0

Can anyone point me in the right direction with the following question?

The default "Dangerous Request" validation in ASP.NET prohibits inputs like

"<p", "<p>" or "<script>"

but at the same time allows inputs like

"<%script>" or "<.script>"

What is the rationale here?

lekso
  • 1,731
  • 3
  • 24
  • 46

1 Answer

2

<p, <p> or <script>

These look like HTML/XML tags.

<%script> or <.script>

but these do not.

And the validation is trying to stop cross site scripting, eg. submitting a field containing:

<script>alert("You're powned!")</script>

(except truly malicious) and when you just write that text back to the user without being careful to encode correctly the user has just injected code into your website.

Richard
  • 106,783
  • 21
  • 203
  • 265
  • Thanks Richard, I am kinda more asking a question why is "

    – lekso Aug 11 '15 at 12:40
  • 1
    @lekso Because your browser does not consider `<%script` to start a script element (unless it is *very* broken): for a start `%` is not a valid character in an element name. – Richard Aug 11 '15 at 12:43
  • I'll give a reason for asking: we have this being flagged as a penetration testing issue. I'm trying to assess the risks – lekso Aug 11 '15 at 12:44
  • 1
    @lekso In that case ask the pen testers how `<%script>` is exploitable. – Richard Aug 11 '15 at 13:04
  • We asked. He said that he didn't find the way to exploit it, but this can be a vulnerability for future attacks – lekso Aug 11 '15 at 13:16
  • 1
    @lekso On that logic everything that isn't precisely valid data "could be a vulnerability for future attacks": you can either use the tools provided or write your own. Perhaps time to escalate this as (1) it is not currently a vulnerability, (2) it will cost $$$ to block something that may never be a threat. Security is always a compromise between usability, cost and risk. – Richard Aug 11 '15 at 13:40
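An added example, not part of the question or answer above: a Python re-implementation, from memory and therefore an assumption rather than the framework's own code, of the heuristic behind ASP.NET's "potentially dangerous Request" check (flag `<` followed by an ASCII letter, `!`, `/` or `?`, and `&` followed by `#`), beside output encoding, which is the control that actually neutralises the injected script. It reproduces the page's cases: `<p`, `<p>` and `<script>` are flagged, `<%script>` and `<.script>` are not, because neither the validator nor a browser's tokenizer treats `%` or `.` as the start of a tag name.

```python
"""Request-validation heuristic vs. output encoding (illustrative re-implementation)."""
import html

# After '<', these characters make an HTML tokenizer open a tag, end tag,
# comment/DOCTYPE or bogus comment. Any other follower ('%', '.', ' ', ...)
# leaves the '<' as ordinary text, which is why "<%script>" is not tag-like.
TAG_OPEN_FOLLOWERS = "!/?"


def is_dangerous_string(s: str) -> bool:
    """Approximation (assumption, from memory) of ASP.NET's request-validation
    check: '<' followed by an ASCII letter, '!', '/' or '?', or '&' followed
    by '#', is treated as potentially dangerous. A trailing lone '<' is not."""
    for i, ch in enumerate(s[:-1]):
        nxt = s[i + 1]
        if ch == "<" and ((nxt.isascii() and nxt.isalpha()) or nxt in TAG_OPEN_FOLLOWERS):
            return True
        if ch == "&" and nxt == "#":
            return True
    return False


def render_untrusted(value: str) -> str:
    """The real defence: HTML-encode untrusted data at the point of output,
    so even a value that passed (or bypassed) request validation cannot
    introduce markup into the page."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed inputs taken from the discussion above.
    for sample in ["<p", "<p>", "<script>", "<%script>", "<.script>",
                   '<script>alert("You\'re powned!")</script>']:
        flag = "blocked" if is_dangerous_string(sample) else "allowed"
        print(f"{sample!r:45} -> {flag}; encoded: {render_untrusted(sample)}")
```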