Hi,
During a penetration test of our application, a critical issue was identified. This issue is related to the RadScriptManager that is used in some pages. RadScriptManager uses a HIDDENFIELD to do all its Ajax callbacks, which has been identified as a potential Cross Site Scripting issue.
Can someone suggest how we can overcome this issue?
Here is the sample
Attack Request: POST /Test/Pages/SelectSSRSReports.aspx HTTP/1.1
Accept: */*
Accept-Language: en-gb
Referer: https://yahooi.co.uk/Test/Pages/SelectSSRSReports.aspx
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: yahooi
Content-Length: 84361
Pragma: no-cache
Memo: 16:Auditor.SendAsyncronousRequest:Attack(CID:(null):AS:2,EID:1354e211-9d7d-4cc1-80e6-4de3fd128002,ST:AuditAttack,AT:PostSubParamInjection,APD:ctl00_ContentPlaceHolder1_SelectSSRSReportsUC_RadScriptManager1_HiddenField,I:(1,2),R:False,SM:2,SID:6D5FE98086FFBD5B9C4EAC6B578D3355,PSID:805159012103CD6481F73713588F96DC)
Connection: Keep-Alive
Cookie: ASP.NET_SessionId=hv3lku55kgc3xrr2dwuhhovm;CustomCookie=cookie46767ZX6C1A0EE8F4EC44189A5FD7BEA43E8944YC48D;ASPSESSIONIDSQDTCBCS=AINPNDJDBBHAHLAPMDIOHALB
ctl00$ContentPlaceHolder1$SelectSSRSReportsUC$RadScriptManager1=ctl00$ContentPlaceHolder1
$SelectSSRSReportsUC$ctl00$ContentPlaceHolder1$SelectSSRSReportsUC$treReportsPanel|ctl00
$ContentPlaceHolder1
$SelectSSRSReportsUC$treReports&ctl00_ContentPlaceHolder1_SelectSSRSReportsUC_RadScriptManag
er1_HiddenField=%3b%3bSystem.Web.Extensions%2c%20Version%3d1.0.61025.0%2c%20Culture%
3dneutral%3csCrIpT%3ealert(46781)%3c%2fsCrIpT%3e%2c%20PublicKeyToken%
3d31bf3856ad364e35%3aen-US%3a1f0f78f9-0731-4ae9-b308-56936732ccb8%3aea597d4b%
3ab25378d2%3bTelerik.Web.UI%2c%20Version%3d2009.1.402.20%2c%20Culture%3dneutral%2c%
20PublicKeyToken%3d121fae78165ba3d4%3aen-US%3ab30853f2-6f9f-496e-85c8-cca8f7f2e17c%
3a16e4e7cd%3a86526ba7%3af7645509%3a24ee1bba%3ae330518b%3a1e771326%3ac8618e41%
3aed16cbdc%3ae524c98b%3a58366029%3aaa288e2d%3ae4f8f289&__EVENTTARGET=ctl00%
24ContentPlaceHolder1%24SelectSSRSReportsUC%24treReports&__EVENTARGUMENT=%7b%
22sourceNodesIndices%22%3a%5b%220%3a0%3a0%22%5d%2c%22commandName%22%3a%
22NodeDropOnHtmlElement%22%2c%22htmlElementId%22%3a%
22ctl00_ContentPlaceHolder1_SelectSSRSReportsUC_txtTabularReportURL%22%7d&__VIEWSTATE=%
2FwEPDwUKMTk3MzYyNTQ2NQ9kFgJmD2QWAgIDD2QWBgIBDw8WAh4XRW5hYmxlQWpheFNraW5SZ
W5kZXJpbmdoZGQCAw9kFgICAQ8UKwACFCsAAg8WCh4JQmFja0NvbG9yCTMAmf8eBEZsb3cLKXBUZWx
lcmlrLldlYi5VSS5JdGVtRmxvdywgVGVsZXJpay5XZWIuVUksIFZlcnNpb249MjAwOS4xLjQwMi4yMCwgQ3Vs
dHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0xMjFmYWU3ODE2NWJhM2Q0AR4JRm9udF9TaXplKCoi
U3lzdGVtLldlYi5VSS5XZWJDb250cm9scy5Gb250VW5pdAVTbWFsbB8AaB4EXyFTQgKICBYCHgVzdHlsZQU
ZYmFja2dyb3VuZC1jb2xvcjojOTkwMDMzOxAWBmYCAQICAgMCBAIFFgYUKwACDxYEHgRUZXh0BRNTRV
RVUCBDT05GSUdVUkFUSU9OHgtOYXZpZ2F0ZVVybAUafi9QYWdlcy9Db25maWd1cmVIb21lLmFzcHhkZB
QrAAIPFgQfBgUOUkVQT1JUIE1BTkFHRVIfBwUafi9QYWdlcy9SZXBvcnRNYW5hZ2VyLmFzcHhkZBQrAAIP
2BL1BhZ2VzL1ByaXZpbGVkZ2VTY3JlZW4uYXNweGRkFCsAAg8WBB8GBQ9VU0VSIE1BTkFHRU1FTlQfBw
Udfi9QYWdlcy9TZWxlY3RQcmltZVVzZXJzLmFzcHhkZBQrAAIPFgQfBgUQR1JPVVAgTUFOQUdFTUVOVB8H
BR5%
2BL1BhZ2VzL1NlbGVjdFByaW1lR3JvdXBzLmFzcHhkZBQrAAIPFgQfBgURUkVQT1JUIE1BTkFHRU1FTlQfB
wUefi9QYWdlcy9TZWxlY3RTU1JTUmVwb3J0cy5hc3B4ZGQPFgZmZmZmZmYWAQVzVGVsZXJpay5XZWIu
VUkuUmFkTWVudUl0ZW0sIFRlbGVyaWsuV2ViLlVJLCBWZXJzaW9uPTIwMDkuMS40MDIuMjAsIEN1bHR1c
mU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49MTIxZmFlNzgxNjViYTNkNGQWDGYPDxYEHwYFE1NFVFVQ
IENPTkZJR1VSQVRJT04fBwUafi9QYWdlcy9Db25maWd1cmVIb21lLmFzcHhkZAIBDw8WBB8GBQ5SRVBP
UlQgTUFOQUdFUh8HBRp%
2BL1BhZ2VzL1JlcG9ydE1hbmFnZXIuYXNweGRkAgIPDxYEHwYFClBSSVZJTEVHRVMfBwUdfi9QYWdlcy9Q
cml2aWxlZGdlU2NyZWVuLmFzcHhkZAIDDw8WBB8GBQ9VU0VSIE1BTkFHRU1FTlQfBwUdfi9QYWdlcy9TZ
WxlY3RQcmltZVVzZXJzLmFzcHhkZAIEDw8WBB8GBRBHUk9VUCBNQU5BR0VNRU5UHwcFHn4vUGFnZXM
vU2VsZWN0UHJpbWVHcm91cHMuYXNweGRkAgUPDxYEHwYFEVJFUE9SVCBNQU5BR0VNRU5UHwcFHn4
vUGFnZXMvU2VsZWN0U1NSU1JlcG9ydHMuYXNweGRkAgUPZBYCAgEPZBYIAgMPDxYCHwBoZGQCCQ8U
KwACFCsAAhQrAAIPFgIfAGhkEBYBZhYBFCsAAg8WBh8GBQ1QUklNRSBSZXBvcnRzHglBbGxvd0Ryb3BoH
glBbGxvd0RyYWdoZBAWAmYCARYCFCsAAg8WAh8GBRpOYXRpb25hbCBJbmRpY2F0b3IgUmVwb3J0c2Q
QFjpmAgECAgIDAgQCBQIGAgcCCAIJAgoCCwIMAg0CDgIPAhACEQISAhMCFAIVAhYCFwIYAhkCGgIbAhw
CHQIeAh8CIAIhAiICIwIkAiUCJgInAigCKQIqAisCLAItAi4CLwIwAjECMgIzAjQCNQI2AjcCOAI5FjoUKwACDx
YIH
Attack Response: HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 148
Content-Type: text/html; charset=utf-8
Date: Sat, 10 Oct 2009 14:56:00 GMT
133|error|500|The name 'neutral<sCrIpT>alert(46781)</sCrIpT>' contains characters that are not valid for a Culture or Region.
Parameter name: name|
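Added example for triaging this finding offline; it is my own code, not the original poster's and not Telerik's. It decodes the HiddenField value from the captured request and reports which part of the script-reference list the scanner's payload landed in, then parses the ASP.NET AJAX partial-postback ("delta") response, whose body is a run of length|type|id|content| segments, and reports whether the payload comes back unencoded and in which segment type. The request and response fragments are reconstructed inline from the capture above; the HiddenField layout (';'-separated entries of AssemblyFullName:culture:guid:hash...) is inferred from that capture, not taken from Telerik documentation.

```python
"""Offline triage of the RadScriptManager HiddenField reflection.

Added example for this thread, not the poster's or Telerik's code. The
HiddenField entry layout and the delta segment format are inferred from the
capture; the "\r\n" in the response is an assumption that makes the declared
segment length (133) and the Content-Length (148) add up.
"""
import html
import re
from urllib.parse import unquote

MARKER = "<sCrIpT>alert(46781)</sCrIpT>"  # scanner payload seen in the capture

# HiddenField value exactly as it appeared in the URL-encoded form body.
HIDDEN_FIELD_ENCODED = (
    "%3b%3bSystem.Web.Extensions%2c%20Version%3d1.0.61025.0%2c%20Culture%"
    "3dneutral%3csCrIpT%3ealert(46781)%3c%2fsCrIpT%3e%2c%20PublicKeyToken%"
    "3d31bf3856ad364e35%3aen-US%3a1f0f78f9-0731-4ae9-b308-56936732ccb8%3aea597d4b%"
    "3ab25378d2%3bTelerik.Web.UI%2c%20Version%3d2009.1.402.20%2c%20Culture%3dneutral%2c%"
    "20PublicKeyToken%3d121fae78165ba3d4%3aen-US%3ab30853f2-6f9f-496e-85c8-cca8f7f2e17c%"
    "3a16e4e7cd%3a86526ba7%3af7645509%3a24ee1bba%3ae330518b%3a1e771326%3ac8618e41%"
    "3aed16cbdc%3ae524c98b%3a58366029%3aaa288e2d%3ae4f8f289"
)

# Delta response body reconstructed from the capture (14-byte header + 133 + "|" = 148).
RESPONSE_BODY = (
    "133|error|500|The name 'neutral<sCrIpT>alert(46781)</sCrIpT>' contains characters "
    "that are not valid for a Culture or Region.\r\nParameter name: name|"
)

# One delta segment header: length|type|id| followed by `length` chars and a "|".
SEGMENT_HEADER = re.compile(r"(\d+)\|([^|]*)\|([^|]*)\|")


def parse_delta(body):
    """Split a delta body into {type, id, content} dicts; raise on a bad length."""
    segments = []
    pos = 0
    while pos < len(body):
        m = SEGMENT_HEADER.match(body, pos)
        if not m:
            raise ValueError("malformed delta header at offset %d" % pos)
        length = int(m.group(1))
        start, end = m.end(), m.end() + length
        if body[end:end + 1] != "|":
            raise ValueError("segment length %d does not match content" % length)
        segments.append({"type": m.group(2), "id": m.group(3), "content": body[start:end]})
        pos = end + 1
    return segments


def reflection_report(body, marker):
    """Return (type, id, how) for every segment that echoes the marker."""
    report = []
    for seg in parse_delta(body):
        if marker in seg["content"]:
            report.append((seg["type"], seg["id"], "raw"))
        elif html.escape(marker, quote=False) in seg["content"]:
            report.append((seg["type"], seg["id"], "html-encoded"))
    return report


def parse_script_references(encoded):
    """Decode the HiddenField and split it into script-reference entries.

    Inferred layout: entries separated by ';' (the leading ';;' gives empty
    entries, skipped); each entry is AssemblyFullName:culture:guid:hash...
    The assembly full name is the usual "Name, Version=.., Culture=.., PublicKeyToken=..".
    """
    refs = []
    for entry in unquote(encoded).split(";"):
        if not entry:
            continue
        parts = entry.split(":")
        pieces = [p.strip() for p in parts[0].split(",")]
        assembly = {"Name": pieces[0]}
        for piece in pieces[1:]:
            key, _, value = piece.partition("=")
            assembly[key] = value
        refs.append({"assembly": assembly,
                     "culture": parts[1] if len(parts) > 1 else "",
                     "resources": parts[2:]})
    return refs


def tainted_components(refs, marker):
    """Return (assembly name, field) pairs whose value carries the marker."""
    hits = []
    for ref in refs:
        for key, value in ref["assembly"].items():
            if marker in value:
                hits.append((ref["assembly"]["Name"], key))
        if marker in ref["culture"]:
            hits.append((ref["assembly"]["Name"], "culture"))
    return hits


if __name__ == "__main__":
    for name, field in tainted_components(parse_script_references(HIDDEN_FIELD_ENCODED), MARKER):
        print("payload sits in the %s component of %s" % (field, name))
    for seg_type, seg_id, how in reflection_report(RESPONSE_BODY, MARKER):
        print("reflected %s in delta segment type=%s id=%s" % (how, seg_type, seg_id))
```

Reading the output against the capture: the payload lands in the Culture component of the System.Web.Extensions reference, and the server echoes it unencoded inside an `error` segment (the "Parameter name: name" tail is the ArgumentException from the culture lookup). That confirms untrusted input reaches the response verbatim; whether it executes depends on what the client does with an `error` segment, which the ASP.NET AJAX client hands to its endRequest error path rather than writing into the page, so check any custom endRequest handler or error display that renders the message as HTML before calling this exploitable.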