This is a migrated thread and some comments may be shown as answers.

ClientState Input and Buffer Overflow

3 Answers 242 Views
General Discussions
This is a migrated thread and some comments may be shown as answers.
Jeff
Top achievements
Rank 1
Jeff asked on 21 Sep 2015, 07:26 PM

We have an application that uses RadGrid and one of our clients recently performed a penetration test on our application and identified the hidden input _ClientState as a vulnerability because they were able to trigger a buffer overflow error.

Here is the relevant code from the test where ClientState=AAA repeats ...

ctl00_ctl00_MainContent_MainContent_MyRequestGrid1_MyRequestCustomRadGrid_ClientState=AAAAAAAAAAAAAAAAAAAAAAAA 

Is there a way to prevent this from happening? Perhaps some way to set the max length for this hidden input or some other technique that we can utilize to mitigate this vulnerability?

We are using Telerik RadControls for ASP.NET Ajax.

For reference, there is another thread related to this topic (i.e., ClientState hidden field) where my colleague posted a similar question but received no response - http://www.telerik.com/forums/what-is-clientstate-input-hidden-for

3 Answers, 1 is accepted

Sort by
0
Viktor Tachev
Telerik team
answered on 24 Sep 2015, 01:26 PM
Hello Jeff,

As explained in the article you are referring to the controls are tested for possible issues. Currently we are not aware of such security vulnerability.

Could you provide additional information on the problem? Also, elaborate in more detail on how it could be reproduced. Please try to reproduce the issue in one of the online examples linked below and provide the steps for replicating the issue.



Regards,
Viktor Tachev
Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
0
Jeff
Top achievements
Rank 1
answered on 24 Sep 2015, 02:44 PM

Hi Victor,

Thanks for the reply. I attached a documents for you to review, but here is an overview of how we exploited the hidden Telerik fields.

We are using FireFox-HttpRequester to send a post request using the hidden HTML input. Most Telerik controls add a “_Clienstate” hidden field along with other content.

The input below doesn’t have a maxLength set, so it's possible to provide a very large input. If you use the Inspect Element tool on the browser, you will see many hidden Telerik fields.

<input id="ctl00_SideBar_LeftNavigation_CategoryControls_ClientState" name="ctl00_SideBar_LeftNavigation_CategoryControls_ClientState" type="hidden" autocomplete="off" value="{"expandedNodes":[],"collapsedNodes":[],"logEntries":[],"selectedNodes":[],"checkedNodes":[],"scrollPosition":0}">

I attached a screen shot demonstrating how we passed values to the hidden input to trigger a buffer overflow using the HTTP Requester Tool.

Those hidden fields should have some kind of validation to validate against max length or strip out extra characters before it sends a request to server. 

ctl00_SideBar_DemoSearch1_SearchBox_ClientState: AAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Content-Type: application/json
 
 -- response --
200 OK
Cache-Control:  private
Content-Type:  text/html; charset=utf-8
Content-Encoding:  gzip
Server:  Microsoft-IIS/7.5
X-Powered-By:  UrlRewriter.NET 2.0.0, ASP.NET
X-AspNet-Version:  4.0.30319
Date:  Thu, 24 Sep 2015 13:46:13 GMT
Content-Length:  47646

0
Viktor Tachev
Telerik team
answered on 29 Sep 2015, 07:47 AM
Hi Jeff,

The ClientState hidden field is provided by the framework. Moreover, it is usually used to set settings for the controls. It contains information that is already available on the client. Thus, it does not introduce a security vulnerability. If you would like additional information on keeping the state of the controls you would find the following article interesting.


As for the limit of the request size, you can specify it in the web.config file as described here. As seen in the screenshot you have provided when the limit is reached the server rejects the request and an error is thrown.

Regards,
Viktor Tachev
Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
Tags
General Discussions
Asked by
Jeff
Top achievements
Rank 1
Answers by
Viktor Tachev
Telerik team
Jeff
Top achievements
Rank 1
Share this question
or