Penetration Testing mailing list archives

Re: Injection attacks in ASPX/ASP.NET applications


From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Mon, 01 Sep 2008 12:43:27 +0100

Serg B wrote:
I was under the impression that an SQL injection is a flaw based on an
individual's programming ability and not the language itself.

To me, what you are saying sounds like: a car model X is crap because
the driver crashed it into a tree.

.. by setting "autocruise" and letting go of the wheel to answer his phone.

ASP.NET is no more or less secure than almost any other server-side executable; almost invariably though, someone comes along trying to tout their (usually platform-specific or proprietary) language du jour as the most secure ever because... when in fact it could possibly offer some security advantages over another language (fewer buffer overflows in standard library functions, for example) but you can still write insecure code in it more easily than secure code.

That said, a language that is inherently secure *is* possible, but nobody would ever use it as the limitations would be too great (no file system access under any circumstances, no IP connectivity other than via the query/response channel in the webserver, and so forth).
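To illustrate the point that the same ASP.NET platform supports both the insecure and the secure way of issuing a query, here is an added example (not from the thread, and not from any project it mentions): one lookup written with string concatenation, and the same lookup written with a typed parameter. The Users table, its columns and the SqlConnection the caller passes in are assumptions for the sake of the illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical ASP.NET code-behind helper; the Users table and its columns are assumed.
public static class UserLookup
{
    // Insecure form: the caller's text is spliced into the statement, so the
    // statement's structure is decided by whoever controls userName, not by the
    // programmer. A quote character in the input changes the query itself.
    public static DataTable FindUserUnsafe(SqlConnection conn, string userName)
    {
        string sql = "SELECT Id, UserName FROM Users WHERE UserName = '" + userName + "'";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // Hardened form: identical query, but the value is sent as a typed parameter.
    // The statement text is fixed in the source and the input can only ever be data,
    // so no quoting or escaping of userName is needed or relied upon.
    public static DataTable FindUserSafe(SqlConnection conn, string userName)
    {
        const string sql = "SELECT Id, UserName FROM Users WHERE UserName = @userName";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

Both methods compile and run against the same database; the difference is entirely in how the programmer chose to build the statement, which is the thread's point.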
