RE: Injection attacks in ASPX/ASP.NET applications

["Pennington, Coby" <Coby.Pennington () SPR DOE GOV>]

Yes, ASP.NET and ASP aren't even similar technologies.  Filetype:asp !=
filetype:aspx.  By default there are many more protections in ASP.NET
that would have to be disabled for it to function like asp.  That's not
an endorsement of ASP.NET, as any web technology can be developed in an
insecure manner.

Unfortunately, I'm not aware of a free tool for assessing ASP.NET
applications specifally.

 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Wong Yu Liang
Sent: Monday, September 01, 2008 9:50 PM
To: Baykal, Adnan (CSCIC); Morning Wood; Nikhil Wagholikar; pen-test
Subject: RE: Injection attacks in ASPX/ASP.NET applications


Correct me if I'm wrong,

1. asp & asp.net are different.

2. aspx by default does not displays error messages by default which
makes sql injection harder

4. having some background on asp , it's whole different thing than
asp.net.
By default a lot of asp.net feature made it more secured.



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Baykal, Adnan (CSCIC)
Sent: Sunday, August 31, 2008 5:34 AM
To: Morning Wood; Nikhil Wagholikar; pen-test
Subject: RE: Injection attacks in ASPX/ASP.NET applications

I agree with Wood on his statement. how can we forget about the latest
automated sql injection attack on the internet that targeted asp pages
and successfully injected malicious scripts into over 500,000 websites.
Now there is something to say about that... asp apps are not any more
secure than other apps on the web.


--------------------------------------------------------

This message may contain confidential information and is intended only
for the individual(s) named.  If you are not an intended recipient you
are not authorized to disseminate, distribute or copy this e-mail.
Please notify the sender immediately if you have received this e-mail by
mistake and delete this e-mail from your system.
________________________________


From: listbounce () securityfocus com on behalf of Morning Wood
Sent: Sat 8/30/2008 3:33 PM
To: Nikhil Wagholikar; pen-test
Subject: Re: Injection attacks in ASPX/ASP.NET applications



any common sql injection tool will make mincemeat out of most asp/aspx
sites.
 I really dont know how you can say ASP is so secure,  as it has not
been my experience as a penetration expert.

try to google "login" "filetype:asp"  go to a login page, enterr a valid
username and 'OR' as the password... i say 20% of all asp sites are
vulnerable to this simple sql injection technique.

simply dont know how you can make a statement as this.



----- Original Message -----
From: "Nikhil Wagholikar" <visitnikhil () gmail com>
To: "pen-test" <pen-test () securityfocus com>
Sent: Friday, August 29, 2008 11:51 AM
Subject: Injection attacks in ASPX/ASP.NET applications


> Hello All,
>
> Now-a-days lots of websites/web based application are developed in 
> ASP.NET. ASP.NET implementation is considered to be one of the most 
> secured implementation of all technologies currently available in the 
> market. One of the reasons for this is ASP.NET's built-in powerful 
> security feature, which doesn't execute any malicious inputs from the 
> client.
>
> It would be great, if anyone could share their experience about 
> hacking into an ASP.NET (basically ASPX) application through 
> "Injection" vulnerabilities/attacks.
>
> Basically I wish to hear your views on:
>
> 1. What are the problems with ASP.NET built-in feature? (like 
> <customErrors mode="Off"> by default).
> 2. What input can be given, that can easily/guaranteed by-pass 
> ASP.NET's built-in security feature? (Ex: SQL Injection is still 
> possible in ASPX even when ValidateRequest="true" is present) 3. Is 
> there any tool specially developed for finding vulnerabilities in 
> ASP.NET application from penetration testing/vulnerability assessment 
> point of view?
> 4. Any free tool and thorough methodology, that could help one in 
> doing source code audit/review of ASP.NET (ASPX) application? (I know 
> one tool to be scancode.py)
>
> Thanks in advance.
>
> ---
> Nikhil Wagholikar
> Practice Lead | Security Assessment and Digital Forensics NII 
> Consulting
> Web: http://www.niiconsulting.com/
> Security Product: http://www.niiconsulting.com/Products.html
>
> ----------------------------------------------------------------------
> --
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes in
> Securing Web Applications
> Get 45 Min Video and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ----------------------------------------------------------------------
> --


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


DISCLAIMER
This message may contain confidential and privileged information for its
intended recipient(s) only. If you are not an intended recipient, you
are hereby notified that any review, dissemination and distribution,
printing or copying of this message or any part thereof is strictly
prohibited. Please delete the entire message and inform the sender of
the error. Any opinions, conclusions and other information in this
message that are unrelated to the official business of VADS Berhad are
those of the individual sender and shall be understood as neither
explicitly given nor endorsed by VADS Berhad. VADS Berhad does not
authorise any of its employees to make any defamatory or seditious
statements which is contrary to the laws of Malaysia. Any such
communications by such employees are outside their scope of employment
and VADS Berhad shall not be liable for such communications.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------