Persistent XSS in miniprofiler


#1

While pen testing an internal website that is using miniprofiler, I found a persistent cross-site scripting vulnerability:

curl 'http://<victim website>/ILoveXSS?"\><script>alert(document.cookie)</script>'

Have the victim navigate to http://<victim website>/mini-profiler-resources/results or email the share URL.

I looks like the"\> is the magic that is breaking whatever sanitization is happening in miniprofiler. Playing around with variations of this tends to not land the JavaScript in the victim browser correctly.

I’m not sure what version we are running internally but I’m assuming that it’s a fairly recent release. The attack seems to require using curl to set everything up, I’m assuming that trying to use a browser to initiate the attack results in all the angle brackets and such being escaped.

Tested in Chrome and Firefox. Didn’t bother with IE.


#2

Hmmm I can not repro this in rack-mini-profiler, are you seeing this in the Ruby version or .NET one?