By the Website Vulnerability Numbers: .Net XSS Request Validation Bypass

There are a million variations of Cross-Site Scripting (XSS), some more interesting than others. Back in August 2012, a post from Quotium entitled “.Net Cross Site Scripting – Request Validation Bypassing” caught our eye. The filter-bypass technique they described looked extremely trivial: only a single % character was necessary, but it worked all the same.

“This is caused by the fact that although <tag> is restricted by the Request Validation filter, <%tag> is not restricted but parsed by Internet Explorer browsers as a valid tag.”

http://www.vulnerablesite.com/login.aspx?param=<%tag style="xss:expression(alert(123))" >

The other notable point was that for some reason, which may be entirely reasonable, Microsoft opted to NOT address the issue. .Net developers are advised that they must provide adequate defense on their own.

At WhiteHat Security, a big part of our job is helping them do exactly that. Our research team added checks to WhiteHat Sentinel to identify this XSS variant. In the months since, we scanned 10,000+ websites and waited to see if anything turned up. So far, we’ve identified exactly 20 websites that are vulnerable to this specific issue. Not a huge number in terms of percentage of websites, but there it is.
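The sketch below is an added example, not code from the original post, Quotium, Microsoft, or WhiteHat Sentinel. It models the filter gap described above with a simplified rule (an assumption, as are all function names), flags request parameters that carry the `<%tag` pattern, and shows that HTML-encoding the value on output neutralizes it regardless of what the filter let through.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Simplified stand-in for the filter behaviour the post describes (an
# assumption, not Microsoft's code): "<" directly followed by a letter,
# "!", "/" or "?" is rejected, and so is "&#".
FILTER_MODEL = re.compile(r"<[A-Za-z!/?]|&#")
# The gap from the post: "<%" followed by a tag name passes the model above.
PERCENT_TAG = re.compile(r"<%[A-Za-z]")


def filter_model_blocks(value):
    """True if the simplified request-validation model would reject value."""
    return bool(FILTER_MODEL.search(value))


def find_percent_tag_params(url):
    """Names of query parameters whose URL-decoded value contains <%tag."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, value in pairs if PERCENT_TAG.search(value)]


def render_param(value):
    """HTML-encode on output, so the value is inert text in the page."""
    return html.escape(value, quote=True)


# Constructed sample requests; the second is the URL quoted in the post.
SAMPLE_URLS = [
    "http://www.vulnerablesite.com/login.aspx?param=<tag>",
    'http://www.vulnerablesite.com/login.aspx?param='
    '<%tag style="xss:expression(alert(123))" >',
    "http://www.vulnerablesite.com/login.aspx?param=%3C%25tag%20x%3D1%3E",
    "http://www.vulnerablesite.com/login.aspx?param=50%25+off",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        for name, value in parse_qsl(urlsplit(url).query):
            print(f"{name}: filter_blocks={filter_model_blocks(value)} "
                  f"percent_tag={bool(PERCENT_TAG.search(value))} "
                  f"encoded={render_param(value)}")
```

In an ASP.NET application the output-encoding step corresponds to calling `HttpUtility.HtmlEncode` (or `WebUtility.HtmlEncode`) wherever request data is written into HTML.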



About Jeremiah Grossman

Jeremiah Grossman is the Founder and interim CEO of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Over the last decade, Jeremiah has written dozens of articles and white papers and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world. As a well-known security expert and industry veteran, Jeremiah has been a guest speaker on six continents at hundreds of events including TED, BlackHat Briefings, RSA, SANS, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, and UCLA. Jeremiah is also a co-founder of the Web Application Security Consortium (WASC) and was previously named one of InfoWorld's Top 25 CTOs. He serves on the advisory board of two hot start-ups, Risk I/O and SD Elements, and is a Brazilian Jiu-Jitsu Black Belt. Before founding WhiteHat, he was an information security officer at Yahoo! Jeremiah can be found on Twitter @jeremiahg.