Stored XSS Via Viewstate

While researching I have found that Stored XSS can be found Via Viewstate Parameter even when Viewstates Mac is Encrypted. The actual cause of this vulnerability existence is that the viewstate parameters value is not properly getting decoded on the server-side therefore any XSS payload in this paramter will get excuted and if there is any filter then it can be bypassed by converting the XSS payload in base 64 payload.

Steps to execute this attack are as following:

1. First input any random data in login page and submit it on any aspx application.

2. intercept the using burp proxy if there is any client side validation submitted request then modify the actual  viewstate parameter as shown below.

__VIEWSTATE=oJ8hAgVek8ugvqZtQ8vy9baHA1JCMeiHO0LxTIPJT0HfnQeGqLUkBqqp%2Fn%2FNhlfxnOzTZMuhKC2wyoCSHbo9pLsXD3kA8Y9fRx%2F1c8HvBHZnz3B4VkL6%2FkzBmGhZr8vEI7eTwScjrz1skp0cOJK%2Fr1dNP3Umh0jaS%2FyBkAH2Ikan9iMQBtmaLmy6m0%2BFFwA1fGgBgk60iYonO5182BdA%2FsZ8pdZnaDRPpY1q3RORFbbZ2WfZKsYhviogwsPldBOSLyOVrS9kRwU4DCDK5uE5RkgEU7ggZmxaOtSfbicezf%2BttQxsRysfMRmK%2F94r63f%2BsQxKrM2udYbpT0s%2FWiUDPmnB50oIltm1FHGm%2BYLu0PgL9RTP

to __VIEWSTATE=<scripts>alert(document.cookie)</script> the intercepted request

Also the XSS Payload <scripts>alert(document.cookie)</script> can be converted to base 64 Jmx0O3NjcmlwdHMmZ3Q7YWxlcnQoZG9jdW1lbnQuY29va2llKSZsdDsvc2NyaXB0Jmd0Ow==

3. now forward the request using burp web proxy

4. the javascript payload will execute on the client side as there the decoding of the base 64 value in viewstate parameter is not properly decoded on the server side therefore the malicious XSS payload will not be sanitized on the server side and if there is no HTTP only cookie attribute is implemented so the attacker can get all the authentication session cookies of the victim.

Or

5. using the web proxy burp we were able to inject the XSS payload and it also executed successfully after modifying and forwarding the intercept request but the interesting thing is that this payload was successfully executed using the vulnerable Viewstate parameter then this payload actually got stored in the server side and the XSS vulnerable page redirected to an error webpage with a different Url, then we copied and opened this Error page Url in another browser. As the XSS payload is stored on the server side so this XSS payload got executed again and again. So, the same attack can now be done without any web proxy like burp as the malicious XSS payload is stored on the server side and that can be reused using the error page Url which was generated after the execution of malicious XSS payload using the web proxy burp.

Malicious Url with Stored XSS Payload:

https://vulnerablesite.com/Error.aspx?parameter=vKJp31W6plKC1+MfxM3z/K6F3rbyiQeRCXHy/YbkgoBg94PMC17/UXcJIpNI9B4syvRRcsKLAdRrV3GAD9FdNYPMbeGuWK4d+PxU2rrWZJ3B8Szg283u9f71W7gw6CmRUfNG0ixyGFVsvsDAx8UEHVZ6LEfXo49SclUuUOruiHmdF99v7PtOAwd4aGDBSTB3dQX3DfgxZSr3Oiwkuf627ni0IWPU74Fqo0XTyJSXLT18H56LNeoG2F8G3CqsofnbJaMZnYD4Evu445EMpAJQZ+R9n0JV0uXHLVfh+ERAl+snQMi+CgAvv6YPWl5ygPJ45s+NLdKZXH8lkhlx2CM33dCi2AbBwci3yOAHpOFakr+Qa0V5WV8hA/b5gFcWK5WN3h0qD4zq+YqCPfMb+3V1jd86+yD5MGYLfsgUv7X8KZ8obDVRIFslWrXApYF7Nz1lDOC8PkLmulHs193yLchYDKM/Ie2uckvLGxcKflcY3RfTiQMLIDb99Z2Yp3F84VT3t0PqVa6hu37pvSj1ROuRRHsQLDCAnIizlVvfffaDfnhkLwMG5HSqac9bwp5yZX2MeZ07AIe64a/TZwcvicZsMZlI/jJ8Ul8CMIjGbihGO93E/53tnqAjHkk0Lv2jAjrsK83Q+m0yeJnvT5S3dQkVvqccfsO9DZk/i3I4vAB9y9qYCo4j3JzzAeMoydbQ20JOugn0BXPGyYtxPkih4qkYLwMjB2Yltoxj24hOCez9cGelxFI1S8iO0lnNEdasKWpFE1cE3dUcJf5SeJR/tgkAR0kU+M0Vby7SWG+Umu/8/PVXyd4BqXtJJqfi5nz2Eh94o5/kZoPjGHWDvGNuzLVCqloL3qgIxva+EqjHUzk7U17DFa34HxhcvGLUzNNzYnJhll/n4Ao1BhrTv2dIhuyeZXjEuwbA0S6YN13s3/9p6GyEvraIVSBSIPZtxXcfU/PLP4YUehqr/6R3/PWh5So4y4DlvyMepPeVd0OLnvDq+OJ3BbqhUxSDZRlJhQA3sedE+YsJ9lQFUKLUb2fBqLqyKzMDwikf0tmB5q/BOEOi5GEW+IaYVhSXJXJxtoTcpHY21ovviuZp85cXYCUqqbp044uCLMQqtqZtyxyGkL/BVY7+9pjiQrr+g8OBhpNjLfthkWVoptz/WcoRVHY7X5wZBp==

Impact:

Client-side code (like JavaScript) can be injected into the web application which is then returned to the user's browser. This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.)

Recommendation:

User inputs must be validated and filtered before being returned as part of the HTML code of a page. Don't rely on this security mechanism to protect against Cross-Site Scripting and SQL injection attacks. Make sure that proper input validation is built into web applications.