Asp.Net webresource.axd open redirect security flaw?

An active scan of WebResource.axd with Burp Suite flagged a possible open redirection in the WebForm_DoCallback function. This function sends a POST request to a generated URL. The generated URL is based on the form's action or on document.location.pathname. I could not work out where my site uses this method, and I did not find a way to abuse it. How could anyone abuse this? The relevant part of the function is below; the comments mark the potential problem.

// Excerpt from the body of WebForm_DoCallback (per the question above). The
// function header and any code after this branch are not shown, so
// eventCallback, context, errorCallback, useAsync, postData, theForm and the
// __-prefixed globals all come from outside this excerpt.

// Create the request object: native XMLHttpRequest first, then the legacy
// ActiveX control. Both failures are swallowed, which leaves xmlRequest
// undefined.
var xmlRequest,e;
try {
    xmlRequest = new XMLHttpRequest();
}
catch(e) {
    try {
        xmlRequest = new ActiveXObject("Microsoft.XMLHTTP");
    }
    catch(e) { }
}

// Truthy only when a request object exists and exposes setRequestHeader.
// If the property access itself throws, the initial value true is kept.
var setRequestHeaderMethodExists = true;
try {
    setRequestHeaderMethodExists = (xmlRequest && xmlRequest.setRequestHeader);
}
catch(e) {}

// Record everything the completion handler needs for this callback.
var callback = new Object();
callback.eventCallback = eventCallback;
callback.context = context;
callback.errorCallback = errorCallback;
callback.async = useAsync;

// WebForm_FillFirstAvailableSlot is defined elsewhere; presumably it stores
// the callback in __pendingCallbacks and returns its index - confirm.
var callbackIndex = WebForm_FillFirstAvailableSlot(__pendingCallbacks, callback);

// Only one synchronous callback is tracked at a time: a previously tracked
// one has its slot cleared before this one takes its place.
if (!useAsync) {
    if (__synchronousCallBackIndex != -1) {
        __pendingCallbacks[__synchronousCallBackIndex] = null;
    }
    __synchronousCallBackIndex = callbackIndex;
}

if (setRequestHeaderMethodExists) {
    xmlRequest.onreadystatechange = WebForm_CallbackComplete;
    callback.xmlRequest = xmlRequest;

    // The request target is the form's action, or the current path when the
    // form has no action. fragmentIndex is the position of '#' in that URL.
    // NOTE(review): nothing in this excerpt takes the target from a query
    // string or other request parameter; it comes from the page's own DOM.
    var action = theForm.action || document.location.pathname,
        fragmentIndex = action.indexOf('#');
    if (fragmentIndex !== -1) {
        // Drop the fragment: keep everything before the '#'.
        action = action.substr(0, fragmentIndex);
    }

    // Quoted by the asker from elsewhere in the script:
    // var __nonMSDOMBrowser = (window.navigator.appName.toLowerCase().indexOf('explorer') == -1)
    // With that definition this branch runs only when appName contains
    // 'explorer'. It applies encodeURI to the path part (or to the whole URL
    // when there is no query string), and only if that part contains no '%',
    // so a value that already holds a percent sign is not encoded again.
    if (!__nonMSDOMBrowser) {
        var queryIndex = action.indexOf('?');
        if (queryIndex !== -1) {
            var path = action.substr(0, queryIndex);
            if (path.indexOf("%") === -1) {
                action = encodeURI(path) + action.substr(queryIndex);
            }
        }
        else if (action.indexOf("%") === -1) {
            action = encodeURI(action);
        }
    }

    // POST to the generated URL. The third argument is the literal true, so
    // the request is asynchronous here regardless of useAsync.
    // NOTE(review): this issues an XMLHttpRequest and does not navigate the
    // browser, so it does not match the usual shape of an open redirect. The
    // thing to verify is that no untrusted input can set the form's action
    // attribute, because postData is sent to whatever URL it holds.
    xmlRequest.open("POST", action, true);
    xmlRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=utf-8");
    xmlRequest.send(postData);

    // Leaves the enclosing function; what follows this branch in the
    // original script is not part of the excerpt.
    return;
}

Source: https://habr.com/ru/post/977768/

