ASP.Net XSS – How does this vulnerability work?


I have been tasked with fixing an XSS issue in an ASP.Net application, but I have never seen this kind of attack before, so first it would be great if I could understand how this is working, and then I need some help because I haven’t been able to fix it.

The attack goes like so:

https://example.com/AnyPageInTheApplication.aspx/(A('onerror='alert%601%60'testabcd))/ 

When I look at the network tab in Chrome’s dev tools I see that the request has been hijacked by the last section of the URL and the alert shows up, but I do not know how this is working. An explanation would be greatly appreciated.

To fix it I first looked at the application web.config file and I saw that the validateRequest switch is disabled so I changed it to true and the vulnerability is still there.

The application is really large and, according to some documentation on it, they apparently disabled the validateRequest switch because it is supposed to be handled on the server by some backend code, obviously not working, and I have yet to find out the reasons this application was designed this way (I’m very new to the company).

This issue begs a few questions:

  • Why does enabling the validateRequest switch not fix the issue?
  • Where else could I look for the potential problem?
  • Is there an alternative to fix this vulnerability other than validateRequest?