Penetration Testing mailing list archives
RE: Pen-tester's analysis of .NET security?
From: "Dinis Cruz" <dinis () ddplus net>
Date: Thu, 25 Mar 2004 23:39:32 -0000
Hello Mark

How are you approaching your penetration tests?

a) purely from the outside (emulating external attacks) or
b) also from the inside (i.e. internal attacks launched from other websites co-hosted in the same server)

In the a) case (Pen-test from the outside) I would look at these vulnerabilities:

- Input validation issues (as noted by most previous comments to this thread)
- Defense in depth issues (i.e. does the site have a multi-layer security system).

I have found that most web applications don't perform 'stack-walks' (to use a .Net term) when executing administrative commands. They assume that all requests that they receive are valid and don't check if the user making the request has privileges to do so (they rely on the client not having the option to make those requests). To exploit these vulnerabilities all you need to do is to resend the administrative requests (via the implemented method: Get, Post or SOAP) under an anonymous account or under a normal user account (I hope this explanation makes sense to you).

If you are also doing b) tests (from the inside) you basically want to check how securely configured the server is and, again, how many layers exist in their security system.

You can use the ANSA tool that we developed at OWASP (see http://www.owasp.org and http://domain444037.sites.fasthosts.com/) to see how the server is configured. Also check out the unpublished "Undocumented Asp.Net Security" document that I wrote, and to which Joel Friedman kindly provided the link (see below), for more details about security vulnerabilities in Asp.Net.

In this scenario (multi-websites hosted in same server) it really comes down to this: What is the level of trust used by the hosted websites? Any website that is running with Full Trust (default configuration) can be used to compromise the server and access the data from the other co-located websites.

Of course, the other area that you need to look at is the server's own security. That is, how protected is the server from external and internal attacks (attacks from other computers located in the same local network)?

If you haven't done so already I would invite you to check the work that OWASP is doing. Besides the ANSA and other security related tools, there are two projects that you might be very interested in:

- "OWASP Testing Document" document
- "OWASP web application penetration testing" checklist

See http://sourceforge.net/mailarchive/forum.php?forum_id=12589 for more details.

Hope this helps

Best regards

Dinis Cruz
.Net Security Consultant
DDPlus (www.ddplus.net)
-----Original Message-----
From: Joel Friedman [mailto:jfriedman () datapipe com]
Sent: 25 March 2004 01:53
To: pen-test () securityfocus com
Subject: RE: Pen-tester's analysis of .NET security?

Here is an excerpted copy of an email correspondence I had with Dinis Cruz, .Net Security Consultant

Thank you for interest in our Asp.Net security Research. I have compiled most of our Asp.Net content (including the security guides) in an unpublished paper called "Undocumented Asp.Net Security" (110 pages):

...

* You can download it from here: http://www.ddplus.net/projects/Undocumented_ASP.NET_Security_V0.91.zip

Because you need to ensure the security and resilience of your web servers, I would call your attention to the Asp.Net Security Analyzer (ANSA) web application, created and developed by us. ANSA has been donated to the OWASP (Open Web Application Security Project), and we are now active members on their DotNet developed efforts.

* Main OWASP DotNet page: http://www.owasp.org/dotnet

...

Joel Friedman, CISSP

-----Original Message-----
From: Lachniet, Mark [mailto:mlachniet () sequoianet com]
Sent: Wednesday, March 24, 2004 2:48 PM
To: pen-test () securityfocus com
Subject: Pen-tester's analysis of .NET security?

Is anyone aware of a whitepaper or analysis of the security features (and weaknesses?) of Microsoft's .NET platform for web applications? A number of interesting features, such as input validation and session tracking, are built into .NET, and I'd be interested to hear if anyone has kicked it around much.

Please note, I am *not* interested in references to Microsoft documentation, developer web sites, or conventional information sources, but rather information from the viewpoint of a pen-tester doing web application security analysis work.

Thank you in advance,
Mark Lachniet
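Added example (not part of the original messages and not ANSA or OWASP code): a Python audit of an ASP.NET configuration file for the two server-side weaknesses the reply above describes, namely co-hosted sites left at Full Trust and administrative paths that an anonymous request can reach. The sample configuration, the site and role names, and the finding labels are constructed for illustration; URL authorization is only one server-side layer and does not replace privilege checks in the application code.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a shared-hosting configuration (not from the thread).
SAMPLE_CONFIG = """<configuration>
 <location path="SiteA" allowOverride="false"><system.web><trust level="Medium"/></system.web></location>
 <location path="SiteB"><system.web><trust level="Full"/></system.web></location>
 <location path="SiteC"><system.web><trust level="Medium"/></system.web></location>
 <location path="SiteA/admin"><system.web><authorization>
   <allow roles="Admins"/><deny users="*"/></authorization></system.web></location>
 <location path="SiteC/admin"><system.web><authorization>
   <allow users="*"/></authorization></system.web></location>
</configuration>"""

def anonymous_allowed(authz):
    """URL authorization is first-match: only '*' or '?' rules match an anonymous user."""
    for rule in authz:
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "*" in users or "?" in users:
            return rule.tag == "allow"
    return True  # no rule matched: the inherited default (allow everyone) applies

def audit(config_xml):
    """Return (scope, finding) pairs for risky trust and authorization settings."""
    root = ET.fromstring(config_xml)
    scopes = [("(root)", root, "true")]
    scopes += [(loc.get("path", "(all)"), loc, loc.get("allowOverride", "true"))
               for loc in root.iter("location")]
    findings, saw_trust = [], False
    for path, node, override in scopes:
        trust = node.find("system.web/trust")
        if trust is not None:
            saw_trust = True
            if trust.get("level", "Full") == "Full":
                findings.append((path, "full-trust"))
            elif override.lower() != "false":
                # A site's own web.config can raise the level again.
                findings.append((path, "trust-overridable"))
        authz = node.find("system.web/authorization")
        if authz is not None and anonymous_allowed(authz):
            findings.append((path, "anonymous-allowed"))
    if not saw_trust:
        findings.append(("(root)", "full-trust-default"))  # Full Trust is the default
    return findings

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```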
Current thread:
- Pen-tester's analysis of .NET security? Lachniet, Mark (Mar 24)
- Re: Pen-tester's analysis of .NET security? Frank Knobbe (Mar 24)
- Re: Pen-tester's analysis of .NET security? Frank Knobbe (Mar 24)
- Re: Pen-tester's analysis of .NET security? Jeff Bryner (Mar 24)
- Re: Pen-tester's analysis of .NET security? Frank Knobbe (Mar 25)
- Re: Pen-tester's analysis of .NET security? H D Moore (Mar 25)
- RE: Pen-tester's analysis of .NET security? Dominick Baier (Mar 26)
- RE: Pen-tester's analysis of .NET security? Frank Knobbe (Mar 26)
- Re: Pen-tester's analysis of .NET security? dd (Mar 26)
- RE: Pen-tester's analysis of .NET security? Dominick Baier (Mar 26)
- Re: Pen-tester's analysis of .NET security? Frank Knobbe (Mar 24)
- <Possible follow-ups>
- RE: Pen-tester's analysis of .NET security? Joel Friedman (Mar 25)
- RE: Pen-tester's analysis of .NET security? Dinis Cruz (Mar 26)
- RE: Pen-tester's analysis of .NET security? Lachniet, Mark (Mar 25)
- RE: Pen-tester's analysis of .NET security? Jeff Bryner (Mar 25)
- RE: Pen-tester's analysis of .NET security? Lachniet, Mark (Mar 25)