Penetration Testing mailing list archives
Re: Pen-tester's analysis of .NET security?
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 24 Mar 2004 15:39:21 -0600
On Wed, 2004-03-24 at 13:47, Lachniet, Mark wrote:
> Is anyone aware of a whitepaper or analysis of the security features (and weaknesses?) of Microsoft's .NET platform for web applications? A number of interesting features, such as input validation and session tracking, are built into .NET, and I'd be interested to hear if anyone has kicked it around much.
Can't help with white papers, but while doing reviews of sites "powered by ASP.NET" I noticed that these mostly use ADODB connections, which do escape quotes. I guess the potential is still there to write code that uses ODBC-type queries where you can shoot yourself in the foot. However, even if ADODB and ODBC functions filter quotes, they do not filter <, >, and other HTML entities, causing XSS issues all over the place. So, saying ASP.NET does input validation seems to be a misleading statement.

(And session tracking has been around for a while now... not sure what they mean by that.... Yeah, ASPSESSIONID looks different these days, but... the point?)

In my opinion, the web developers (as well as the db guys in the back) still have the duty to perform input validation themselves, and not trust claims that an OS vendor throws out in marketing materials. Also, proper length checking should be done there as well.

Regards,
<%=strleft(htmlentities(trim(request("Frank"))),50)%>
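The distinction Frank draws above (quote escaping for the database does nothing for HTML output) and the trim/encode/length-check pipeline in his signature, as an added example written for this archive page in Python rather than ASP; it is not code from the original post. `sql_quote_escape` is an assumed stand-in for the quote doubling a data-access layer applies, and the sample inputs are constructed. It also shows the edge case where truncating after encoding (the signature's order) can cut an entity in half.

```python
import html

# Length cap for this example, matching the 50 in the signature.
MAX_LEN = 50

# Constructed sample inputs: an XSS probe, a name with a quote, a long run of '<'.
SAMPLE_INPUTS = [
    "<script>alert(1)</script>",
    "O'Brien",
    "<" * 60,
]


def sql_quote_escape(value: str) -> str:
    """Assumed stand-in for a data-access layer's quote doubling.
    This is what a SQL string literal needs; it leaves HTML untouched."""
    return value.replace("'", "''")


def encode_then_truncate(value: str, max_len: int = MAX_LEN) -> str:
    """The signature's order: htmlentities first, then strleft.
    Truncating an already-encoded string can split an entity such as '&lt;'."""
    return html.escape(value.strip(), quote=True)[:max_len]


def html_output_encode(value: str, max_len: int = MAX_LEN) -> str:
    """Defensive order: trim, apply the length check to the raw text,
    then HTML-encode, so every entity in the output is whole."""
    cleaned = value.strip()[:max_len]
    return html.escape(cleaned, quote=True)


def compare(value: str) -> dict:
    """Show the same input after SQL-style escaping and after HTML encoding."""
    return {
        "sql_escaped": sql_quote_escape(value),
        "html_encoded": html_output_encode(value),
    }


if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print(compare(sample))
```

The first sample passes through `sql_quote_escape` unchanged, which is exactly why a quote filter in the data layer says nothing about XSS on the page.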