
IIS universal cross site scripting

by Nikola Strahija on April 12th, 2002

Vulnerabilities addressed: stealing cookies from any IIS site, cross-domain scripting to any IIS site, hijacking Hotmail and Passport accounts, elevating privileges through ActiveX components, hijacking the MSN Messenger client...

Vulnerable versions:
IIS 5.1

Every time IIS encounters an HTTP 404 error code, it displays a "404 not
found" page. This HTML file uses scripting to output a link to the SERVER.TLD
part of the URL, and by crafting a specially formed URL it is possible to
include arbitrary script commands on the 404 page, thereby enabling
cross-site scripting on any IIS site.

If we look at 404.htm we will notice a particular line of code:

document.write( '<A HREF="' + escape(urlresult) + '">' + displayresult +

displayResult is derived from the first instance of :// in the URL until the
next instance of /. This means that we will have to include our script code
before the path part of the URL. To accomplish this we include our script code
in the Basic Authentication part of the URL, but we first have to escape any
special characters in the code. Any / character will end displayresult
prematurely and any spaces will corrupt the DNS lookup, and we therefore
replace any space with a TAB (%09) and any / with %5Cx2f (x2f, as we will
dynamically reference an external file).
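The following is an added illustration, not the code of the original 404.htm: it models the "take the text between :// and the next /" step the article describes, shows why writing that substring straight into the page with document.write() is the defect, and places the hardened version (HTML-escape the displayed text, URL-encode the href) beside it. The function names and the sample URL (with a harmless <i> tag in the userinfo part) are constructed for this example.

```javascript
// Mirrors the described extraction: everything between the first "://" and the
// next "/". Note this includes any "userinfo@" prefix placed before the host.
function extractDisplayResult(url) {
  const start = url.indexOf("://");
  if (start === -1) return url;
  const from = start + 3;
  const slash = url.indexOf("/", from);
  return slash === -1 ? url.slice(from) : url.slice(from, slash);
}

// Vulnerable pattern (shape of the quoted line): the href goes through the
// legacy escape(), but the link text is concatenated raw into the markup.
function renderVulnerable(url) {
  const displayresult = extractDisplayResult(url);
  return '<A HREF="' + escape(url) + '">' + displayresult + "</A>";
}

// Minimal HTML escaping for text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: the host text is HTML-escaped before it reaches the DOM,
// and the href is URI-encoded so it cannot break out of the attribute.
function renderHardened(url) {
  const displayresult = extractDisplayResult(url);
  return '<A HREF="' + escapeHtml(encodeURI(url)) + '">' + escapeHtml(displayresult) + "</A>";
}

// Constructed sample: a tag smuggled into the userinfo part of the URL. The "/"
// inside "</i>" also shows why the article says a slash ends displayresult early.
const SAMPLE_URL = "http://<i>injected</i>@example.invalid/missing.htm";
const CLEAN_URL = "http://example.invalid/missing.htm";

console.log(renderVulnerable(SAMPLE_URL)); // tag reaches the page unescaped
console.log(renderHardened(SAMPLE_URL)); // tag rendered as &lt;i&gt; text
console.log(renderHardened(CLEAN_URL)); // ordinary host link
```

Running it with a real browser instead of Node would require replacing the console.log calls with document.write(), which is exactly the sink the hardened version keeps untrusted markup out of.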

Proof of concept is available here.

Apply the MS02-018 patch, or delete the default 404 error handler page.

Cross-site scripting (CSS) is a term that describes the injection of script
code on foreign sites. A very likely scenario is where a malicious programmer
would inject code on e.g. to steal a victim's cookies, allowing him/her
to hijack the victim's email account.
The default installation of IIS is susceptible to such a CSS error.

Vulnerability discovered by Thor Larholm.
