This is a migrated thread and some comments may be shown as answers.

ClientState Input and Buffer Overflow

Jeff asked on 21 Sep 2015, 07:26 PM

We have an application that uses RadGrid and one of our clients recently performed a penetration test on our application and identified the hidden input _ClientState as a vulnerability because they were able to trigger a buffer overflow error.

Here is the relevant code from the test where ClientState=AAA repeats ...

ctl00_ctl00_MainContent_MainContent_MyRequestGrid1_MyRequestCustomRadGrid_ClientState=AAAAAAAAAAAAAAAAAAAAAAAA 

Is there a way to prevent this from happening? Perhaps some way to set the max length for this hidden input or some other technique that we can utilize to mitigate this vulnerability?

We are using Telerik RadControls for ASP.NET Ajax.

For reference, there is another thread related to this topic (i.e., ClientState hidden field) where my colleague posted a similar question but received no response - http://www.telerik.com/forums/what-is-clientstate-input-hidden-for

3 Answers, 1 is accepted

0
Viktor Tachev
Telerik team
answered on 24 Sep 2015, 01:26 PM
Hello Jeff,

As explained in the article you are referring to, the controls are tested for possible issues. Currently we are not aware of such a security vulnerability.

Could you provide additional information on the problem? Also, elaborate in more detail on how it could be reproduced. Please try to reproduce the issue in one of the online examples linked below and provide the steps for replicating the issue.



Regards,
Viktor Tachev
Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
0
Jeff
answered on 24 Sep 2015, 02:44 PM

Hi Viktor,

Thanks for the reply. I attached a document for you to review, but here is an overview of how we exploited the hidden Telerik fields.

We are using Firefox HttpRequester to send a POST request using the hidden HTML input. Most Telerik controls add a “_ClientState” hidden field along with other content.

The input below doesn’t have a maxLength set, so it's possible to provide a very large input. If you use the Inspect Element tool on the browser, you will see many hidden Telerik fields.

<input id="ctl00_SideBar_LeftNavigation_CategoryControls_ClientState" name="ctl00_SideBar_LeftNavigation_CategoryControls_ClientState" type="hidden" autocomplete="off" value="{"expandedNodes":[],"collapsedNodes":[],"logEntries":[],"selectedNodes":[],"checkedNodes":[],"scrollPosition":0}">

I attached a screenshot demonstrating how we passed values to the hidden input to trigger a buffer overflow using the HTTP Requester tool.

Those hidden fields should have some kind of validation to validate against max length or strip out extra characters before it sends a request to server. 

ctl00_SideBar_DemoSearch1_SearchBox_ClientState: AAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Content-Type: application/json
 
 -- response --
200 OK
Cache-Control:  private
Content-Type:  text/html; charset=utf-8
Content-Encoding:  gzip
Server:  Microsoft-IIS/7.5
X-Powered-By:  UrlRewriter.NET 2.0.0, ASP.NET
X-AspNet-Version:  4.0.30319
Date:  Thu, 24 Sep 2015 13:46:13 GMT
Content-Length:  47646

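The test Jeff describes above can be scripted instead of driven from Firefox HttpRequester. The console program below is an added example, not code from the thread or from Telerik: it POSTs a single oversized *_ClientState field at increasing sizes, without the rest of the postback, and reports what the server does with each one. The URL is an assumption to replace with your own page; the field name is the one shown in the thread. Run it only against an application you are authorized to test.

```csharp
// Added example: reproduce the oversized-ClientState probe from a console app.
// Requires .NET 6+ (or C# 7.1+ for async Main). URL below is an assumption.
using System;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

static class ClientStateProbe
{
    static async Task Main(string[] args)
    {
        string url = args.Length > 0 ? args[0] : "https://app.example.test/Default.aspx"; // assumed target
        string field = "ctl00_SideBar_DemoSearch1_SearchBox_ClientState";                 // field name from the thread

        using (var client = new HttpClient())
        {
            // Sizes chosen to straddle typical ASP.NET/IIS request limits (4 MB and 30 MB defaults).
            foreach (int size in new[] { 1000, 100000, 1000000, 8000000 })
            {
                // Body is built by hand: 'A' needs no URL-encoding, and FormUrlEncodedContent
                // on .NET Framework rejects very long values.
                string body = Uri.EscapeDataString(field) + "=" + new string('A', size);
                using (var content = new StringContent(body, Encoding.ASCII, "application/x-www-form-urlencoded"))
                using (HttpResponseMessage resp = await client.PostAsync(url, content))
                {
                    string text = await resp.Content.ReadAsStringAsync();
                    Console.WriteLine("{0,9} bytes -> HTTP {1} {2}, {3} bytes back: {4}",
                        size, (int)resp.StatusCode, resp.ReasonPhrase, text.Length,
                        Classify(resp.StatusCode, text));
                }
            }
        }
    }

    // Interpretation of each outcome for the write-up. The 500 branch assumes the
    // default ASP.NET error page text for an over-long request; adjust if customErrors is on.
    static string Classify(HttpStatusCode status, string body)
    {
        switch ((int)status)
        {
            case 200: return "accepted: the value was read as ordinary form data, page rendered normally";
            case 400: return "rejected by application-level validation";
            case 413: return "rejected by IIS request filtering (maxAllowedContentLength)";
            case 500:
                return body.Contains("Maximum request length exceeded")
                    ? "rejected by ASP.NET httpRuntime maxRequestLength (the error thrown past the limit)"
                    : "server error: inspect the body and the application log";
            default: return "unexpected status: inspect the body";
        }
    }
}
```

A 200 with a normally sized page, as in the captured response above (200 OK, 47646 bytes), means the server parsed the oversized field as plain form data and carried on; only the cases past the configured request limit produce the error the scanner flagged.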
0
Viktor Tachev
Telerik team
answered on 29 Sep 2015, 07:47 AM
Hi Jeff,

The ClientState hidden field is provided by the framework. Moreover, it is usually used to set settings for the controls. It contains information that is already available on the client. Thus, it does not introduce a security vulnerability. If you would like additional information on keeping the state of the controls, you would find the following article interesting.


As for the limit of the request size, you can specify it in the web.config file as described here. As seen in the screenshot you have provided when the limit is reached the server rejects the request and an error is thrown.

Regards,
Viktor Tachev
Telerik
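The answer above points at the request-size limit in web.config as the place to cap what a client can post. For the per-field maximum length Jeff asked for, an HTTP module can enforce it before the page or any RadControl reads the field. The code below is an added example, not Telerik's code or anything from the thread: it rejects any posted *_ClientState value over a byte budget with HTTP 400. The 16 KB budget, the 4 MB request caps and the module type name are assumptions; size the budget from the largest legitimate ClientState your own pages emit.

```csharp
// Added example: reject oversized *_ClientState form fields at the ASP.NET pipeline level.
// Targets ASP.NET 4.5+ (Request.Unvalidated); on 4.0 use req.Form, which also runs request validation.
using System;
using System.Collections.Specialized;
using System.Web;

public class ClientStateLengthModule : IHttpModule
{
    // Assumed budget. The legitimate sample in the thread is about 120 characters,
    // so 16 KB leaves a wide margin for large grids and trees.
    public const int MaxClientStateLength = 16 * 1024;

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;

        // Only postbacks carry ClientState; leave GET requests alone.
        if (!string.Equals(req.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return;

        // Reading the form here still honours httpRuntime maxRequestLength: a body past
        // that limit throws "Maximum request length exceeded" before we see any field.
        string offending = FindOversizedClientState(req.Unvalidated.Form, MaxClientStateLength);
        if (offending == null)
            return;

        ctx.Response.Clear();
        ctx.Response.StatusCode = 400;
        ctx.Response.StatusDescription = "Bad Request";
        ctx.Response.ContentType = "text/plain";
        ctx.Response.Write("Rejected: a ClientState field exceeds the allowed length.");
        // Short-circuit the pipeline so the page (and its controls) never run.
        ctx.ApplicationInstance.CompleteRequest();
    }

    // Returns the name of the first *_ClientState field longer than maxLen, or null.
    public static string FindOversizedClientState(NameValueCollection form, int maxLen)
    {
        foreach (string key in form.AllKeys)
        {
            if (key == null || !key.EndsWith("_ClientState", StringComparison.Ordinal))
                continue;
            string value = form[key];
            if (value != null && value.Length > maxLen)
                return key;
        }
        return null;
    }

    public void Dispose() { }
}

/* Register the module and cap the whole request in web.config (values are assumptions).
   Use "Namespace.ClientStateLengthModule, AssemblyName" for a compiled assembly;
   the bare class name works for App_Code.

   <system.web>
     <httpRuntime maxRequestLength="4096" />   <!-- KB; ASP.NET throws past this -->
   </system.web>
   <system.webServer>
     <security>
       <requestFiltering>
         <requestLimits maxAllowedContentLength="4194304" />   <!-- bytes; IIS answers 413 past this -->
       </requestFiltering>
     </security>
     <modules>
       <add name="ClientStateLength" type="ClientStateLengthModule" />
     </modules>
   </system.webServer>
*/
```

The two web.config limits bound the whole body (IIS first, then ASP.NET), which is the control the answer refers to; the module adds the per-field bound so a single hidden input cannot consume the entire budget. Verify with the probe from the earlier post: sizes under the budget should still return 200, sizes over it 400, and sizes past maxAllowedContentLength 413.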