Thank you all for the replies. Unfortunately, I can no longer really test this (it was on some internal network, so for example link shortening wouldn't work), but I wanted to know if anyone had encountered this stuff before. I should try on a clean install as suggested - if it works I'll let you know.

For some unknown reason there was no HTML encoding in this error response; however, the payload was truncated to 20 chars. I googled it and all I found was some discussion about the validateRequest attribute in web.config; however, I didn't have the configuration of the server to check this. This was also part of some commercial app that uses IIS, but I think it's more related to IIS itself.

Thanks all

On Sat, Nov 29, 2014 at 7:37 AM, James Hooker <seidrhr...@googlemail.com> wrote:

> You could skip the schema on any includes, and just use '//'. That will
> then use the schema provided in the original URL. That will save you 4
> characters at least. You can also skip most quotes in tags - that will save
> you a few more characters. Link shortening services might also be of use,
> however one that generates links short enough might be hard to come by -
> more likely, you'll need a 3 character domain, with a 2 character extension
> (such as UK, or IN).
>
> You might be able to squeeze a script tag into that saved space.. *might*
>
> Hello everyone,
>
> I found some weird HTML code injection in an IIS error message. IIS spits
> out some part of the user input that generated the error message, but will
> only display 20 characters at most.
> My question is: is it possible to actually exploit an XSS with this?
>
> Here is an example:
>
> HTTP Request: mypage?search=%3cb%20onclick%3dalert(1)>%3e
> HTTP Response (real):
>
> <p>An error has occured.</p>
> <p>Exception HttpRequestValidationException occurred while attempting
> <b>mypage</b></p>
> <p>Exception message is: <b>A potentially dangerous Request.QueryString
> value was detected from the client (search="<b
> onclick=alert(1)>...").</b></p>
> <p>Stack trace:</p>
> <pre>
> Server stack trace:
> [..]
>
> My payload was: <b onclick=alert(1)>> and it works (after clicking).
> However, can this actually be exploited in real life?
> I tried stuff in 20 characters like: <embed src=http://x> or
> <img src=http://x/z> but no luck.
> Has anyone ever tried this before?
>
> Thanks,
>
> P.S. This might be a silly question with an obvious answer. If so, I'd be
> grateful to have some extra information (links, docs etc.).
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
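The truncated, unencoded reflection discussed in this thread, as an added example that is not part of any of the posts and not IIS/ASP.NET code: a small Python check that classifies whether an echoed parameter value comes back raw or HTML-encoded (allowing for the 20-character cut-off), beside the encoded rendering the error page should have produced. The response body and `render_error_safely` are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Behaviour observed in the thread: the error page echoes at most the first
# 20 characters of the offending parameter value, followed by "...".
REFLECT_LIMIT = 20

# Request parameter from the thread (decodes to '<b onclick=alert(1)>>').
PAYLOAD = "%3cb%20onclick%3dalert(1)>%3e"

# Constructed sample body modelled on the response quoted in the thread:
# the exception message is written into the page without HTML encoding.
RAW_BODY = (
    '<p>Exception message is: <b>A potentially dangerous Request.QueryString '
    'value was detected from the client (search="<b onclick=alert(1)>...").'
    '</b></p>'
)


def render_error_safely(param_value: str, limit: int = REFLECT_LIMIT) -> str:
    """Constructed 'fixed' rendering of the same message: the echoed
    fragment is HTML-encoded so '<', '>' and quotes cannot form markup."""
    shown = unquote(param_value)[:limit] + "..."
    return (
        '<p>Exception message is: <b>A potentially dangerous Request.QueryString '
        f'value was detected from the client (search="{html.escape(shown, quote=True)}").'
        '</b></p>'
    )


def reflection_state(param_value: str, body: str, limit: int = REFLECT_LIMIT) -> str:
    """Classify how the (truncated) parameter value comes back in a response:
    'raw'     - metacharacters reflected verbatim (the defect in the thread)
    'encoded' - reflected, but HTML-encoded (inert)
    'plain'   - value has no metacharacters and is reflected as-is
    'absent'  - the first `limit` characters are not in the body at all"""
    fragment = unquote(param_value)[:limit]
    encoded = html.escape(fragment, quote=True)
    if encoded == fragment:  # nothing to encode, so raw vs. encoded is moot
        return "plain" if fragment in body else "absent"
    if encoded in body:
        return "encoded"
    if fragment in body:
        return "raw"
    return "absent"


if __name__ == "__main__":
    print("vulnerable page:", reflection_state(PAYLOAD, RAW_BODY))  # raw
    print("encoded page:", reflection_state(PAYLOAD, render_error_safely(PAYLOAD)))  # encoded
```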