This is a migrated thread and some comments may be shown as answers.

Cross Site Scripting Flaw

3 Answers 107 Views
General Discussions
RAKESH KHATRI
RAKESH KHATRI asked on 22 Jan 2010, 08:04 PM
I recently had our application scanned by Veracode and every Telerik control used had an XSS flaw where script could be injected in the ClientState of all controls and successfully executed after the control rendered. Am I missing some property to scrub the ClientState or is this a true flaw? Please advise.

Example:
Injected "><script>alert(String.fromCharCode(104,78,108,53,56,82,111,83))</script>  into RadMultiPage1_ClientState and got an alert.
Expected that the injected script would be removed.

3 Answers, 1 is accepted

Dimitar Milushev
Telerik team
answered on 25 Jan 2010, 03:25 PM
Hello,

Injecting the given value in the RadMultiPage1_ClientState results in the server-side error "System.ArgumentException: Invalid JSON primitive" and the resulting page does not contain the injected script. Can you please verify that you are using the latest version of RadControls for ASP.NET AJAX?

Kind regards,
Dimitar Milushev
the Telerik team

Jay
answered on 06 Dec 2016, 12:10 AM

I am having a similar CSS flaw reported by a scanning tool when a RadTextBox is used in a RadAjaxPanel. Basically, if you alter the ctl00_InputName1_InputName1_ClientState (for example) to invalid JSON using javascript (for example) then do a doPostBack, the server responds with something like this HTML:

61|error|500|Invalid JSON primitive:THE STUFF THAT CAUSED THE JSON ERROR

The problem is that the Telerik code on the server is simply echoing the "bad JSON" string back in the HTML (you can see this in Fiddler). This could contain script content or other injected content. When the Telerik code on the server notices the JSON parsing error on the _ClientState objects, it should encode or strip the bad characters when it echoes it back to the client. Otherwise pages using RadTextBox can be attacked exploiting the un-encoded response.

61|error|500|Invalid JSON primitive: }b4slm<script>alert(1)</script>tw5fo.|
Marin Bratanov
Telerik team
answered on 06 Dec 2016, 02:14 PM

Hello Jay,

This content has not been used to retrieve data on the server or execute other server code, nor is it executed on another client, as far as I understand. The malicious user inputs some content and gets it back with a broken page but does not get any new information. I believe this can be expected, as this user attempted to break the page anyway. The developer should sanitize and validate user input in any case, so a server error before that step will not let this validation pass and such data should not be stored anyway. If it is, then the storage is done too early in the page lifecycle and I would personally consider this a flaw in the application rather than in the input control.

If there is a way to actually exploit this scenario, I suggest you open a ticket and send us a sample that showcases this scenario, so we can review and respond appropriately.

Regards,

Marin Bratanov
Telerik by Progress
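Jay's observation above, that the raw "Invalid JSON primitive" message (including the request value that failed to parse) is echoed into the partial-postback error response, is something the page author can intercept on their own side regardless of what the control does. The following is an added example, not code from this thread or from Telerik: an ASP.NET Web Forms code-behind that handles the ScriptManager AsyncPostBackError event and replaces the exception text with a fixed, generic message, so the `error|500|...` response never carries reflected request content. It assumes a hypothetical page class and a ScriptManager named ScriptManager1 (a RadScriptManager, which derives from ScriptManager, exposes the same event); the logging call is a placeholder.

```csharp
using System;
using System.Web.UI;

// Hypothetical page class; control and page names are placeholders, not from the thread.
public partial class ExamplePage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Handle exceptions raised during async (AJAX) postbacks ourselves.
        ScriptManager1.AsyncPostBackError += ScriptManager1_AsyncPostBackError;

        // Keep the error in the partial-postback channel instead of redirecting
        // to a customErrors page, so the handler below decides what the client sees.
        ScriptManager1.AllowCustomErrorsRedirect = false;
    }

    protected void ScriptManager1_AsyncPostBackError(object sender, AsyncPostBackErrorEventArgs e)
    {
        // e.Exception.Message can contain the attacker-controlled request value
        // (e.g. a tampered *_ClientState field that failed JSON parsing).
        // Never send that text back; return a constant message instead.
        ScriptManager1.AsyncPostBackErrorMessage = "The request could not be processed.";

        // Record the real exception server-side for investigation.
        // Placeholder call; substitute the application's own logger.
        // Logger.Error(e.Exception);
    }
}
```

With this in place the client still receives an error (the page "breaks" exactly as Marin describes), but the body of the error is a constant chosen by the page, so an endRequest handler that writes the message into the DOM cannot be turned into a reflection point. The client-side endRequest handler should still treat the message as text (for example via `textContent`) rather than HTML.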