
Running WebResource.axd through Burp Suite’s active scan indicated a possible open redirection flaw in the function WebForm_DoCallback. This function does a POST to a generated URL. The generated URL is based on the form's action URL or on document.location.pathname. I have not figured out where my site uses this method, nor have I found a way to abuse it. How could anyone abuse this? Below is the relevant function; the comments mark the potential problem.

// Excerpt from the body of WebForm_DoCallback (the function header is not part of
// this listing). It creates an XMLHttpRequest, records the callback, and POSTs
// postData to a URL derived from the form's action or the current path.

// Create the request object: native XMLHttpRequest first, then the ActiveX
// fallback. Both failures are swallowed, which leaves xmlRequest undefined.
var xmlRequest,e;
try {
    xmlRequest = new XMLHttpRequest();
}
catch(e) {
    try {
        xmlRequest = new ActiveXObject("Microsoft.XMLHTTP");
    }
    catch(e) {
    }
}
// Feature check: falsy when no request object was created or it has no
// setRequestHeader. The property read is wrapped in try/catch; presumably it can
// throw on some host objects (not shown here).
var setRequestHeaderMethodExists = true;
try {
    setRequestHeaderMethodExists = (xmlRequest && xmlRequest.setRequestHeader);
}
catch(e) {}
// Record the caller's handlers and store the record in the first free slot of
// __pendingCallbacks.
var callback = new Object();
callback.eventCallback = eventCallback;
callback.context = context;
callback.errorCallback = errorCallback;
callback.async = useAsync;
var callbackIndex = WebForm_FillFirstAvailableSlot(__pendingCallbacks, callback);
// Only one synchronous callback is tracked: the previous one's slot is cleared
// and replaced by this one.
if (!useAsync) {
    if (__synchronousCallBackIndex != -1) {
        __pendingCallbacks[__synchronousCallBackIndex] = null;
    }
    __synchronousCallBackIndex = callbackIndex;
}
// Only the XMLHttpRequest path is quoted; what runs when the check fails is
// outside this excerpt.
if (setRequestHeaderMethodExists) {
    xmlRequest.onreadystatechange = WebForm_CallbackComplete;
    callback.xmlRequest = xmlRequest;
    // The request URL has exactly two possible sources: the form's action, or
    // the path of the current page when the action is empty. No request
    // parameter is read here directly. fragmentIndex is the position of '#'.
    // NOTE(review): this value is used for an XHR POST, not a navigation, so the
    // browser is never redirected by this code. The relevant question is whether
    // theForm.action can be influenced by untrusted input when the page is
    // rendered -- confirm server-side that it always resolves to this site.
    // document.location.pathname is a path on the current origin.
    var action = theForm.action || document.location.pathname, fragmentIndex = action.indexOf('#');
    if (fragmentIndex !== -1) {
        // Drop the fragment: keep everything before '#'.
        action = action.substr(0, fragmentIndex);
    }
    //From somewhere else in the script.
    //var __nonMSDOMBrowser = (window.navigator.appName.toLowerCase().indexOf('explorer') == -1)
    // Per the definition quoted above, this branch runs only when appName
    // contains 'explorer'. It applies encodeURI to the path part (the query
    // string is left as is) and only when the path has no '%', presumably to
    // avoid encoding an already-encoded path twice.
    if (!__nonMSDOMBrowser) {
        var queryIndex = action.indexOf('?');
        if (queryIndex !== -1) {
            var path = action.substr(0, queryIndex);
            if (path.indexOf("%") === -1) {
                action = encodeURI(path) + action.substr(queryIndex);
            }
        }
        else if (action.indexOf("%") === -1) {
            action = encodeURI(action);
        }
    }
    // POST postData to the derived URL. The third argument is the literal true,
    // so the request is asynchronous regardless of useAsync.
    // NOTE(review): a form-urlencoded POST is sent without a CORS preflight, so
    // if action ever pointed at another origin, postData would be transmitted
    // there; that is why the origin of theForm.action is the thing to verify.
    xmlRequest.open("POST", action, true);
    xmlRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=utf-8");
    xmlRequest.send(postData);
    return;
}
  • Did you ever conclude the threat level of this issue? I'm ready to write it off, as it seems part of ASP.net core -- though, it's part of ASP.net core so maybe I shouldn't write it off, haha.
    – Lotus
    Feb 20, 2015 at 23:07
  • This sounds like a question that should be officially brought to Microsoft's attention on MSConnect, not necessarily posted here. Feb 28, 2015 at 15:18
  • I have not concluded 100%, although I’m pretty sure this is not a problem.
    – Frode
    Mar 9, 2015 at 9:50
