Penetration Testing mailing list archives
RE: Pen-tester's analysis of .NET security?
From: "Joel Friedman" <jfriedman () datapipe com>
Date: Wed, 24 Mar 2004 20:53:20 -0500
Here is an excerpted copy of an email correspondence I had with Dinis Cruz, .Net Security Consultant

Thank you for interest in our Asp.Net security Research. I have compiled most of our Asp.Net content (including the security guides) in an unpublished paper called "Undocumented Asp.Net Security" (110 pages):

...

* You can download it from here: http://www.ddplus.net/projects/Undocumented_ASP.NET_Security_V0.91.zip

Because you need to ensure the security and resilience of your web servers, I would call your attention to the Asp.Net Security Analyzer (ANSA) web application, created and developed by us. ANSA has been donated to the OWASP (Open Web Application Security Project), and we are now active members on their DotNet developed efforts.

* Main OWASP DotNet page: http://www.owasp.org/dotnet

...

Joel Friedman, CISSP

-----Original Message-----
From: Lachniet, Mark [mailto:mlachniet () sequoianet com]
Sent: Wednesday, March 24, 2004 2:48 PM
To: pen-test () securityfocus com
Subject: Pen-tester's analysis of .NET security?

Is anyone aware of a whitepaper or analysis of the security features (and weaknesses?) of Microsoft's .NET platform for web applications? A number of interesting features, such as input validation and session tracking, are built into .NET, and I'd be interested to hear if anyone has kicked it around much.

Please note, I am *not* interested in references to Microsoft documentation, developer web sites, or conventional information sources, but rather information from the viewpoint of a pen-tester doing web application security analysis work.

Thank you in advance,

Mark Lachniet

---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
---------------------------------------------------------------------------