We ran into a cross-site scripting vulnerability and found out it was a problem caused by a bug in the Microsoft ASP.NET Ajax Control Toolkit <http://www.asp.net/(S(vovsvx454o5rex452c4ypcy3))/ajax/>. We were able to implement and verify a fix since this is an open source project.

We realize this security bug will potentially affect other Salesforce AppExchange applications that use the Microsoft ASP.NET Control Toolkit, hence this post.

 

Here are the details from the Burp scanning report

 

The value of the _TSM_HiddenField_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b05b\'%3balert(1)//508e8ca2e0a was submitted in the _TSM_HiddenField_ parameter. This input was echoed as 6b05b\\';alert(1)//508e8ca2e0a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

 

The mitigation is twofold:
1) Encapsulate the request parameter in double quotation marks
2) Validate the request parameter and trim any potential malicious data

 

The patch is available at http://ajax.codeplex.com/Project/Download/FileDownload.aspx?DownloadId=108879

 

Thanks,

Frederic de Vedrines

 

http://www.nirvaha.com

Message Edited by fdevedrines on 03-01-2010 01:54 PM
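The quote-only escaping the Burp report describes, beside a complete JavaScript string encoder, as an added example that is not from the Toolkit or the post above. The two render functions and the alert stub are assumptions standing in for the page that writes the hidden-field value into a script block.

```javascript
// Added example (not the Toolkit's code): why escaping only the quote character is
// not enough when a request value is written into a JavaScript string literal.

// Payload from the Burp report, URL-decoded (%3b -> ';').
const PAGE_PAYLOAD = "6b05b\\';alert(1)//508e8ca2e0a";

// Quote-only escaping, the behaviour the report describes: the backslash in the
// input is echoed unchanged, so "\'" becomes "\\'" and the literal closes early.
function naiveSingleQuoteEscape(value) {
  return value.replace(/'/g, "\\'");
}

// Complete encoder: backslash first, then both quote kinds, line terminators,
// and '<' and '/' so the value can never form "</script>" inside the literal.
function jsStringEncode(value) {
  return value
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/</g, "\\x3c")
    .replace(/\//g, "\\/");
}

// Hypothetical page code that emits the hidden-field value into a script block.
function renderNaive(value) {
  return "var tsm = '" + naiveSingleQuoteEscape(value) + "';";
}
function renderHardened(value) {
  return "var tsm = '" + jsStringEncode(value) + "';";
}

// Run the emitted fragment the way a browser would, with a stub alert() that
// records whether injected code executed. Returns { tsm, alertCalled }.
function evaluateFragment(fragment) {
  let alertCalled = false;
  const alert = () => { alertCalled = true; };
  const tsm = new Function("alert", fragment + "\nreturn tsm;")(alert);
  return { tsm, alertCalled };
}

// Naive: alert fires and tsm is truncated. Hardened: no alert, tsm round-trips.
console.log(evaluateFragment(renderNaive(PAGE_PAYLOAD)));
console.log(evaluateFragment(renderHardened(PAGE_PAYLOAD)));
```

On the server side, .NET's HttpUtility.JavaScriptStringEncode performs this kind of escaping before the value is written into the page.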