Thread subject: Security Override :: Help with ASP.NET XSS

Posted by ChaoticWind on 04/11/2014 12:41:27
#1

I'm pretty new to XSS, and this post may be a bit long so please bear with me.

I have a page that uses ASP.NET 1.1.4233 to login, when the login fails it shows at the top of the page "Username [username] not valid". When I put
Code
<IMG SRC="http://foor.com/bar.png" >


in the Username box, it shows the image because it does not sanitize the input and proves that code can be injected into the page. Now I want to create a URL that passes that to the page when clicked on. The page uses POST to pass the variables when you try to login, so I tried to create a page that had something like:
Code

<form method="POST" action="https://example.com/Default.aspx" name="FormX" >
<input type="hidden" name="username" value="X<IMG SRC="http://foo.com/bar.png" >" />
<input type="hidden" name="pass" value="fail" />
<script>
document.FormX.submit();       
</script>
</form>




But when I would click on it, I would be taken to the normal page and nothing would happen. So then I tried to use the __VIEWSTATE variable in the url like so:
Code

This works for a little while but after like 5 minutes when I try to go to the link, I am redirected to the site's /DefaultErrorPage.aspx?aspxerrorpath=/SA/Default.aspx which says:

Error Message:Username and password combination not valid!
Technical Message:Thread was being aborted.
Calling Stack:_btnLogin_ClickParameter List:

Does anyone know why it only works for a few minutes or how I can make the url last longer? Again, I'm pretty new to XSS, and I don't know much about ASP.NET.

Edited by ChaoticWind on 04/11/2014 12:53:04