Microsoft ASP.NET ValidateRequest Filters Bypass Cross-Site Scripting Vulnerability

Symptom

PCI or other vulnerability scans have reported a finding (CVE-2008-3842 and CVE-2008-3843) related to a Cross-Site Scripting (XSS) vulnerability on .NET Framework 1.1, 2.0, 3.0 or 3.5.

Warning

Impact: Attackers can potentially launch XSS attacks against vulnerable applications that rely solely on ASP.NET ValidateRequest filters. This type of attack can result in defacement of the target site, or the redirection of confidential information (e.g., session IDs or passwords) to unauthorized third parties.

Applies to

SecureAuth IdP Version: 7.x+

OS Version:

  • Windows Server 2008

  • Windows Server 2008 R2

  • Windows Server 2012

  • Windows Server 2012 R2

Microsoft ASP.NET CLR Versions:

  • 1.1.4322.2407 and 2.0.50727, used in ASP.NET versions 1.0 through 3.5

    For a detailed description of CLR versions and ASP.NET versions, refer to the .NET Framework

Cause

ASP.NET is a Web application framework developed by Microsoft. The validateRequest filter is an ASP.NET feature that prevents the server from accepting content containing non-encoded HTML. It is designed to help prevent some script-injection attacks in which client script code or HTML can be unknowingly submitted to a server, stored, and then presented to other users.

Microsoft ASP.NET validateRequest filters could allow a remote attacker to bypass the filters and conduct cross-site scripting attacks using less-than slash (</) and less-than tilde slash (<~/) sequences. These vulnerabilities are described in CVE-2008-3842 and CVE-2008-3843. This QID does not actively check for XSS in the Web application; it relies on the ASP.NET banner version.

Notice

To confirm the vulnerability, run a web application scan.

Resolution

CVE-2008-3842 - The issue described in CVE-2008-3842 is fixed by the MS07-040 update

Verify the latest patches have been applied to the SecureAuth IdP Appliance

Note

Refer to the support document Antivirus and Patch Management Best Practices for SecureAuth IdP Appliances for guidelines on how to apply patches to a SecureAuth IdP Appliance

CVE-2008-3843 - No patches are available for CVE-2008-3843

The vulnerability is mitigated by not relying on the validateRequest filters delivered with ASP.NET, and by using custom input filters and secure coding practices instead.

The SecureAuth IdP Web application does not use the built-in .NET "validateRequest" filter. In the SecureAuth IdP Application realm web.config files, the following is specified:

<pages validateRequest="false" maintainScrollPositionOnPostBack="false" />

This setting indicates that SecureAuth IdP does not rely on the built-in validateRequest filter provided by ASP.NET.

Additionally, all SecureAuth IdP websites and Virtual Directories run on the .NET 4.0 or .NET 4.5 Framework
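
Because the scan finding is based only on the version banner, the two statements above (the validateRequest setting and the target framework) are what an auditor will want as evidence. The following is an added example, not SecureAuth or Microsoft code: it reads a copy of a web.config and reports both values for each scope. The function names and the sample file are constructed for illustration; only the `<pages>` line in the sample comes from this article.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The <pages> line under the root <system.web> is the one
# quoted in this article; <compilation> and the <location> override are
# assumptions added to show how a per-path override is reported.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.5" />
    <pages validateRequest="false" maintainScrollPositionOnPostBack="false" />
  </system.web>
  <location path="legacy">
    <system.web>
      <pages validateRequest="true" />
    </system.web>
  </location>
</configuration>"""


def audit_web_config(xml_text):
    """Return one finding per <system.web> scope found in this file only."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                       # tolerate an xmlns on <configuration>
        el.tag = el.tag.rsplit("}", 1)[-1]
    scopes = [("(root)", root.find("system.web"))]
    scopes += [(loc.get("path", "(all)"), loc.find("system.web"))
               for loc in root.findall("location")]
    findings, inherited = [], "true"             # ASP.NET default when never set
    for scope, sysweb in scopes:
        pages = sysweb.find("pages") if sysweb is not None else None
        comp = sysweb.find("compilation") if sysweb is not None else None
        # A <location> scope without its own setting inherits the root value.
        value = inherited if pages is None else pages.get("validateRequest", inherited)
        if scope == "(root)":
            inherited = value
        findings.append({
            "scope": scope,
            "relies_on_validate_request": value.strip().lower() == "true",
            "target_framework": comp.get("targetFramework") if comp is not None else None,
        })
    return findings


def scopes_relying_on_filter(xml_text):
    """Scopes where the built-in filter is still the active input check."""
    return [f["scope"] for f in audit_web_config(xml_text)
            if f["relies_on_validate_request"]]
```

Any scope returned by `scopes_relying_on_filter` still depends on the built-in filter and needs its own input validation and output encoding reviewed; settings inherited from machine-level configuration are outside what this file-level check sees.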