Penetration Testing mailing list archives
RE: Pen-tester's analysis of .NET security?
From: "Lachniet, Mark" <mlachniet () sequoianet com>
Date: Thu, 25 Mar 2004 09:23:11 -0500
Actually, I believe .NET does convert the naughty strings to safe representations that are not interpreted as HTML by the browser, in the body anyway... However, it does *not* do this in the headers - esp. the "Location:" header. But how difficult is this to exploit in the real world?

Mark Lachniet
-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Wednesday, March 24, 2004 7:28 PM
To: jeff () jeffbryner com
Cc: Lachniet, Mark; pen-test () securityfocus com
Subject: Re: Pen-tester's analysis of .NET security?

On Wed, 2004-03-24 at 17:59, Jeff Bryner wrote:
> ADODB doesn't but .net 1.1 does filter for CSS input. Code up a basic
> page and enter <scrip in a text box and you'll trigger a
> HttpRequestValidationException

I see. So it checks at request time when you use HttpRequest. (Sorry, I had my mind on the database facing side :)

But isn't that all it does? I mean, you are still left with converting the content of the caught string yourself, using HTMLEncode or similar. In other words, all it does is detect that dangerous characters are present. It doesn't protect you by converting them. Which means you are still left to do the conversion (and space trimming, and cutting to maxlength....) yourself...

Regards,
Frank
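The distinction drawn in the thread, as an added example that is not part of either message: request validation only detects, so body output still needs trimming, length capping and encoding, and a value bound for the "Location:" header needs its own check because HTML encoding does not apply there. The class and method names are hypothetical, and `System.Net.WebUtility.HtmlEncode` (from a later framework than the .NET 1.1 under discussion) is used in place of `HttpUtility.HtmlEncode` so the code runs as a console program.

```csharp
// Added example with constructed inputs; not code from the thread.
using System;
using System.Net;

static class OutputHandling
{
    // Body context: trim, cap the length, then HTML-encode at output time.
    // Request validation only rejects a request; it performs none of these steps.
    public static string ForHtmlBody(string input, int maxLength)
    {
        string s = (input ?? "").Trim();
        if (s.Length > maxLength) s = s.Substring(0, maxLength);
        return WebUtility.HtmlEncode(s);
    }

    // Header context: HTML encoding is the wrong tool for "Location:".
    // Accept only a site-relative path with no control characters and
    // fall back to a fixed page for everything else.
    public static string ForLocationHeader(string target, string fallback)
    {
        if (string.IsNullOrEmpty(target)) return fallback;
        foreach (char c in target)
            if (char.IsControl(c)) return fallback;   // covers CR and LF
        if (target[0] != '/') return fallback;        // must start at the site root
        if (target.Length > 1 && (target[1] == '/' || target[1] == '\\'))
            return fallback;                          // "//host" leaves the site
        return target;
    }

    static void Main()
    {
        // Constructed sample values.
        Console.WriteLine(ForHtmlBody("  <b>hi</b> & bye  ", 12));
        Console.WriteLine(ForLocationHeader("/account/home", "/"));
        Console.WriteLine(ForLocationHeader("/next\r\nX-Injected: 1", "/"));
        Console.WriteLine(ForLocationHeader("//other.example/", "/"));
    }
}
```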