Penetration Testing mailing list archives
Injection attacks in ASPX/ASP.NET applications
From: "Nikhil Wagholikar" <visitnikhil () gmail com>
Date: Sat, 30 Aug 2008 00:21:38 +0530
Hello All,

Nowadays lots of websites/web-based applications are developed in ASP.NET. The ASP.NET implementation is considered to be one of the most secure implementations of all technologies currently available in the market. One of the reasons for this is ASP.NET's powerful built-in security feature, which doesn't execute any malicious inputs from the client.

It would be great if anyone could share their experience about hacking into an ASP.NET (basically ASPX) application through "Injection" vulnerabilities/attacks.

Basically I wish to hear your views on:

1. What are the problems with ASP.NET's built-in features? (like <customErrors mode="Off"> by default).
2. What input can be given that can easily/is guaranteed to bypass ASP.NET's built-in security feature? (Ex: SQL Injection is still possible in ASPX even when ValidateRequest="true" is present)
3. Is there any tool specially developed for finding vulnerabilities in ASP.NET applications from a penetration testing/vulnerability assessment point of view?
4. Is there any free tool and thorough methodology that could help one in doing source code audit/review of an ASP.NET (ASPX) application? (I know one tool to be scancode.py)

Thanks in advance.

---
Nikhil Wagholikar
Practice Lead | Security Assessment and Digital Forensics
NII Consulting
Web: http://www.niiconsulting.com/
Security Product: http://www.niiconsulting.com/Products.html
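The point in question 2 about ValidateRequest, as an added example that is not part of the original post: request validation screens for markup-like input, so it has no bearing on how a page builds its SQL, and the fix is a parameterized query. The page class, the `Orders` table, the `AppDb` connection string name and the `ResultsGrid` control (a GridView assumed to be declared in the .aspx markup) are all hypothetical.

```csharp
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

// Hypothetical code-behind for a page declared with ValidateRequest="true".
// A value made only of quotes and SQL keywords is not markup, so request
// validation lets it through to the data-access code below.
public partial class OrderLookup : Page
{
    // Assumed connection string name; not from the original post.
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

    // Vulnerable form, kept for contrast: the request value becomes part of
    // the SQL text, so the client can change the structure of the statement.
    private static DataTable FindOrdersUnsafe(string customer)
    {
        string sql = "SELECT Id, Total FROM Orders WHERE Customer = '" + customer + "'";
        using (var da = new SqlDataAdapter(sql, ConnStr))
        {
            var table = new DataTable();
            da.Fill(table);
            return table;
        }
    }

    // Hardened form: the SQL text is constant and the value travels as a
    // typed parameter, so it is only ever compared as data.
    private static DataTable FindOrdersSafe(string customer)
    {
        const string sql = "SELECT Id, Total FROM Orders WHERE Customer = @customer";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@customer", SqlDbType.NVarChar, 100).Value = customer ?? string.Empty;
            var table = new DataTable();
            da.Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }

    protected void Page_Load(object sender, System.EventArgs e)
    {
        ResultsGrid.DataSource = FindOrdersSafe(Request.QueryString["customer"]);
        ResultsGrid.DataBind();
    }
}
```

In a source review of an ASPX application, any `SqlCommand` or `SqlDataAdapter` whose command text is assembled with string concatenation or `String.Format` from request data is the pattern to flag, whatever the page's ValidateRequest setting.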