I got this burp vulnerability report - External service interaction (DNS)
XML is injected in the URL Path. I wonder if anyone has any idea how to prevent this.
I'm working on a web application using Visual Studio with WebForms C#.
I was thinking maybe it could be prevented from IIS or the web.config file but I'm not sure.
Issue Details
It is possible to induce the application to perform server-side DNS lookups of arbitrary domain names. The payload:
<iaz xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include href="http://o6vsilg7waiopz0impyw3z2cn3twho5ptgl3br0.burpcollaborator.net/foo"/>
</iaz>
... was submitted in the URL path filename. This payload contains some XML with an XInclude expression that references a URL on an external domain.
The application performed a DNS lookup of the specified domain, indicating that the XML parser processed the injected XInclude definition.
GET /ViewEmployee/%3ciaz%20xmlns%3axi%3d%22http%3a//www.w3.org/2001/XInclude%22%3e%3cxi%3ainclude%20href%3d%22http%3a//o6vsilg7waiopz0impyw3z2cn3twho5ptgl3br0.burpcollaborator.net/foo%22/%3e%3c/iaz%3e?RequestId=428 HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Connection: close
Related
I currently am working on a new project which will contain of a client in JavaScript with socket.io and a server in C#.
However, I have no clue how to respond to the data sent when I connect my client to the server.
In my JavaScript I have:
var socket = io('http://127.0.0.1:30000');
And I have SocketTest open and a server started on port 30000. SocketTest will receive the following data:
GET /socket.io/?EIO=3&transport=polling&t=MDMuIkH HTTP/1.1
Host: 127.0.0.1:30000
Connection: keep-alive
Accept: */*
Origin: http://127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Referer: http://127.0.0.1:8080/
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: SOME COOKIE DATA
What do I correctly send back to the client with this?
Take a look here: C# Server Socket Program
You have to do networkStream.Read and networkStream.Write and whatever you decide to write back, you just need to interpret correctly on the JavaScript side.However
I suggest you take a look at JSON and maybe the following site because you are doing things that have been done for you already. Posting URL-encoded key values with HttpClient
The server is connected to the Port 30000, so you need to reads data from NetworkStream , and also write to the NetworkStream .
I am currently building a windows store application and I am running into what I now think is a bug.
All my http requests fail except when I make a change to the application manifest then they will work on the first run but straight after that the next web request will fail.
The strange thing is that in order for me to get it to work again I will have to remove a capability from the manifest, even if it is an important one such as the internet capability then the application will work!
Here are the headers I am passing in my HttpClient request:
requestMessage.Headers.TryAddWithoutValidation("Connection", "keep-alive");
requestMessage.Headers.TryAddWithoutValidation("Accept-Encoding", "gzip, deflate, sdch");
requestMessage.Headers.TryAddWithoutValidation("Accept-Language", "en-US,en;q=0.8");
requestMessage.Headers.TryAddWithoutValidation("Host", "xx.xx.x.xxx");
requestMessage.Headers.TryAddWithoutValidation("Cache-Control", "no-cache");
requestMessage.Headers.TryAddWithoutValidation("User-Agent", "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.107 Safari/537.36");
requestMessage.Headers.TryAddWithoutValidation("Upgrade-Insecure-Requests", "1");
Even when I get a web request to hit the server it will always fail on the next call.
Here is the exception I get when it fails:
InnerException = {"An attempt was made to access a socket in a way forbidden by its access permissions 10.98.0.181:80"}
We have deployed the Web API services on IIS and the application is running on a tablet that connects to the server using a VPN.
The tablet is running Symantic Endpoint Protection which is managed externally.
Is there a caching option I can turn of on the device that could be causing this or a setting I have overlooked?
I have implemented Unity.mvc3 into my project but now my Knockout AJAX methods are starting a Longpolling process and I do not know why, can anyone help please?
This is the JSON response (I have not got a clue why I am getting
this)- {"C":"d-13044D90-B,0|E,2|F,0","M":[]}
A%2F%2Flocalhost%3A1764%2Findex.html&browserName=Chrome&tid=5&_=1403698144789
Request Method:GET Status Code:200 OK Request Headersview source
Accept:text/plain, /; q=0.01 Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8 Cache-Control:no-cache
Connection:keep-alive Content-Type:application/x-www-form-urlencoded;
charset=UTF-8
Cookie:__RequestVerificationToken=j6VFekQ7Po1EfD9wSUK4e4A_ts1SVuGIbRwDG727whnb8l--9P5v5maO-FhCOjFLitRIegjYixEX9698kZR_JWHvo7lUmFYfOwVNjwQ7Hhg1
Host:localhost:7356
Pragma:no-cache
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/35.0.1916.153 Safari/537.36 Query String
Parametersview sourceview URL encoded transport:longPolling
connectionToken:AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAANVlw/ETQ70WfNHf1KMvu6gAAAAACAAAAAAAQZgAAAAEAACAAAACnUs1Jjk7unYzODmvpJNj7Nbvay/Dx4kSOH+V/CtVDTwAAAAAOgAAAAAIAACAAAAAm7NaW0uCoayuqpNT8z8+uLy/Uio+Nbh8g+VDE0X1/8TAAAAAKXR/1gbPBSIz2WagA2zJI6Te45f63pWeiYkXBGYlYeO+WbWbkTycWNrGmRqaUY8JAAAAAsCIr6JEw/gAUfIClKEjm3cBXG3+I33yhob1f3jMrvmLQTeDC7hphp1SAz+utVN28VstEmeExHyyuycRP/upWIw==
messageId:d-13044D90-B,0|E,2|F,0
browserName:Chrome tid:5
_:1403698144789 Response Headersview source Access-Control-Allow-Credentials:true
Content-Type:application/json; charset=UTF-8 Date:Wed, 25 Jun 2014
12:09:10 GMT Server:Microsoft-HTTPAPI/2.0 Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
And this is the answer, add key="vs:EnableBrowserLink" value="false" to the web config between the appSettings tags the automatic polling has stopped, I found out this happens by default in VS2012 and now no more auto polling :-) - . I also cannot believe no one posted anything for this but anyways this worked a treat.
I use C# in my WPF Project. I want to send a GET http request to a website, but I want to send it in a way, so that it will look like a request from a browser.
Now I have a program which sends a GET request and gets a response. I use WebRequest class for sending GET requests.
I know that browsers add some information to their requests like browser name, OS name and the computer name.
My question is how can I add this information to my WebRequest? To what properties all that information (browser name, OS name) should be assigned?
You should use Fiddler to capture the request that you want to simulate.
You need to look at the inspectors > raw.
This is an example of a request to the fiddler site from chrome
GET http://fiddler2.com/ HTTP/1.1
Host: fiddler2.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36
Referer: https://www.google.be/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,nl;q=0.6
You can then set each one of these headers in your webrequest (see http://msdn.microsoft.com/en-us/library/system.net.httpwebrequest.aspx).
WebRequest request = (HttpWebRequest)WebRequest.Create("http://www.test.com");
request.UserAgent = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36";
Generally the information you are interested in (browser, os, etc.) is sent in the "User Agent" header along with the request. You can control the user agent with its property, here:
http://msdn.microsoft.com/en-us/library/system.net.httpwebrequest.useragent.aspx
There may be other differences, I recommend using Fiddler to capture your browser traffic and then compare it to the traffic from your .NET-based web request.
http://fiddler2.com/
Enjoy.
All such information is sent via header in a web request. You can also add such information in header as key/value pair. However, you have only limited attributes which you can set using WebRequest's header property; many of them are restricted. You can also check the list of restricted header attributes in the following thread: Cannot set some HTTP headers when using System.Net.WebRequest.
Context:
Hi everyone, i am trying to simulate a query on this website, but i am failing to do so.
I am using C# and a custom self developed library to Wrap the WebRequests actions making it easier to simulate Posts and Gets for Strings and Bitmaps.
Also, i'm using Fiddler2 Web Debugger to debug the web requests of the service
How to test the service Yourself:
Link to the service
Use this document on the first white box : 04034872000121
Write the captcha and click at "Consultar"
Thats it.
Problem:
After Debuging the requests with fiddler, and replicated everything on code (Cookies, Origin, Host, Postdata with a huge json and so on).
The request for the query, still not working, it redirects me to the home page again, instead of querying the document. (I am allowing "AutoRedirect" on web request object).
The only parameter that i'm not beeing able to replicate is the : GxAjaxRequest: 1
Here is the Fiddler debug feedback of the request:
POST http://sefaznet.ac.gov.br/sefazonline/servlet/hpfsincon?0898a16d81a4e94896958b17b52f252d,gx-no-cache=1354713117196 HTTP/1.1
Host: sefaznet.ac.gov.br
Connection: keep-alive
Content-Length: 1337
Origin: http://sefaznet.ac.gov.br
GxAjaxRequest: 1 **Weird Parameter. I've never saw it before.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://sefaznet.ac.gov.br/sefazonline/servlet/hpfsincon
Accept-Encoding: gzip,deflate,sdch
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GX_SESSION_ID=vSLRLKed3eXJGMBorGepVtQkJOQ1I3o0EBUVzT0g%2BI8%3D; JSESSIONID=af2ba968b7889ec8869caaaba281
vNUMDOC=04034872000121&cfield=chin&BUTTON1=Consultar&BTN_VOLTAR=Retornar&GXState=%7B%22_EventName%22%3A%22E'VISUALIZADADOS'.%22%2C%22_EventGridId%22%3A44%2C%22_EventRowId%22%3Aundefined%2C%22nRC_Duplicados%22%3A%220%22%2C%22CAPTCHA1_Reloadimagetext%22%3A%22Obter%20nova%20imagem!%22%2C%22CAPTCHA1_Validationresult%22%3A1%2C%22GX_FocusControl%22%3A%22vNUMDOC%22%2C%22GX_AJAX_KEY%22%3A%2264FFFF0AFF7A4DFF2655FFFFFF26FF77%22%2C%22AJAX_SECURITY_TOKEN%22%3A%221a9634f566dcd40d12bb8146fd7ff6edca12ae737a3743d79b4b826c3bd4a604%22%2C%22GX_CMP_OBJS%22%3A%7B%7D%2C%22sCallerURL%22%3A%22%2Fsefazonline%2Fservlet%2Fhpfsindado%3FeTlFtl5mBgEOtpLCt8Q02bMjmN3K93hV7i2Uxq_rHv0%3D%22%2C%22GX_RES_PROVIDER%22%3A%22com.genexus.webpanels.GXResourceProvider%22%2C%22GX_THEME%22%3A%22GeneXusX%22%2C%22_MODE%22%3A%22%22%2C%22Mode%22%3A%22%22%2C%22IsModified%22%3A%221%22%2C%22MESSAGE_Width%22%3A%22100%22%2C%22MESSAGE_Height%22%3A%22100%22%2C%22MESSAGE_Show%22%3A%22false%22%2C%22MESSAGE_Title%22%3A%22Title%22%2C%22MESSAGE_Message%22%3A%22This%20is%20the%20message%22%2C%22MESSAGE_Type%22%3A%22alert%22%2C%22MESSAGE_Icon%22%3A%22info%22%2C%22MESSAGE_Cls%22%3A%22%22%2C%22MESSAGE_Position%22%3A%22t%22%2C%22MESSAGE_Duration%22%3A1%2C%22MESSAGE_Visible%22%3A1%2C%22CAPTCHA1_Width%22%3A%22140%22%2C%22CAPTCHA1_Height%22%3A%2239%22%2C%22CAPTCHA1_Visible%22%3A1%7D&
Question:
How do i actually replicate/add this parameter to my webrequest via code ?
Is there any way to do so ?
By the way, the site messes alot with scripts which was hard to "figure out" the origin from most parameters used on the requests.
I hope someone might help me out.
Thanks in advance.
I've figured out.
The problem was that i've had to add a custom header to each request.
webRequest.Headers.Add ("customheadertext and value");
Now fiddler shows correctly my new request, with the added header
POST http://sefaznet.ac.gov.br/sefazonline/servlet/hpfsincon?0898a16d81a4e94896958b17b52f252d,gx-no-cache=1354721123208 HTTP/1.1
GxAjaxRequest: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Referer: http://sefaznet.ac.gov.br/sefazonline/servlet/hpfsincon
Host: sefaznet.ac.gov.br
Cookie: GX_SESSION_ID=B8w8AQ4W%2FLzLHIpBor3JwJDQAWGy1xRqCYUMnzF14Yk%3D; JSESSIONID=c19564cbebfab1911442fd64a0bb
Content-Length: 1291
Expect: 100-continue
Accept-Encoding: gzip, deflate