Cross Site Scripting Flaw

4 posts, 0 answers
  1. RAKESH KHATRI
    RAKESH KHATRI avatar
    7 posts
    Member since:
    Jun 2007

    Posted 22 Jan 2010 Link to this post

    I recently had our application scanned by Veracode and every Telerik control used had an XSS flaw where script could be injected in the ClientState of all controls and successfully executed after the control rendered. Am I missing some property to scrub the ClientState or is this a true flaw? Please advise.

    Example:
    Injected "><script>alert(String.fromCharCode(104,78,108,53,56,82,111,83))</script>  into RadMultiPage1_ClientState and got an alert.
    Expected that the injected script would be removed.
  2. Dimitar Milushev
    Admin
    Dimitar Milushev avatar
    555 posts

    Posted 25 Jan 2010 Link to this post

    Hello,

    Injecting the given value in the RadMultiPage1_ClientState results in a server-side error "System.ArgumentException: Invalid JSON primitive" and the resulting page does not contain the injected script. Can you please verify that you are using the latest version of RadControls for ASP.NET AJAX?

    Kind regards,
    Dimitar Milushev
    the Telerik team

  3. Jay
    Jay avatar
    89 posts
    Member since:
    Nov 2007

    Posted 05 Dec 2016 Link to this post

    I am having a similar XSS flaw reported by a scanning tool when a RadTextBox is used in a RadAjaxPanel. Basically, if you alter the ctl00_InputName1_InputName1_ClientState (for example) to invalid JSON using javascript (for example) and then do a doPostBack, the server responds with something like this HTML:

    61|error|500|Invalid JSON primitive:THE STUFF THAT CAUSED THE JSON ERROR

    The problem is that the Telerik code on the server is simply echoing the "bad JSON" string back in the HTML (you can see this in Fiddler). This could be script content or other injected content. When the Telerik code on the server notices the JSON parsing error on the _ClientState objects, it should encode or strip the bad characters when it echoes it back to the client. Otherwise pages using RadTextBox can be attacked by exploiting the un-encoded response.

     

     

    61|error|500|Invalid JSON primitive: }b4slm<script>alert(1)</script>tw5fo.|
     
    61|error|500|Invalid JSON primitive: }b4slm<script>alert(1)</script
    61|error|500|Invalid JSON primitive: }b4slm<script>alert(1)</script
    61|error|500|Invalid JSON primitive: }b4slm<script>alert(1)</script
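The reflection Jay describes can be modelled outside ASP.NET to make the fix concrete. The following Python is an added example, not Telerik code and not code from any poster: it parses a ClientState value, builds a partial-postback error frame in the `len|type|id|content|` shape quoted above, and shows the unencoded echo beside an HTML-encoded one, plus a small check that flags error frames carrying raw markup. The sample ClientState value, the function names and the frame builder are all constructed for the illustration; the real server code path is not shown on this page.

```python
import html
import json

# Constructed sample: an invalid-JSON value of the kind a scanner submits in
# a *_ClientState hidden field (same shape as the value quoted in this thread).
CONSTRUCTED_BAD_CLIENT_STATE = '}b4slm<script>alert(1)</script>tw5fo.'


def parse_client_state(raw):
    """Parse the ClientState JSON; raise ValueError with the raw value on failure."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError as exc:
        # Mirrors the "Invalid JSON primitive: <input>" message seen in the thread.
        raise ValueError("Invalid JSON primitive: " + raw) from exc


def ajax_error_frame(message, status=500):
    """Build one partial-postback error frame: length|error|status|content|."""
    return f"{len(message)}|error|{status}|{message}|"


def render_error_unencoded(raw):
    """Vulnerable variant: the attacker-controlled value is echoed verbatim."""
    try:
        parse_client_state(raw)
        return None
    except ValueError as exc:
        return ajax_error_frame(str(exc))


def render_error_encoded(raw):
    """Hardened variant: HTML-encode the message before it is reflected."""
    try:
        parse_client_state(raw)
        return None
    except ValueError as exc:
        return ajax_error_frame(html.escape(str(exc), quote=True))


def parse_delta_frame(response):
    """Split a len|type|id|content| frame into (type, id, content)."""
    head, frame_type, frame_id, rest = response.split("|", 3)
    length = int(head)
    content = rest[:length]
    if rest[length:length + 1] != "|":
        raise ValueError("malformed frame: length does not match content")
    return frame_type, frame_id, content


def reflects_raw_markup(response):
    """Detection check: does an error frame carry unencoded '<' or '>'?"""
    frame_type, _, content = parse_delta_frame(response)
    return frame_type == "error" and ("<" in content or ">" in content)


if __name__ == "__main__":
    for render in (render_error_unencoded, render_error_encoded):
        frame = render(CONSTRUCTED_BAD_CLIENT_STATE)
        print(render.__name__, "->", frame, "| raw markup:", reflects_raw_markup(frame))
```

The length prefix is recomputed after encoding, since the frame's declared length must match the encoded content or the client-side parser rejects the frame. Encoding at the point of reflection is the narrow fix; it does not replace validating the ClientState before any of it is stored, which is the broader point made later in the thread.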
  4. Marin Bratanov
    Admin
    Marin Bratanov avatar
    5063 posts

    Posted 06 Dec 2016 Link to this post

    Hello Jay,

    This content has not been used to retrieve data on the server or execute other server code, nor is it executed on another client, as far as I understand. The malicious user inputs some content and gets it back with a broken page but does not get any new information. I believe this can be expected, as this user attempted to break the page anyway. The developer should sanitize and validate user input in any case, so a server error before that step will not let this validation pass and such data should not be stored anyway. If it is, then the storage is done too early in the page lifecycle and I would personally consider this a flaw in the application rather than in the input control.

    If there is a way to actually exploit this scenario, I suggest you open a ticket and send us a sample that showcases this scenario, so we can review and respond appropriately.

    Regards,

    Marin Bratanov
    Telerik by Progress