Webresource.axd injection concern

WebResource.axd is the native MS AJAX framework web resource handler and its URL encryption, decryption and processing are done by the .NET framework. The "t" parameter is a timestamp and the "d" parameter holds information on the resource(s) that will be returned. You can read more about this in the net, for example the following articles can be a good starting point:

• https://stackoverflow.com/questions/13634621/how-are-parameters-for-scriptresource-axd-calls-generated
• http://bchavez.bitarmory.com/archive/2008/07/28/understanding-scriptresource-and-webresource-in-asp.net.aspx
• https://resources.infosecinstitute.com/the-asp-net-internals
• http://scottonwriting.net/sowblog/archive/2010/10/28/just-where-is-webresource-axd.aspx
• https://siderite.blogspot.com/2007/10/webresourceaxd-or-how-i-learned-to-love.html

Those resources are static resources from assemblies and they are usually also available on a CDN (e.g., the MS AJAX framework scripts, or the Telerik scripts/stylesheets). This handler does not process user input and does not do database operations. With this in mind, I am not aware of any security vulnerabilities in it.

If you want to reduce webresource handler usage, you can use the Telerik scripts CDN, the Telerik skins CDN and the MS AJAX scripts CDN. In such a case some dialogs, the binary image and file uploads will keep using the Telerik webresources, however.

To also answer the concrete question - t is supposed to be a timestamp, yet I have not investigated the internals of the framework and I would not be surprised if it can take a range of arguments (mostly because time can often be represented with a number of ticks, which is why using a number might just work). So, if the timestamp argument is changed, but it can still be parsed, you will get the resource. My personal suspicion is that the t parameter is largely ignored.