Penetration Testing mailing list archives
Re: Pen-tester's analysis of .NET security?
From: Jeff Bryner <jbryner1 () yahoo com>
Date: Wed, 24 Mar 2004 15:59:03 -0800 (PST)
--- Frank Knobbe wrote:
> However, even if ADODB and ODBC functions filter quotes, they do not filter <, >, and other HTML entities, causing XSS issues all over the place. So, saying ASP.NET does input validation seems to be a misleading statement.
ADODB doesn't, but .net 1.1 does filter for CSS input. Code up a basic page and enter <scrip in a text box and you'll trigger an HttpRequestValidationException.

Here's the closest 'white papers' I've found on the input validation:

Inside the 'new' validate:
http://weblogs.asp.net/vga/archive/2003/05/02/6329.aspx
(Interesting to note what it doesn't check: Headers and ServerVariables)

Flaw in it from last year:
http://weblogs.asp.net/gad/archive/2003/11/12/37219.aspx
http://www.securityfocus.com/bid/8562/discussion

What's not to like about default css validation:
http://www.mostlylucid.co.uk/posts/864.aspx

How to code your own validator in .net 1.0:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/scriptingprotection.asp

=====
Jeff
-----------------------
You... you can't dump me! I'm using your name for all my passwords! What exactly am I supposed to do about that!? - Justin Simoni
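Added example, not part of Jeff's post and not Microsoft's code: a small Python reimplementation of the kind of check ASP.NET 1.1 request validation performs, so a tester can see which inputs trip it and which sail through. The pattern rules (a `<` followed by a letter, `!`, `/` or `?`; `&#`; `on...=` event handlers; `script:`; `expression(`) are my reconstruction of the 1.1 heuristic and are an assumption, as is the choice of which request collections are inspected (QueryString, Form, Cookies) versus skipped (Headers, ServerVariables). The request values are constructed sample input.

```python
"""Approximation of ASP.NET 1.1 request validation (added example).

ASSUMPTION: the rules below are a reconstruction of the 1.1 heuristic,
not Microsoft's code. Use it to reason about coverage, not as a reference.
"""
import re
from typing import Dict, Optional, Tuple

ASCII_LETTERS = "abcdefghijklmnopqrstuvwxyz"


class HttpRequestValidationException(Exception):
    """Stand-in for System.Web.HttpRequestValidationException."""


# Word-shaped patterns the 1.1 validator also looked for (ASSUMPTION):
#   onXXX=          inline event handlers
#   script:         javascript:/vbscript: URLs
#   expression(     CSS expression() in IE
_WORD_PATTERNS = re.compile(r"on[a-z]+\s*=|script\s*:|expression\s*\(", re.IGNORECASE)


def is_dangerous_string(value: str) -> Tuple[bool, int]:
    """Return (dangerous, index_of_first_match).

    '<' is only dangerous when followed by an ASCII letter, '!', '/' or '?',
    which is why "a < b" and "<3" pass but "<scrip" and "x<y" do not.
    '&#' is flagged to catch numeric-entity encodings of '<'.
    """
    for i in range(len(value) - 1):
        ch, nxt = value[i], value[i + 1]
        if ch == "<" and (nxt.lower() in ASCII_LETTERS or nxt in "!/?"):
            return True, i
        if ch == "&" and nxt == "#":
            return True, i
    m = _WORD_PATTERNS.search(value)
    if m:
        return True, m.start()
    return False, -1


def validate_request(query: Optional[Dict[str, str]] = None,
                     form: Optional[Dict[str, str]] = None,
                     cookies: Optional[Dict[str, str]] = None,
                     headers: Optional[Dict[str, str]] = None) -> None:
    """Raise HttpRequestValidationException on the first dangerous value.

    Only QueryString, Form and Cookies are inspected. Headers (and
    ServerVariables) are intentionally not looked at, mirroring the gap
    pointed out in the thread: a payload reflected from Referer or
    User-Agent never reaches this check.
    """
    inspected = (("Request.QueryString", query or {}),
                 ("Request.Form", form or {}),
                 ("Request.Cookies", cookies or {}))
    for collection, items in inspected:
        for key, value in items.items():
            dangerous, pos = is_dangerous_string(value)
            if dangerous:
                raise HttpRequestValidationException(
                    f"A potentially dangerous {collection} value was detected "
                    f"from the client ({key}=\"{value[:pos + 6]}...\").")
    _ = headers  # present on the request, deliberately unchecked


def request_is_accepted(**collections: Dict[str, str]) -> bool:
    """True if the request would reach page code, False if validation throws."""
    try:
        validate_request(**collections)
    except HttpRequestValidationException:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests, one value each.
    samples = [
        ("form", {"comment": "<scrip"}),                        # rejected
        ("form", {"comment": "a < b"}),                         # accepted
        ("query", {"id": "1' OR '1'='1"}),                      # accepted: quotes are not its job
        ("cookies", {"theme": "img onerror=alert(1)"}),         # rejected
        ("headers", {"Referer": "<script>alert(1)</script>"}),  # accepted: headers not checked
    ]
    for collection, values in samples:
        ok = request_is_accepted(**{collection: values})
        print(f"{collection:8} {values!r:45} -> {'accepted' if ok else 'rejected'}")
```

Two things worth noting when running this against a real app: the check is syntactic, so SQL injection payloads and anything delivered through headers are outside its scope, and it rejects legitimate input such as `x<y`, which is why developers disable `ValidateRequest` on pages that need it and thereby remove the protection entirely.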
Current thread:
- Pen-tester's analysis of .NET security? Lachniet, Mark (Mar 24)
- Re: Pen-tester's analysis of .NET security? Frank Knobbe (Mar 24)
- Re: Pen-tester's analysis of .NET security? Frank Knobbe (Mar 24)
- Re: Pen-tester's analysis of .NET security? Jeff Bryner (Mar 24)
- Re: Pen-tester's analysis of .NET security? Frank Knobbe (Mar 25)
- Re: Pen-tester's analysis of .NET security? H D Moore (Mar 25)
- RE: Pen-tester's analysis of .NET security? Dominick Baier (Mar 26)
- RE: Pen-tester's analysis of .NET security? Frank Knobbe (Mar 26)
- Re: Pen-tester's analysis of .NET security? dd (Mar 26)
- RE: Pen-tester's analysis of .NET security? Dominick Baier (Mar 26)
- Re: Pen-tester's analysis of .NET security? Frank Knobbe (Mar 24)
- <Possible follow-ups>
- RE: Pen-tester's analysis of .NET security? Joel Friedman (Mar 25)
- RE: Pen-tester's analysis of .NET security? Dinis Cruz (Mar 26)
- RE: Pen-tester's analysis of .NET security? Lachniet, Mark (Mar 25)
- RE: Pen-tester's analysis of .NET security? Jeff Bryner (Mar 25)
- RE: Pen-tester's analysis of .NET security? Lachniet, Mark (Mar 25)