Penetration Testing mailing list archives
Re: Pen-tester's analysis of .NET security?
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 24 Mar 2004 17:24:12 -0600
Sorry, gotta correct myself.
Can't help with white papers, but while doing reviews of sites "powered by ASP.NET" I noticed that these mostly use ADODB connections which *MAY* escape quotes.
The web app I'm looking at currently was not vulnerable to quotes. But I just came across additional quote escaping before the command string hits the ADODB.Command object. Perhaps ADODB is still vulnerable. In either case, never trust the OS. :)
-Frank