Hi kuza55,

Are you trying the payload that includes the tilde or the one without?
The one with the tilde (~) only works if the payload returns after an
opening angle bracket (<).

Please see:

http://www.procheckup.com/Vulnerability_PR08-20.php

And yes, it also works on IE7. Just tried it on a live environment last
week.

kuza55 wrote:
> Sorry for digging this up, but I can't replicate your findings on the
> IE7 version you claim is vulnerable on your advisory.
>
> Your paper seems to say you only tested this on IE 5.5 and IE6 (no
> mention of IE7), so is that the case, or am I just doing it
> wrong?
>
> 2008/8/22 ProCheckUp Research <research@xxxxxxxxxxxxxx>:
>> The Microsoft .NET framework comes with a request validation feature,
>> configurable by the ValidateRequest setting. ValidateRequest has been a
>> feature of ASP.NET since version 1.1. This feature consists of a series
>> of filters, designed to prevent classic web input validation attacks
>> such as HTML injection and XSS (Cross-site Scripting). This paper
>> introduces script injection payloads that bypass ASP .NET web validation
>> filters and also details the trial-and-error procedure that was followed
>> to reverse-engineer such filters by analyzing .NET debug errors.
>>
>> The original version of this paper was released in January 2006 for
>> private CPNI distribution. This paper has now been updated in August
>> 2008 to include additional materials such as input payloads that bypass
>> the latest anti-XSS .NET patches (MS07-40) released in July 2007.
>>
>> Paper:
>>
>> http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf
>>
>> Advisory:
>>
>> http://www.procheckup.com/Vulnerability_PR08-20.php