Penetration Testing mailing list archives

Re: Injection attacks in ASPX/ASP.NET applications

From: "Morning Wood" <se_cur_ity () hotmail com>
Date: Sat, 30 Aug 2008 12:33:09 -0700

any common sql injection tool will make mincemeat out of most asp/aspxsites.

I really dont know how you can say ASP is so secure,
as it has not been my experience as a penetration expert.

try to google "login" "filetype:asp" go to a login page, enterr a validusername and 'OR' as the password... i say 20% of all asp sites arevulnerable to this simple sql injection technique.


simply dont know how you can make a statement as this.

----- Original Message -----From: "Nikhil Wagholikar" <visitnikhil () gmail com>

To: "pen-test" <pen-test () securityfocus com>
Sent: Friday, August 29, 2008 11:51 AM
Subject: Injection attacks in ASPX/ASP.NET applications

Hello All,

Now-a-days lots of websites/web based application are developed in
ASP.NET. ASP.NET implementation is considered to be one of the most
secured implementation of all technologies currently available in the
market. One of the reasons for this is ASP.NET's built-in powerful
security feature, which doesn't execute any malicious inputs from the
client.

It would be great, if anyone could share their experience about
hacking into an ASP.NET (basically ASPX) application through
"Injection" vulnerabilities/attacks.

Basically I wish to hear your views on:

1. What are the problems with ASP.NET built-in feature? (like
<customErrors mode="Off"> by default).
2. What input can be given, that can easily/guaranteed by-pass
ASP.NET's built-in security feature? (Ex: SQL Injection is still
possible in ASPX even when ValidateRequest="true" is present)
3. Is there any tool specially developed for finding vulnerabilities
in ASP.NET application from penetration testing/vulnerability
assessment point of view?
4. Any free tool and thorough methodology, that could help one in
doing source code audit/review of ASP.NET (ASPX) application? (I know
one tool to be scancode.py)

Thanks in advance.

---
Nikhil Wagholikar
Practice Lead | Security Assessment and Digital Forensics
NII Consulting
Web: http://www.niiconsulting.com/
Security Product: http://www.niiconsulting.com/Products.html

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes inSecuring Web Applications

Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

Current thread:

Injection attacks in ASPX/ASP.NET applications Nikhil Wagholikar (Aug 29)
- Re: Injection attacks in ASPX/ASP.NET applications Morning Wood (Aug 30)
  - RE: Injection attacks in ASPX/ASP.NET applications Baykal, Adnan (CSCIC) (Aug 30)
  - Re: Injection attacks in ASPX/ASP.NET applications Serg B (Aug 30)