Re: Pen-tester's analysis of .NET security?

[Jeff Bryner <jbryner1 () yahoo com>]

--- Frank Knobbe wrote:
> However, even if ADODB and ODBC functions filter quotes, they do not
> filter <, >, and other HTML entities, causing XSS issues all over the
> place. So, saying ASP.NET does input validation seems to be a
> misleading
> statement.
ADODB doesn't but .net 1.1 does filter for CSS input. Code up a basic
page and enter <scrip in a text box and you'll trigger a
HttpRequestValidationException 

Here's the closest 'white papers' I've found on the input validation: 

Inside the 'new' validate: 
http://weblogs.asp.net/vga/archive/2003/05/02/6329.aspx
(Interesting to note what it doesn't check: Headers and
ServerVariables)

Flaw in it from last year: 
http://weblogs.asp.net/gad/archive/2003/11/12/37219.aspx
http://www.securityfocus.com/bid/8562/discussion

What's not to like about default css validation: 
http://www.mostlylucid.co.uk/posts/864.aspx

How to code your own validator in .net 1.0:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/scriptingprotection.asp




=====
Jeff
-----------------------
You... you can't dump me! I'm using your name for all my passwords! What exactly am I supposed to do about that!? 

- Justin Simoni

__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html

---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------