Penetration Testing mailing list archives

Re: Pen-tester's analysis of .NET security?


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 24 Mar 2004 15:39:21 -0600

On Wed, 2004-03-24 at 13:47, Lachniet, Mark wrote:
> Is anyone aware of a whitepaper or analysis of the security features
> (and weaknesses?) of Microsoft's .NET platform for web applications?  A
> number of interesting features, such as input validation and session
> tracking, are built into .NET, and I'd be interested to hear if anyone
> has kicked it around much.

Can't help with white papers, but while doing reviews of sites "powered
by ASP.NET" I noticed that these mostly use ADODB connections, which do
escape quotes. I guess the potential is still there to write code that
uses ODBC-type queries, with which you can shoot yourself in the foot.

However, even if ADODB and ODBC functions filter quotes, they do not
filter <, >, and other HTML entities, causing XSS issues all over the
place. So, saying ASP.NET does input validation seems to be a misleading
statement.
(And session tracking has been around for a while now... not sure what
they mean by that.... Yeah, ASPSESSIONID looks different these days,
but... the point?)


In my opinion, the web developers (as well as the db guys in the back)
still have the duty to perform input validation themselves, and not
trust claims that an OS vendor throws out in marketing materials. Also,
proper length checking should be done there as well.

Regards,
<%=strleft(htmlentities(trim(request("Frank"))),50)%>
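Added example, not code from the thread: a short Python illustration of the point made above, that doubling quotes for SQL leaves HTML markup intact, so output encoding and a length cap (the trim / htmlentities / strleft(…,50) steps of the signature) have to be applied separately. The quote-doubling helper is a constructed stand-in for what ADODB does to string literals, not the library's own code, and the sample input is constructed.

```python
import html

# Constructed sample of what a form field might carry: a SQL quote plus markup.
SAMPLE_INPUT = "  O'Brien <script>alert(1)</script>  "


def escape_sql_quotes(value: str) -> str:
    """Quote-doubling of the kind ADODB applies inside SQL string literals.

    Illustrative stand-in only; real code should use parameterized queries.
    """
    return value.replace("'", "''")


def html_encode(value: str) -> str:
    """Encode &, <, >, ' and " so a browser renders the value as text, not tags."""
    return html.escape(value, quote=True)


def contains_markup(value: str) -> bool:
    """True if raw angle brackets survive, i.e. the value could still parse as HTML."""
    return "<" in value or ">" in value


def encode_then_truncate(raw: str, max_len: int = 50) -> str:
    """The literal order of the signature: trim, HTML-encode, then cut to max_len.

    Cutting after encoding can split an entity such as &lt; into a dangling &l.
    """
    return html_encode(raw.strip())[:max_len]


def prepare_for_page(raw: str, max_len: int = 50) -> str:
    """Same three steps, but the length check is applied to the raw text and
    the encoding is done last, so the cut never lands inside an entity."""
    return html_encode(raw.strip()[:max_len])


if __name__ == "__main__":
    sql_literal = escape_sql_quotes(SAMPLE_INPUT.strip())
    print("SQL-escaped:", sql_literal)                    # quotes doubled, <script> intact
    print("markup survives:", contains_markup(sql_literal))
    print("page-safe:", prepare_for_page(SAMPLE_INPUT))   # &lt;script&gt;... no raw tags
```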
