Penetration Testing mailing list archives

RE: Pen-tester's analysis of .NET security?


From: "Lachniet, Mark" <mlachniet () sequoianet com>
Date: Thu, 25 Mar 2004 12:37:57 -0500

Sorry, I wasn't being clear - what I am trying to describe is what
happens when the default .NET error trace trapping is turned on, and you
get an exception (from an XSS attack, etc.)  At this point, it will
throw up an error message stating that an XSS attack was attempted, and
reiterate the bad input you gave it, but sanitize it so it's not
interpreted as HTML.  This sanitization only happens in the HTML body,
not the Location header.  

Obviously it would vary greatly depending on how it's implemented, and
many people probably don't use it.

As noted in the URL given below:

----------snip--------------
 
The forgotten collections

As far as I can tell there seems to be no checking against the Headers
and ServerVariables collections. I agree these are not so 'popular' as
the previous three, but if the attempt was to offer maximum security
right out of the box I don't know why they've been excluded. Anyway, it
should be great to hear some 'official' comments on this :)

Mark Lachniet

-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us] 
Sent: Thursday, March 25, 2004 12:11 PM
To: Lachniet, Mark
Cc: jeff () jeffbryner com
Subject: RE: Pen-tester's analysis of .NET security?

On Thu, 2004-03-25 at 08:23, Lachniet, Mark wrote:
Actually, I believe .NET does convert the naughty strings to safe 
representations that are not interpreted as HTML by the browser, in 
the body anyway...

However, it does *not* do this in the headers - esp. the "Location:"
header.  But how difficult is this to exploit in the real world?

Mark,

according to the URL Jeff has referenced 
(http://weblogs.asp.net/vga/archive/2003/05/02/6329.aspx), it 
only validates input.

Where do you think the conversion takes place? On output to 
the browser behind the scenes? Or do we have to pipe all 
output through a function now?

The way I read that link above is that the HTTP Request 
handler can optionally check for dangerous characters, and if 
found, throw an error page. Or am I reading the wrong reference?

Regards,
Frank


PS: I know it doesn't do all this automatically because the 
webapp I've been currently looking at is run by .NET and 
vulnerable to XSS all over the place :)
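The gap the thread describes, a Headers collection that request validation never looks at and a Location header that HTML encoding cannot protect, as an added example that is not code from the thread, from the referenced weblog or from Microsoft. It assumes an ASP.NET 1.1 Web Forms application; the HeaderGuard class and its regular expression are this example's own stand-in for a dangerous-string test, not the framework's validation logic.

```csharp
// Added example, not from the thread. Assumes ASP.NET 1.1 Web Forms with request
// validation left at its default (on). The framework checks QueryString, Form and
// Cookies; the Headers collection is not checked, so this helper runs a comparable
// test over it by hand, and refuses to build a Location header from any value that
// is not a plain site-relative path (HTML encoding is no help inside a header).
using System;
using System.Text.RegularExpressions;
using System.Web;

public class HeaderGuard
{
    // Stand-in for a "dangerous string" test: '<' followed by a letter, '!', '/'
    // or '?', or a numeric character reference. Written for this example; it is
    // an approximation, not the framework's own validation code.
    private static readonly Regex dangerous =
        new Regex(@"<[A-Za-z!/?]|&#", RegexOptions.Compiled);

    public static bool IsDangerous(string value)
    {
        return value != null && dangerous.IsMatch(value);
    }

    // Reject the request outright, as the framework does for the collections
    // it validates, instead of reflecting the value into an error page.
    public static void ValidateHeaders(HttpRequest request)
    {
        foreach (string name in request.Headers.AllKeys)
        {
            if (IsDangerous(request.Headers[name]))
            {
                throw new HttpException(400,
                    "Potentially dangerous value found in header '" + name + "'.");
            }
        }
    }

    // A redirect target is accepted only as a site-relative path: no CR/LF (which
    // would end the Location header early), no scheme or "//" prefix (which would
    // leave the site), and no backslash (some browsers normalise it to a slash).
    public static bool IsSafeRedirectTarget(string target)
    {
        if (target == null || target.Length == 0) return false;
        if (target.IndexOfAny(new char[] { '\r', '\n', '\\' }) >= 0) return false;
        if (!target.StartsWith("/") || target.StartsWith("//")) return false;
        return true;
    }

    public static void SafeRedirect(HttpResponse response, string target)
    {
        if (!IsSafeRedirectTarget(target))
            throw new HttpException(400, "Refusing to redirect to an untrusted location.");
        response.Redirect(target, true);
    }
}
```

Call ValidateHeaders from Application_BeginRequest in Global.asax to cover every page, and route all redirects built from request data through SafeRedirect.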

