Webresource.axd injection concern

2 posts, 1 answer
  1. Jeff Cuscutis
    4 posts
    Member since:
    Apr 2010

    Posted 24 Oct 2018

    As part of our company’s security test they have asked us to find out the following:

    Issue:
    Our client-exposed site is requesting the WebResource.axd file with parameters d and t as part of the web request, but when the value of the t parameter is modified as part of a penetration test it seems to come back with an OK (200) response instead of a custom error from our site.

    Question:
    Are you guys processing the t parameter as part of the GET request to WebResource.axd? If you are, what do you expect to have in that t parameter as part of your processing (e.g. t is a timestamp or t is a number)?
  2. Answer
    Marin Bratanov
    Admin
    5809 posts

    Posted 27 Oct 2018

    Hello Jeff,

    WebResource.axd is the native MS AJAX framework web resource handler, and its URL encryption, decryption and processing are done by the .NET framework. The "t" parameter is a timestamp and the "d" parameter holds information on the resource(s) that will be returned. You can read more about this on the net; for example, the following articles can be a good starting point:

    Those resources are static resources from assemblies and they are usually also available on a CDN (e.g., the MS AJAX framework scripts, or the Telerik scripts/stylesheets). This handler does not process user input and does not do database operations. With this in mind, I am not aware of any security vulnerabilities in it.

    If you want to reduce webresource handler usage, you can use the Telerik scripts CDN, the Telerik skins CDN and the MS AJAX scripts CDN. In such a case some dialogs, the binary image and file uploads will keep using the Telerik webresources, however.

    To also answer the concrete question - t is supposed to be a timestamp, yet I have not investigated the internals of the framework and I would not be surprised if it can take a range of arguments (mostly because time can often be represented with a number of ticks, which is why using a number might just work). So, if the timestamp argument is changed, but it can still be parsed, you will get the resource. My personal suspicion is that the t parameter is largely ignored.


    Regards,
    Marin Bratanov
    Progress Telerik