RE: Pen-tester's analysis of .NET security?

["Lachniet, Mark" <mlachniet () sequoianet com>]

Actually, I believe .NET does convert the naughty strings to safe
representations that are not interpreted as HTML by the browser, in the
body anyway...

However, it does *not* do this in the headers - esp. the "Location:"
header.  But how difficult is this to exploit in the real world?

Mark Lachniet

> -----Original Message-----
> From: Frank Knobbe [mailto:frank () knobbe us] 
> Sent: Wednesday, March 24, 2004 7:28 PM
> To: jeff () jeffbryner com
> Cc: Lachniet, Mark; pen-test () securityfocus com
> Subject: Re: Pen-tester's analysis of .NET security?
>
> On Wed, 2004-03-24 at 17:59, Jeff Bryner wrote:
> > ADODB doesn't but .net 1.1 does filter for CSS input. Code 
> up a basic 
> > page and enter <scrip in a text box and you'll trigger a 
> > HttpRequestValidationException
>
> I see. So it checks at request time when you use HttpRequest. 
> (Sorry, I had my mind on the database facing side :)
>
> But isn't that all it does? I mean, you are still left with 
> converting the content of the caught string yourself, using 
> HTMLEncode or similar.
> In other words, all it does is detect that dangerous 
> characters are present. It doesn't protect you by converting them.
>
> Which means you are still left to do the conversion (and 
> space trimming, and cutting to maxlength....) yourself...
>
> Regards,
> Frank

---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------