Let's start our story.
I was working on the Red Bull bug bounty program on Intigriti. I reported four XSS bugs to Red Bull, but one of them was different and new to me.
The vulnerable subdomain, liveblogat.redbull.com, runs on the .NET Framework.
I found the endpoint /Unique_id/AllEvents.aspx and tried reflecting special characters such as " ' ) (; they came back in the response unchanged. I tried many payloads, but none of them worked.
After some searching I found this blog post and understood the flow of the request:
"ASP.NET maintains cookieless session state by automatically inserting a unique session ID into the page's URL. For example, the following URL has been modified by ASP.NET to include the unique ID lit3py55t21z5v55vlm25s55:

The default value of the SessionStateSection.Cookieless property is AutoDetect which, for modern browsers, is equivalent to storing session IDs in a Cookie header (instead of putting it in a URL). But even explicitly forcing ASP.NET to disable the cookieless feature (setting the cookieless parameter to UseCookies in web.config) doesn't mean that ASP.NET will return any error for URLs with cookieless identifiers.

All this means that accessing http://localhost/(A(ABCD))/default.aspx will bring the same result as accessing

ResolveUrl will happily add these identifiers to the resolved path!"
Let's take a quick peek at the documentation:
"If your application relies on cookieless sessions or might receive requests from mobile browsers that require cookieless sessions, using a tilde ("~") in a path can result in inadvertently creating a new session and potentially losing session data."
The (A(ABCD)) string is added to the Script.js path:
As I promised earlier, and as you can see now, we have control over the URI path!
And all this control leads us to an XSS:
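To make the mechanism concrete from the defender's side, here is an added example (my own code, not from the original post or from Red Bull). It models the behaviour quoted above: a "~/Script.js" path resolved for a request whose path carries a cookieless segment gets that segment copied into the resolved URL, so characters placed inside (A(...)) end up inside a src attribute. It then shows the two controls a site owner has: HTML-encoding the resolved URL before it is written into the page, and stripping or flagging cookieless segments at a proxy or request filter. The (A(...)) prefix is from the post; (S(...)) and (F(...)) are the other prefixes ASP.NET uses for the same cookieless mechanism. The application root is assumed to be "/", the access-log lines are constructed, and every function name here is mine.

```python
import html
import re
from urllib.parse import unquote

# ASP.NET cookieless identifiers travel as one path segment of the form
# "(S(<id>))", "(A(<id>))" or "(F(<ticket>))" (session, anonymous id, forms
# ticket), possibly combined as "(S(<id>)A(<id>))". The post shows the A form;
# S and F are the other prefixes ASP.NET uses for the same mechanism.
LOOKS_COOKIELESS = re.compile(r"^\([SAF]\(", re.IGNORECASE)
# A genuine identifier is purely alphanumeric (a session id is 24 characters);
# anything else in that slot is caller-controlled data, not an id.
WELL_FORMED_SEGMENT = re.compile(r"^\((?:[SAF]\([a-z0-9]{1,64}\))+\)$", re.IGNORECASE)
# Request line of a common-log-format access log.
LOG_REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def cookieless_segments(path):
    """Return every path segment ASP.NET would treat as a cookieless id."""
    return [seg for seg in path.split("/") if LOOKS_COOKIELESS.match(seg)]


def strip_cookieless_segments(path):
    """Normalise a request path by dropping cookieless segments.

    Suitable for a reverse proxy or request filter when the application does
    not use cookieless sessions, since ASP.NET itself still accepts these URLs
    with cookieless="UseCookies" (as the quoted text explains)."""
    kept = [seg for seg in path.split("/") if not LOOKS_COOKIELESS.match(seg)]
    return "/".join(kept) or "/"


def is_suspicious(path):
    """True when a cookieless segment carries anything but an alphanumeric id."""
    return any(not WELL_FORMED_SEGMENT.match(seg) for seg in cookieless_segments(path))


def resolve_url_like_aspnet(app_relative, request_path):
    """Model of the behaviour described above: a "~/" path is resolved against
    the application root (assumed to be "/") and the cookieless segments of the
    current request are carried into the result."""
    if not app_relative.startswith("~/"):
        return app_relative
    prefix = "".join("/" + seg for seg in cookieless_segments(request_path))
    return prefix + "/" + app_relative[2:]


def render_script_tag(request_path, encode_output):
    """Emit the <script src> a page would produce for ResolveUrl("~/Script.js")."""
    src = resolve_url_like_aspnet("~/Script.js", request_path)
    if encode_output:
        src = html.escape(src, quote=True)  # '"' and "'" become entities
    return '<script src="%s"></script>' % src


def attribute_is_intact(tag):
    """Check that the src attribute was not terminated early by the path."""
    return re.match(r'^<script src="[^"]*"></script>$', tag) is not None


def scan_log(log_text):
    """Return (client_ip, decoded_path) for every request whose cookieless
    segment carries non-identifier characters."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_REQ.search(line)
        if not m:
            continue
        path = unquote(m.group(1))  # decode once so %22 is seen as a quote
        if is_suspicious(path):
            flagged.append((line.split(" ", 1)[0], path))
    return flagged


# Constructed access-log sample (not from the original post).
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /Unique_id/AllEvents.aspx HTTP/1.1" 200
10.0.0.2 - - [01/Jan/2024:10:00:01 +0000] "GET /(S(lit3py55t21z5v55vlm25s55))/default.aspx HTTP/1.1" 200
10.0.0.3 - - [01/Jan/2024:10:00:02 +0000] "GET /(A(ABCD))/Unique_id/AllEvents.aspx HTTP/1.1" 200
10.0.0.4 - - [01/Jan/2024:10:00:03 +0000] "GET /(A(ABCD%22%27()))/Unique_id/AllEvents.aspx HTTP/1.1" 200
"""

if __name__ == "__main__":
    for path in ("/(A(ABCD))/AllEvents.aspx", '/(A(ABCD"x))/AllEvents.aspx'):
        raw = render_script_tag(path, encode_output=False)
        safe = render_script_tag(path, encode_output=True)
        print(path, "->", raw, "intact:", attribute_is_intact(raw))
        print(path, "->", safe, "intact:", attribute_is_intact(safe))
    for ip, path in scan_log(SAMPLE_LOG):
        print("flagged", ip, path)
```

The well-formed check is deliberately strict: a real ASP.NET identifier never contains quotes, angle brackets or parentheses, so any cookieless segment that does is worth alerting on even if the application encodes its output correctly. Stripping the segment before the request reaches the application only makes sense when the site does not rely on cookieless sessions; otherwise keep the segment and rely on output encoding.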
Thank you for reading, and wait for the best.