# Asp.Net Zero v12.3.0 - HTML Injection Leads To Open Redirect via Websockets (CVE-2023-48003)

### Details

An open redirect through HTML injection in user messages in Asp.Net Zero before 12.3.0 allows remote attackers to redirect targeted victims to any URL via a `<meta http-equiv="refresh">` tag in WebSocket messages.

<pre><code># Exploit Title: Asp.Net Zero v12.3.0 - HTML Injection Leads To Open Redirect via Websockets
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://aspnetzero.com/
# Software Link: https://aspnetzero.com/
# Version: Asp.Net Zero &#x3C; v12.3.0

# Proof Of Concept
Messages are transmitted over WebSockets. A user can redirect the victim user to an arbitrary URL through a message.
<strong>1. Send the following as a message to the targeted online user:</strong>

&#x3C;META HTTP-EQUIV="refresh" CONTENT="0;url=https://target-url/">

2. The redirection is triggered without interaction when the message sent by the attacker appears on the victim user's dashboard.

</code></pre>
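The general remedy for this class of issue is to HTML-encode a received message at the point where it is written into the page, and to log messages that carry a refresh tag. The sketch below is an added example, not Asp.Net Zero's code or the exploit author's; the function names and the `chat-message` markup are hypothetical, and the sample message is the PoC string from this page.

```javascript
// Added example: illustrative only, not Asp.Net Zero code. All names are hypothetical.

// Encode the HTML-significant characters so a message renders as text, not markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeForHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Detection helper for raw message bodies: returns the redirect target of the
// first <meta http-equiv="refresh"> tag, '' if the tag has no url=, or null if
// no such tag is present. Tags may span lines, as in the PoC.
function findMetaRefreshTarget(message) {
  const tags = String(message).match(/<meta\b[^>]*>/gi) || [];
  for (const tag of tags) {
    if (!/http-equiv\s*=\s*["']?\s*refresh/i.test(tag)) continue;
    const content = tag.match(/content\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
    const value = content ? (content[1] || content[2] || content[3] || '') : '';
    const url = value.match(/url\s*=\s*['"]?([^'"]*)/i);
    return url ? url[1].trim() : '';
  }
  return null;
}

// Vulnerable pattern: the message body is concatenated into markup unchanged,
// so a browser parsing this string honours the refresh tag.
function renderMessageUnsafe(message) {
  return `<div class="chat-message">${message}</div>`;
}

// Hardened pattern: the body is encoded first, so the tag is displayed as text.
function renderMessageSafe(message) {
  return `<div class="chat-message">${encodeForHtml(message)}</div>`;
}

// Constructed sample input: the PoC string from this page, split over two lines.
const SAMPLE_MESSAGE = '<META HTTP-EQUIV="refresh"\nCONTENT="0;url=https://target-url/">';

console.log('flagged target:', findMetaRefreshTarget(SAMPLE_MESSAGE));
console.log('unsafe:', renderMessageUnsafe(SAMPLE_MESSAGE));
console.log('safe:  ', renderMessageSafe(SAMPLE_MESSAGE));
```

In a browser client the same effect comes from assigning the message to `textContent` instead of `innerHTML`.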

### Proof Of Concept

{% embed url="https://github.com/passtheticket/vulnerability-research/blob/main/aspnetzero_html_injection_via_websockets_messages.md" %}
