non-persistent (reflected) XSS

Tony

Hi,
I've searched high and low looking for information on reflected or
non-persistent cross site scripting. An automated scan shows that my
website is vulnerable to such attacks, but everything I find when
searching just talks about validating inputs, which I do.

The information is appended to the URL, but they're not querystring
elements that I'm processing and I don't know why the stuff is being
embedded into the page.

This is an example of what's appended to the url:
?>"></title></iframe></script></form><sCriPt>alert("XSS_DETECTED")</sCriPt>

though it would be encoded thus
?%3E%22%3E%3C%2Ftitle%3E%3C%2Fiframe%3E%3C%2Fscript%3E%3C%2Fform%3E%3CsCriPt%3Ealert%28%22XSS+DETECTED%22%29%3C%2FsCriPt%3E=1

The site is running ASP.NET 2 and the server is IIS7

Any help would be greatly appreciated.
Tony
 
Joe Kaplan

There must be some code that reads the query string and returns the text as
part of the page. If it isn't in your code directly, it could be a third
party component or module that you might be using.

I'd do some searching in the code to find where the query string is being
accessed though.
 
Tony

Hi Joe,
Thanks for the response. It seems it was IIS7 that was outputting the
code into the page, for whatever reason I don't know, seems a bit stupid
to me. Anyway the problem has been resolved using UrlScan, which stops
the dodgy request from reaching IIS.

I now know that this isn't an asp.net security problem as such, but I've
posted the update here in case anyone else has a similar problem and
mistakenly thinks asp.net is at fault.

Tony
 
Joe Kaplan

URLScan is typically a good idea so that's probably a good place for you to
have ended up. It sounds weird that something built into IIS7 would have
an XSS vulnerability in it, but I guess you never know...
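Two things the thread touches on, shown as an added example that is not code from the thread, from IIS or from UrlScan: the kind of check UrlScan-style request filtering performs (reject a request whose decoded URL contains markup characters), run over constructed IIS-style log lines that include the scanner's payload from above, and the output encoding that would have rendered the reflected value harmless even if the request had reached the page. The log format, field positions and function names are assumptions.

```python
import html
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (date time method cs-uri-stem cs-uri-query status),
# not taken from the poster's server. The second query string is the scanner
# payload quoted in the thread; the third is a milder reflected-markup probe.
SAMPLE_LOG = """\
2024-01-01 10:00:00 GET /default.aspx page=2 200
2024-01-01 10:00:01 GET /default.aspx %3E%22%3E%3C%2Ftitle%3E%3C%2Fiframe%3E%3C%2Fscript%3E%3C%2Fform%3E%3CsCriPt%3Ealert%28%22XSS+DETECTED%22%29%3C%2FsCriPt%3E=1 200
2024-01-01 10:00:02 GET /search.aspx q=%3Cb%3Ehello%3C%2Fb%3E 200
"""

# Characters that request filtering should reject in a URL on a site whose
# parameters never legitimately carry markup (UrlScan's approach, simplified).
SUSPECT_CHARS = "<>"


def decode_query(raw_query: str) -> str:
    """Percent-decode a query string the way the server would before using it."""
    return unquote_plus(raw_query)


def is_suspect(raw_query: str) -> bool:
    """True if the decoded query contains markup characters; decoding first
    matters, otherwise %3C and %3E slip past a check on the raw text."""
    decoded = decode_query(raw_query)
    return any(c in decoded for c in SUSPECT_CHARS)


def flag_requests(log_text: str) -> list[str]:
    """Return the decoded query strings of requests that request filtering
    should have blocked before they reached the application."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed or truncated line, skip it
        raw_query = parts[4]
        if raw_query != "-" and is_suspect(raw_query):
            flagged.append(decode_query(raw_query))
    return flagged


def render_safely(value: str) -> str:
    """Output-encode a value before echoing it into HTML, so any markup in it
    is shown as text (the equivalent of HttpUtility.HtmlEncode in ASP.NET)."""
    return html.escape(value, quote=True)
```

Request filtering is a perimeter control; the output encoding in `render_safely` is what fixes the reflection itself, and a site wants both.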
 
