything else from my end. Please advise here.

Amit

Rumen
Telerik team
commented on 15 Feb 2022, 02:36 PM

Hi Amit, 

The provided information shows that the XSS vulnerability is a false positive, because the server is responding with the error

A potentially dangerous Request.Form value was detected from the client

showing that the ASP.NET framework does not accept the invalid request.
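The two findings in this thread differ in where the probe came back: in the 2009 report it appeared inside an ASP.NET AJAX partial-rendering ("delta") response of type error, while in the 2022 report it appeared inside the request-validation error page that Rumen points to. The following triage helper is an added example, not Telerik's or the scanner's code: it parses the `length|type|id|content|` delta format, reports whether the probe was reflected raw or HTML-encoded, records which frame types carried it, and flags the "A potentially dangerous Request.Form value was detected" message. The sample bodies are constructed from the responses quoted in this thread (the constructed 2009 body is 148 characters, matching the Content-Length in the original report); `triage`, `parse_ajax_delta` and `build_ajax_delta` are names chosen here.

```python
import html
import re
from dataclasses import dataclass

# Text ASP.NET emits when request validation rejects the input before the page runs.
REQUEST_VALIDATION_MARKER = "A potentially dangerous Request.Form value was detected"

# In the ASP.NET AJAX client library, updatePanel frame content is written into
# the DOM with innerHTML; error frames are raised through the endRequest error
# handler rather than inserted as markup.
DOM_WRITING_FRAME_TYPES = {"updatePanel"}

FRAME_HEADER = re.compile(r"(\d+)\|([^|]*)\|([^|]*)\|")


@dataclass
class Frame:
    kind: str       # e.g. updatePanel, hiddenField, error
    frame_id: str   # panel/field id, or the HTTP status for error frames
    content: str


def build_ajax_delta(frames):
    """Serialise frames as length|type|id|content|, the server-side format."""
    return "".join(f"{len(f.content)}|{f.kind}|{f.frame_id}|{f.content}|" for f in frames)


def parse_ajax_delta(body):
    """Parse a delta body into frames; return None if it is not a well-formed delta."""
    frames, pos = [], 0
    while pos < len(body):
        header = FRAME_HEADER.match(body, pos)
        if header is None:
            return None
        start = header.end()
        end = start + int(header.group(1))
        if end >= len(body) or body[end] != "|":
            return None             # declared length disagrees with the payload
        frames.append(Frame(header.group(2), header.group(3), body[start:end]))
        pos = end + 1
        if not body[pos:].strip():
            break                   # only trailing whitespace remains
    return frames or None


def reflection_kind(text, probe):
    """raw: probe present verbatim; encoded: only its HTML-escaped form; else absent."""
    if probe in text:
        return "raw"
    if html.escape(probe) in text or html.escape(probe, quote=False) in text:
        return "encoded"
    return "absent"


def triage(body, probe):
    """Summarise how `probe` came back in `body` for a reflected-input finding."""
    frames = parse_ajax_delta(body)
    result = {
        "reflection": reflection_kind(body, probe),
        "request_validation_rejected": REQUEST_VALIDATION_MARKER in body,
        "is_ajax_delta": frames is not None,
        "frames": [],
        "dom_written_raw": False,
    }
    if frames:
        result["frames"] = [(f.kind, f.frame_id, reflection_kind(f.content, probe)) for f in frames]
        result["dom_written_raw"] = any(
            kind in DOM_WRITING_FRAME_TYPES and how == "raw" for kind, _, how in result["frames"]
        )
    return result


# Constructed samples modelled on the two responses quoted in this thread.
PROBE_2009 = "<sCrIpT>alert(46781)</sCrIpT>"
DELTA_ERROR_2009 = (
    "133|error|500|The name 'neutral<sCrIpT>alert(46781)</sCrIpT>' contains characters "
    "that are not valid for a Culture or Region.\r\nParameter name: name|"
)
PROBE_2022 = "pn77kppw<a b=c>xzkllc86"
ERROR_PAGE_2022 = (
    '<td align="left">\nA potentially dangerous Request.Form value was detected from the client '
    '(ctl00$cphBase$winLogin$C$btnOK_input="...gin}}' + PROBE_2022 + '").\n</td>'
)
# A delta in which a panel re-rendered the probe HTML-encoded (the safe outcome).
DELTA_ENCODED = build_ajax_delta([
    Frame("updatePanel", "ctl00_panel", "<span>" + html.escape(PROBE_2022) + "</span>"),
    Frame("hiddenField", "__VIEWSTATE", "constructed"),
])

if __name__ == "__main__":
    for label, body, probe in [("2009 delta", DELTA_ERROR_2009, PROBE_2009),
                               ("2022 error page", ERROR_PAGE_2022, PROBE_2022),
                               ("encoded panel", DELTA_ENCODED, PROBE_2022)]:
        print(label, triage(body, probe))
```

The three outcomes are kept separate on purpose: a probe that came back only HTML-encoded, a probe inside a delta error frame, and a probe inside the request-validation error page are different things to write up, and `dom_written_raw` singles out the one case where the client library would insert the raw markup into the document.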