Penetration Testing mailing list archives
Re: Injection attacks in ASPX/ASP.NET applications
From: "Serg B" <sergeslists () gmail com>
Date: Tue, 2 Sep 2008 09:23:34 +1000
Devesh, fare enough, however saying that the language is insecure is just plain ignorant. It's a language - a developer can make it as secure or as insecure as possible. There is no more to that. Alternatively, using the same logic I can say that Java and C# are insecure, since I have found at least one critical issue every time I do a pen-test (happens to be my full time job). The entire statement was ignorant, there is no more to it. Although I believe the question was rephrased in an earlier email. On Mon, Sep 1, 2008 at 8:22 PM, devesh bhatt <devkpmg () gmail com> wrote:
Serg B ... yeah its in the product not in the material that is used to develope it....But still certain features in certain languages help programmers overcome these flaws Devesh On 8/31/08, Serg B <sergeslists () gmail com> wrote:I was under the impression that an SQL injection is a flaw based on individuals programming ability and not the language it self. To me, what you are saying sounds like: a car model X is crap because the driver crashed it into a tree. On Sun, Aug 31, 2008 at 5:33 AM, Morning Wood <se_cur_ity () hotmail com> wrote:any common sql injection tool will make mincemeat out of most asp/aspx sites. I really dont know how you can say ASP is so secure, as it has not been my experience as a penetration expert. try to google "login" "filetype:asp" go to a login page, enterr a valid username and 'OR' as the password... i say 20% of all asp sites are vulnerable to this simple sql injection technique. simply dont know how you can make a statement as this. ----- Original Message ----- From: "Nikhil Wagholikar" <visitnikhil () gmail com> To: "pen-test" <pen-test () securityfocus com> Sent: Friday, August 29, 2008 11:51 AM Subject: Injection attacks in ASPX/ASP.NET applicationsHello All, Now-a-days lots of websites/web based application are developed in ASP.NET. ASP.NET implementation is considered to be one of the most secured implementation of all technologies currently available in the market. One of the reasons for this is ASP.NET's built-in powerful security feature, which doesn't execute any malicious inputs from the client. It would be great, if anyone could share their experience about hacking into an ASP.NET (basically ASPX) application through "Injection" vulnerabilities/attacks. Basically I wish to hear your views on: 1. What are the problems with ASP.NET built-in feature? (like <customErrors mode="Off"> by default). 2. What input can be given, that can easily/guaranteed by-pass ASP.NET's built-in security feature? (Ex: SQL Injection is still possible in ASPX even when ValidateRequest="true" is present) 3. Is there any tool specially developed for finding vulnerabilities in ASP.NET application from penetration testing/vulnerability assessment point of view? 4. Any free tool and thorough methodology, that could help one in doing source code audit/review of ASP.NET (ASPX) application? (I know one tool to be scancode.py) Thanks in advance. --- Nikhil Wagholikar Practice Lead | Security Assessment and Digital Forensics NII Consulting Web: http://www.niiconsulting.com/ Security Product: http://www.niiconsulting.com/Products.html ------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Get 45 Min Video and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Get 45 Min Video and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Get 45 Min Video and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Get 45 Min Video and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
Current thread:
- Re: Injection attacks in ASPX/ASP.NET applications Serg B (Sep 02)
- <Possible follow-ups>
- Re: Injection attacks in ASPX/ASP.NET applications Morning Wood (Sep 02)
- Re: Injection attacks in ASPX/ASP.NET applications Serg B (Sep 03)
- Re: Injection attacks in ASPX/ASP.NET applications Krugger (Sep 02)
- Re: Injection attacks in ASPX/ASP.NET applications David Howe (Sep 02)
- RE: Injection attacks in ASPX/ASP.NET applications Wong Yu Liang (Sep 02)
- RE: Injection attacks in ASPX/ASP.NET applications Pennington, Coby (Sep 03)
- Re: Injection attacks in ASPX/ASP.NET applications silky (Sep 03)
- Re: Injection attacks in ASPX/ASP.NET applications Wagner Elias (Sep 04)
- Re: Injection attacks in ASPX/ASP.NET applications Jorge L. Vazquez (Sep 04)
- Re: Injection attacks in ASPX/ASP.NET applications FF (Sep 02)