Sunday 6 November 2011

ASP.NET Anchor tag allows XSS payloads, is this a vulnerability on the .NET Framework?

I just posted a blog entry on an O2 script I wrote a couple of days ago that checked if the HREF tag in the ASP.NET HtmlAnchor control is vulnerable to XSS: http://o2platform.wordpress.com/2011/11/06/checking-if-nets-htmlanchor-href-property-is-vulnerable-to-xss/

There are a number of really cool techniques in this script:
  • Render the Html Tag control in isolation (which will allow these tests to be run from vanilla UnitTests)
  • Quickly put Html content in a browser and see what it looks like
  • Quickly fire up a .NET web server on a local directory, create a test *.aspx page, and see its contents (rendered from the ASP.NET server)
  • Test some payloads on the *.aspx page and confirm (or not) the exploitability of this control (a good follow-up script to write is to run the FuzzDB on this property and see which ones work)

Since it is safe to assume that the Href from an HtmlAnchor should not have " (and other dangerous chars) in its rendered text (it should be encoded), shouldn't this be classified as a vulnerability in the ASP.NET Framework? Especially since it bypasses the ASP.NET built-in validation.
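
The isolated-render check described above can be reproduced in a few lines and compared with attribute-encoding the value before it reaches the control. This is an added example, not the O2 script from the linked post; the helper names, the `PROBE` marker and the `example.test` URL are assumptions, and it needs a reference to System.Web on the .NET Framework.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.UI;
using System.Web.UI.HtmlControls;

public static class HtmlAnchorHrefCheck
{
    // Render the control on its own, with no Page or HttpContext,
    // so the check can run from a plain unit test or console app.
    public static string Render(HtmlAnchor anchor)
    {
        using (var sw = new StringWriter())
        using (var writer = new HtmlTextWriter(sw))
        {
            anchor.RenderControl(writer);
            writer.Flush();
            return sw.ToString();
        }
    }

    // True when the double quote in front of the marker reached the markup
    // unencoded, i.e. the value can close the href attribute early.
    public static bool RawQuoteSurvives(string html, string marker)
    {
        return html.Contains("\"" + marker);
    }

    // Hypothetical helper: attribute-encode untrusted input before assigning it.
    public static void SetHrefEncoded(HtmlAnchor anchor, string untrusted)
    {
        anchor.HRef = HttpUtility.HtmlAttributeEncode(untrusted);
    }

    public static void Main()
    {
        // Constructed probe value: a harmless marker preceded by a double quote.
        const string marker = "PROBE";
        string probe = "http://example.test/?q=\"" + marker;

        var direct = new HtmlAnchor { HRef = probe, InnerText = "link" };
        var encoded = new HtmlAnchor { InnerText = "link" };
        SetHrefEncoded(encoded, probe);

        foreach (var html in new[] { Render(direct), Render(encoded) })
            Console.WriteLine("{0}\n  raw quote survives: {1}", html, RawQuoteSurvives(html, marker));
    }
}
```

Running the same check as a unit test against every control property that receives user input gives a regression guard that does not need a web server.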

Is this documented somewhere? I know there is (somewhere) a list of all ASP.NET mappings (so it should be there), but I just looked at the MS pages for the HtmlAnchor tag and there is no mention in there for the security implications of this: