This is a migrated thread and some comments may be shown as answers.

Webresource.axd injection concern

1 Answer 1233 Views
General Discussions
This is a migrated thread and some comments may be shown as answers.
Jeff Cuscutis
Top achievements
Rank 1
Jeff Cuscutis asked on 24 Oct 2018, 01:47 PM
As part of our company’s security test they have asked us to find out the following:

Issue:
Our client exposed site is requesting Webresource.axd file with paramaters d and t as part of the web request but when the value of t parameter is modified as part of a penetration test it seems to comeback with an OK(200) responds instead of a custom error from our site.

Question:
Are you guys processing the t paramater as part of the GET request to Webrescource.axd? If you are, what do you expect to have in that t parameter as part of your processing (ex t is a timestamp or t is a number)?

1 Answer, 1 is accepted

Sort by
0
Accepted
Marin Bratanov
Telerik team
answered on 27 Oct 2018, 04:26 PM
Hello Jeff,

WebResource.axd is the native MS AJAX framework web resource handler and its URL encryption, decryption and processing are done by the .NET framework. The "t" parameter is a timestamp and the "d" parameter holds information on the resource(s) that will be returned. You can read more about this in the net, for example the following articles can be a good starting point:

Those resources are static resources from assemblies and they are usually also available on a CDN (e.g., the MS AJAX framework scripts, or the Telerik scripts/stylesheets). This handler does not process user input and does not do database operations. With this in mind, I am not aware of any security vulnerabilities in it.

If you want to reduce webresource handler usage, you can use the Telerik scripts CDN, the Telerik skins CDN and the MS AJAX scripts CDN. In such a case some dialogs, the binary image and file uploads will keep using the Telerik webresources, however.

To also answer the concrete question - t is supposed to be a timestamp, yet I have not investigated the internals of the framework and I would not be surprised if it can take a range of arguments (mostly because time can often be represented with a number of ticks, which is why using a number might just work). So, if the timestamp argument is changed, but it can still be parsed, you will get the resource. My personal suspicion is that the t parameter is largely ignored.


Regards,
Marin Bratanov
Progress Telerik
Get quickly onboarded and successful with your Telerik and/or Kendo UI products with the Virtual Classroom free technical training, available to all active customers. Learn More.
Tags
General Discussions
Asked by
Jeff Cuscutis
Top achievements
Rank 1
Answers by
Marin Bratanov
Telerik team
Share this question
or