Penetration Testing mailing list archives
Re: Injection attacks in ASPX/ASP.NET applications
From: Krugger <merc4krugger () gmail com>
Date: Tue, 2 Sep 2008 11:24:53 +0100
Hi, I have very limited experience with ASP.NET, but just a few days ago I came across one of these applications. As others have said seems very green people are writing code these days. LDAP injection is likely on AD queries for auth as well as SQL injection as the user input is directly added to SQL statements without any kind of checks. The validate request allow for some XSS protection as it will give an error when passed unencoded html tags as input. Don't think it also covers SQL injection. For SQL injection prevention you should consider using something like prepared statements. Lookup SqlDataAdapter and pass parameters to the query. Krugger ------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Get 45 Min Video and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
Current thread:
- Re: Injection attacks in ASPX/ASP.NET applications Serg B (Sep 02)
- <Possible follow-ups>
- Re: Injection attacks in ASPX/ASP.NET applications Morning Wood (Sep 02)
- Re: Injection attacks in ASPX/ASP.NET applications Serg B (Sep 03)
- Re: Injection attacks in ASPX/ASP.NET applications Krugger (Sep 02)
- Re: Injection attacks in ASPX/ASP.NET applications David Howe (Sep 02)
- RE: Injection attacks in ASPX/ASP.NET applications Wong Yu Liang (Sep 02)
- RE: Injection attacks in ASPX/ASP.NET applications Pennington, Coby (Sep 03)
- Re: Injection attacks in ASPX/ASP.NET applications silky (Sep 03)
- Re: Injection attacks in ASPX/ASP.NET applications Wagner Elias (Sep 04)
- Re: Injection attacks in ASPX/ASP.NET applications Jorge L. Vazquez (Sep 04)
- Re: Injection attacks in ASPX/ASP.NET applications FF (Sep 02)
- Re: Injection attacks in ASPX/ASP.NET applications Marco Ivaldi (Sep 04)
- Re: Injection attacks in ASPX/ASP.NET applications Romain Gaucher (Sep 04)