Penetration Testing mailing list archives
RE: Pen-tester's analysis of .NET security?
From: Jeff Bryner <jbryner1 () yahoo com>
Date: Thu, 25 Mar 2004 09:06:06 -0800 (PST)
--- "Lachniet, Mark" wrote:
Actually, I believe .NET does convert the naughty strings to safe representations that are not interpreted as HTML by the browser, in the body anyway...
I just dealt with this in an app yesterday. It doesn't do any of that automatically... you've got to catch the exception at the application (not page) level and then explicitly handle the validation exception. You can turn the validation off and then htmlencode input, but that defeats the whole purpose of the css validation check. I think this is one area where msoft has done what people have been asking for for years: turn security on by default, make it a distinct choice to take handling unsafe input on yourself, and give you the tools to do it.
However, it does *not* do this in the headers - esp. the "Location:" header. But how difficult is this to exploit in the real world?
It would be interesting to try some of the caching vulnerabilities, or inject something in the server variables which also aren't checked...haven't had time yet.
-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]

But isn't that all it does? I mean, you are still left with converting the content of the caught string yourself, using HTMLEncode or similar.
If you try/catch the exception; otherwise your web application will barf up a server error (it treats it as an HTTP 500 error), i.e. if .NET catches it and you don't, you'll never see the string.
In other words, all it does is detect that dangerous characters are present. It doesn't protect you by converting them.
It interrupts the application on detection of dangerous strings. You've got to code specifically for receiving dangerous strings that it detects.
Which means you are still left to do the conversion (and space trimming, and cutting to maxlength....) yourself...
True, it's not a check for SQL injection or buffer overflow or format string protection. Just a css validation check. Got to use those regular expressions....

=====
Jeff
-----------------------
You... you can't dump me! I'm using your name for all my passwords! What exactly am I supposed to do about that!? - Justin Simoni
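The two handling paths Jeff and Frank are discussing, shown as an added illustration rather than code from the thread: an application-level catch of the request validation exception in Global.asax, and a page that switches validation off and therefore encodes, trims and truncates the input itself. The page name, form field name, control name, 500-character limit and Log sink are assumptions.

```csharp
// Global.asax.cs (ASP.NET 1.x). Request validation throws
// HttpRequestValidationException on HTML-looking input; left uncaught it
// surfaces as an HTTP 500. Application_Error is the application-level hook
// where it can be turned into a controlled response. Added illustration.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        // The real exception is often wrapped in an HttpUnhandledException.
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        if (ex is HttpRequestValidationException)
        {
            // Assumed logging sink; record source and URL, never the raw input.
            Log("Request validation rejected input from "
                + Request.UserHostAddress + " on " + Request.RawUrl);
            Server.ClearError();            // suppress the default 500 page
            Response.Clear();
            Response.StatusCode = 400;
            Response.Write("The request contained characters that are not allowed.");
            Response.End();
        }
    }

    private static void Log(string message) { /* assumed sink */ }
}

// Comment.aspx with <%@ Page ValidateRequest="false" %>: the check is off
// for this page only, so every echo of the input must be encoded by hand,
// and the trimming/maxlength Frank mentions is also the page's job.
public class CommentPage : Page
{
    protected Literal Echo;                              // assumed control

    protected void Page_Load(object sender, EventArgs e)
    {
        string raw = Request.Form["comment"];            // assumed field
        if (raw == null) return;
        raw = raw.Trim();
        if (raw.Length > 500) raw = raw.Substring(0, 500); // assumed limit
        // "<script>" is rendered as "&lt;script&gt;", inert in the browser.
        Echo.Text = HttpUtility.HtmlEncode(raw);
    }
}
```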