.NET Framework Cookieless Feature XSS.
Hello everyone,
Let's start our story.
I had worked on the Red Bull bug bounty program at Intigriti.
I reported 4 XSS vulnerabilities at Red Bull, but one of them was different and new to me.
The vulnerable subdomain, liveblogat.redbull.com, runs on the .NET Framework.
I found this endpoint: /Unique_id/AllEvents.aspx
I tried to reflect special characters like " ' ) ( and they were reflected in the response.
I tried many payloads, but all of them were useless.
After some searching, I found this blog post and understood the flow of the request.
"ASP.NET maintains cookieless session state by automatically inserting a unique session ID into the page's URL. For example, the following URL has been modified by ASP.NET to include the unique ID lit3py55t21z5v55vlm25s55: http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx"
The default value of the SessionStateSection.Cookieless property is AutoDetect, which, for modern browsers, is equivalent to storing session IDs in a Cookie header (instead of putting it in a URL). But even explicitly forcing ASP.NET to disable the cookieless feature (setting the cookieless parameter to UseCookies in web.config) doesn't mean that ASP.NET will return any error for URLs with cookieless identifiers.
All this means that accessing http://localhost/(A(ABCD))/default.aspx will bring the same result as accessing http://localhost/default.aspx.
Moreover, even ResolveUrl will happily add these identifiers to the resolved path!
Let's take a quick peek at the documentation:
"If your application relies on cookieless sessions or might receive requests from mobile browsers that require cookieless sessions, using a tilde ("~") in a path can result in inadvertently creating a new session and potentially losing session data."
When opening http://localhost/(A(ABCD))/A/B/C/default.aspx, the (A(ABCD)) string is added to the Script.js path:
<script src="/(A(ABCD))/Script.js"></script>
The same occurs when accessing http://localhost/A/B/C/(A(ABCD))/default.aspx:
<script src="/(A(ABCD))/Script.js"></script>
As I promised you before, and as you can see now, we have control over the URI path!
And all this control leads us to an XSS:
http://liveblogat.redbull.com/(A(%22onerror=%22alert%601%60%22))/AllEvents.aspx
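As an added example (not code from the post, nor from ASP.NET itself), here is a small Python check that pulls cookieless identifiers out of request paths and flags any whose decoded value contains characters the framework would never generate, run over a few constructed access-log lines that include the paths quoted above. The allowed-character set for identifiers and the log line format are assumptions.

```python
import re
from urllib.parse import unquote

# Cookieless identifiers are path segments of the form (S(...)), (A(...)) or
# (F(...)); ASP.NET also accepts combinations such as (S(...)A(...)F(...)).
SEGMENT_RE = re.compile(r"/\(((?:[SAF]\([^()/]*\))+)\)(?=/|$)")
TOKEN_RE = re.compile(r"([SAF])\(([^()/]*)\)")
# Assumption for this example: identifiers the framework itself generates use
# only letters, digits, '-' and '_', so anything else is attacker-controlled input.
ALLOWED_ID = re.compile(r"^[A-Za-z0-9_-]+$")


def extract_cookieless_tokens(path):
    """Return [(kind, decoded_value), ...] for every cookieless token in a URL path."""
    tokens = []
    for seg in SEGMENT_RE.finditer(path):
        for kind, value in TOKEN_RE.findall(seg.group(1)):
            tokens.append((kind, unquote(value)))
    return tokens


def suspicious_tokens(path):
    """Tokens whose decoded value contains characters a real identifier never has."""
    return [(k, v) for k, v in extract_cookieless_tokens(path) if not ALLOWED_ID.fullmatch(v)]


def scan_access_log(lines):
    """Parse minimal access-log lines ('<ip> <method> <path> <status>') and flag hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # not a line in the assumed format
        ip, method, path, status = parts[:4]
        bad = suspicious_tokens(path)
        if bad:
            hits.append({"ip": ip, "path": path, "tokens": bad})
    return hits


# Constructed sample lines; the paths with identifiers are the ones quoted in the post.
SAMPLE_LOG = [
    "203.0.113.5 GET /(S(lit3py55t21z5v55vlm25s55))/orderform.aspx 200",
    "203.0.113.5 GET /A/B/C/(A(ABCD))/default.aspx 200",
    "198.51.100.7 GET /(A(%22onerror=%22alert%601%60%22))/AllEvents.aspx 200",
    "198.51.100.7 GET /default.aspx 200",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["tokens"])
```

Only the third sample line is reported, because the legitimate session ID and the ABCD placeholder both pass the identifier allowlist while the decoded payload does not.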
Thank you for reading.
Wait for the best.