Checking if .NET’s HtmlAnchor Href property is vulnerable to XSS
I was reviewing an app’s code and it looked like there was an XSS injection vector into .NET’s built-in HtmlAnchor Href property.
To make sure this happened, I quickly wrote the following script which allowed me to confirm that YES that property is vulnerable to XSS:
    var stringWriter = new System.IO.StringWriter();
    var htmlTextWriter = new HtmlTextWriter(stringWriter);
    var htmlAnchor = new System.Web.UI.HtmlControls.HtmlAnchor();
    htmlAnchor.Title = "title";
    htmlAnchor.HRef = "sadfasdf'<>\">aaa";
    htmlAnchor.RenderControl(htmlTextWriter);
    //htmlAnchor.details();
    return stringWriter.str();

    //using System.Web.UI;
On the screenshot below you can see that none of the chars were encoded:
The ‘Output’ window shows the value assigned to htmlAnchor.HRef (the payload "sadfasdf'<>\">aaa") rendered without any encoding.
To really test this, let's try it on a web page.
This next script will put the payload on an IE object:
    var topPanel = panel.clear().add_Panel();
    var ie = topPanel.add_IE().silent(true);

    var stringWriter = new System.IO.StringWriter();
    var htmlTextWriter = new HtmlTextWriter(stringWriter);
    var htmlAnchor = new System.Web.UI.HtmlControls.HtmlAnchor();
    htmlAnchor.Title = "title";
    htmlAnchor.HRef = "http://www.google.com'<>\">aaa";
    htmlAnchor.RenderControl(htmlTextWriter);

    ie.open("about:blank");
    var html = "<html><body><h1>XSS on HtmlAnchor Href tag</h1>" +
               "before anchor<br/>" +
               stringWriter.str() +
               "<br/>after anchor</body></html>";
    ie.html(html);

    //using System.Web.UI;
    //using O2.XRules.Database.Utils.O2
    //O2File:WatiN_IE_ExtensionMethods.cs
    //O2Ref:WatiN.Core.1x.dll
    //O2Ref:Microsoft.mshtml.dll
which looks like this:
Note how the payload in the HTML anchor breaks the HTML element and is shown on the page.
To really check if this is a problem, let's try this on a real ASP.NET page.
For that, open the Util – Aspx PoC Builder.h2 script, which you can find here:
… and looks like this when opened:
This control will fire up a local web server on the directory specified on the left and give us a quick way to write ASP.NET PoCs.
For this example, let's create a file called AnchorTag.aspx in an ASP.NET Controls folder
… and use the content from http://www.w3schools.com/aspnet/showasp.asp?filename=demo_htmlanchor with a small modification: on line 4, add ?value=" + Request("payload") to the HRef value (so that we can supply a payload via the QueryString or a POST request):
    link1.HRef="http://www.w3schools.com/?value=" + Request("payload")
This is what it looks like when executed:
We can now add a variable called payload to the QueryString:
… which, if it contains a " and a >, will break the HTML anchor element.
Since inside an HTML attribute a " (and an =) is all we need to inject an XSS payload, we can pop up an alert using " onmouseover="alert(12)
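One way to close this vector and confirm the fix with the same render test used above. This is an added example, not code from the original post; it assumes a .NET Framework console project that references System.Web, and the names AnchorHrefCheck, BuildHref, Render and MarkupIntact are hypothetical.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Web.UI;
using System.Web.UI.HtmlControls;

public static class AnchorHrefCheck
{
    const string BaseUrl = "http://www.w3schools.com/?value=";

    // Hypothetical helper (not in the post): percent-encode the untrusted value
    // as a URL component so ", <, > and spaces become %22, %3C, %3E and %20.
    public static string BuildHref(string payload)
    {
        return BaseUrl + Uri.EscapeDataString(payload ?? "");
    }

    // Same rendering path as the post's test script.
    public static string Render(string href)
    {
        var stringWriter = new StringWriter();
        var anchor = new HtmlAnchor { Title = "title", HRef = href };
        anchor.RenderControl(new HtmlTextWriter(stringWriter));
        return stringWriter.ToString();
    }

    // Markup is intact when it has exactly as many quotes and angle brackets
    // as the same anchor rendered with a harmless value.
    public static bool MarkupIntact(string rendered)
    {
        string baseline = Render(BaseUrl + "x");
        return "\"<>".All(c => rendered.Count(ch => ch == c) == baseline.Count(ch => ch == c));
    }

    public static void Main()
    {
        // Payloads quoted in the post.
        string[] payloads = { "sadfasdf'<>\">aaa", "\" onmouseover=\"alert(12)", "aaaa\"> <h1>XSS</h1>" };
        foreach (string p in payloads)
        {
            Console.WriteLine("raw intact:     " + MarkupIntact(Render(BaseUrl + p)));
            Console.WriteLine("encoded intact: " + MarkupIntact(Render(BuildHref(p))));
        }
    }
}
```

The MarkupIntact comparison works as a regression check for any page that builds an HRef from request data: a rendered anchor whose quote or angle-bracket count differs from the baseline has had its attribute boundary changed by the input.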
Bypassing ASP.NET Validation
What is interesting (and dangerous) about this exploit vector is that it bypasses ASP.NET validation.
For example, if we use a payload that contains a valid HTML tag (payload="aaaa"> <h1>XSS</h1>) we will get this error: