Request.PathInfo issues and XSS attacks

旧街凉风 submitted on 2020-06-27 12:16:48

Question


I have a couple of websites running on .NET 3.5 still due to an API restriction. We will eventually move these sites to the latest .NET version this year. One of the penetration tests indicated a possible XSS vulnerability. The URL in question is:

Location: http://www.foobar.com/basket.aspx/scripts/searchresults.aspx

Method: GET

Vulnerable Parameter: name of an arbitrarily supplied URL parameter

Basically, anything after basket.aspx like scripts/searchresults.aspx will cause the issue. From what I can determine, Request.PathInfo will try to find the path and eventually reach searchresults.aspx (if the .aspx page exists) but all my CSS and scripts can't be found due to relative paths. The page essentially breaks. It's unclear how this could cause an XSS vulnerability. Nevertheless, it does break the page.

My question: Is Request.PathInfo needed? In my preliminary tests, if I check Request.PathInfo, I can determine that it may be a bad URL request:

FooBar.Global pageObj = obj;

if (obj.Request.PathInfo.Length > 0)
{
   Response.Redirect("~/sitemap.aspx", true); // bad url send to site map
}

Answer 1:


Is Request.PathInfo needed?

PathInfo isn't required by ASP.NET WebForms. It can be helpful for search engine optimization, but if you don't use it, go ahead and disable it. You can add your code snippet, or you can install UrlScan and set the AllowDotInPath option to 0.

How could this cause an XSS vulnerability?

Your page may be vulnerable to a Relative Path Overwrite (RPO) attack if all these criteria are met:

  1. An attacker can inject content (for example, a blog comment) somewhere into the page.
  2. Your page references a CSS stylesheet via a relative path.
  3. PathInfo is enabled.

By appending PathInfo to the URL, an attacker can cause your page to load itself as the stylesheet because ASP.NET resolves Page.aspx/Master.css to just Page.aspx, not to Master.css. Due to the lax (by design) parsing rules for CSS, the attacker's content may be interpreted as valid CSS, which is especially bad for old versions of Internet Explorer that allow JavaScript in CSS. Even in modern browsers, a malicious stylesheet can inject content that misleads other users.

I want to use PathInfo. How can I mitigate this vulnerability?

Use absolute paths to reference all CSS stylesheets. For example, you can call the ResolveUrl method with an app-relative path (a virtual path starting with ~/):

<link href='<%= this.ResolveUrl("~/App_Themes/MySite/Master.css") %>' rel="stylesheet" type="text/css" />

Caution: Don't use the ResolveClientUrl method because it returns a relative path.
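
The path resolution described in this answer, as an added JavaScript example that is not part of the original answer: it resolves stylesheet hrefs against the URL from the question with the standard URL API and flags those the page itself would end up serving. The function names, the simplified PathInfo model (everything after the first .aspx segment) and the root-absolute form of the ResolveUrl output are assumptions made for illustration.

```javascript
// Added example. Simplified model (assumption, following the answer's
// description): the server hands everything after the first ".aspx"
// path segment to that page as PathInfo.
function splitPathInfo(pathname) {
  const segments = pathname.split("/");
  const idx = segments.findIndex((s) => s.toLowerCase().endsWith(".aspx"));
  if (idx === -1) return { handler: pathname, pathInfo: "" };
  const rest = segments.slice(idx + 1).join("/");
  return {
    handler: segments.slice(0, idx + 1).join("/"),
    pathInfo: rest ? "/" + rest : "",
  };
}

// Resolve each href the way a browser would, then report whether the
// request lands back on the page that emitted the <link> tag.
function auditStylesheetHrefs(pageUrl, hrefs) {
  const base = new URL(pageUrl);
  const page = splitPathInfo(base.pathname);
  return hrefs.map((href) => {
    const resolved = new URL(href, base);
    const target = splitPathInfo(resolved.pathname);
    return {
      href,
      resolved: resolved.href,
      servedByPage:
        resolved.origin === base.origin && target.handler === page.handler,
    };
  });
}

// URL taken from the question; href values are constructed samples.
const PAGE = "http://www.foobar.com/basket.aspx/scripts/searchresults.aspx";
const RELATIVE_HREF = "App_Themes/MySite/Master.css"; // document-relative
const ABSOLUTE_HREF = "/App_Themes/MySite/Master.css"; // assumed ResolveUrl("~/...") output, app at site root

for (const r of auditStylesheetHrefs(PAGE, [RELATIVE_HREF, ABSOLUTE_HREF])) {
  console.log(r.servedByPage ? "FLAG" : "ok  ", r.href, "->", r.resolved);
}
```

A flagged href means the stylesheet request returns the page's own HTML, which is criterion 2 and 3 of the list above occurring together.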




Answer 2:


It sounds to me like the pentester noticed that if they supplied a URL like:

http://www.foobar.com/basket.aspx/scripts/searchresults.aspx?foo=bar

the resulting page would have foo=bar somewhere in there. This would be vulnerable to XSS unless proper escaping was used, since someone could submit JavaScript as part of that value.



Source: https://stackoverflow.com/questions/42211237/request-pathinfo-issues-and-xss-attacks
