Re: Cross Site Scripting & Custom Error Pages
From: Peter Blum (PLBlum_at_Blum.info)
Date: 12/22/04
- In reply to: Neil: "Cross Site Scripting & Custom Error Pages"
Date: Wed, 22 Dec 2004 12:57:48 -0500
It's good to see someone actually paying attention to this common hacking
technique. Microsoft promoted the heck out of the issue last year and as
this message board indicates, it fell on deaf ears.
I didn't understand what you meant here. How exactly are you appending the
script and where is it directed?
> However if after being redirected to the
> custom error page I append script to the query string this is not removed and
> I'm presented with the default page telling me to create a custom error page,
> I guess you can't have a custom error page for a custom error page
You are correct that you cannot have a custom error page for a custom error
page.
You can turn off the validationRequest property on the custom error page so
it never looks at the incoming script (because it's harmless to that page).
<%@ Page ValidateRequest="false" %>
FYI: I built "Visual Input Security", a tool for ASP.NET developers to
install protection against XSS, SQL injection and other input attacks using
best practice techniques. It includes a report that audits your pages for
holes, a logging feature, and validators that block attacks better and on a
field-by-field basis. http://www.peterblum.com/vise/home.aspx.
--- Peter Blum
www.PeterBlum.com
Email: PLBlum@PeterBlum.com
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx
"Neil" <Neil@discussions.microsoft.com> wrote in message
news:CC58FDCF-EB5C-4F91-89AA-9317B8CE0DFE@microsoft.com...
> Hi,
>
> I have been investigating CSS vulnerabilities within my application and have
> a question. If I added malicious script tags to the Url these are
> automatically removed from all pages of my application and the user is
> redirected to my custom error page. This is all taken care of by the .Net
> Runtime and works as expected. However if after being redirected to the
> custom error page I append script to the query string this is not removed and
> I'm presented with the default page telling me to create a custom error page,
> I guess you can't have a custom error page for a custom error page... My
> question is should I be concerned about this? Should the script tags not be
> removed?
>
> Thanks
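
An added example, not part of the original thread or of any product mentioned in it: with request validation switched off, the error page stays harmless only as long as it never writes query-string text into its output unencoded. The code-behind below assumes a hypothetical Error.aspx containing a Literal control named FailedPath, and that the customErrors redirect carries the failing path in ASP.NET's aspxerrorpath query-string parameter.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a hypothetical Error.aspx whose directive is
// <%@ Page ValidateRequest="false" Inherits="ErrorPage" %>
public class ErrorPage : Page
{
    // Assumed control in the markup: <asp:Literal id="FailedPath" runat="server" />
    protected Literal FailedPath;

    private const string Unknown = "(unknown page)";

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // Only this one parameter is ever read; everything else in the
        // query string is ignored and never reaches the response.
        string raw = Request.QueryString["aspxerrorpath"];

        // Allowlist first, then encode on output. Literal.Text is written
        // to the response as-is, so the encoding step is not optional.
        FailedPath.Text = HttpUtility.HtmlEncode(SafeLocalPath(raw));
    }

    // Accepts only a short, site-relative path built from a small character
    // set; anything else is replaced by a fixed placeholder.
    internal static string SafeLocalPath(string raw)
    {
        if (raw == null || raw.Length == 0 || raw.Length > 200) return Unknown;
        if (raw[0] != '/') return Unknown;                   // must be site-relative
        if (raw.Length > 1 && raw[1] == '/') return Unknown; // no "//host" forms

        foreach (char c in raw)
        {
            bool allowed = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                           (c >= '0' && c <= '9') || "/._-~".IndexOf(c) >= 0;
            if (!allowed) return Unknown; // markup and quote characters land here
        }
        return raw;
    }
}
```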