Penetration Testing mailing list archives
Re: Injection attacks in ASPX/ASP.NET applications
From: "Wagner Elias" <wagner.elias () gmail com>
Date: Thu, 4 Sep 2008 08:29:52 -0300
Hello All,

a good tool for analysis is the Burp Suite. Recently the blog wrote about a failed validation of parameters in aspx.

Burp Suite
http://portswigger.net/suite

Attacking Parameter Names
http://blog.portswigger.net/2008/08/attacking-parameter-names.html

--
Att.
Wagner Elias
http://wagnerelias.com

On Tue, Sep 2, 2008 at 9:54 PM, silky <michaelslists () gmail com> wrote:
> On Tue, Sep 2, 2008 at 12:49 PM, Wong Yu Liang <wong.yuliang () vads com> wrote:
> > Correct me if I'm wrong,
> > 1. asp & asp.net are different.
> > 2. aspx by default does not display error messages by default which makes sql injection harder
>
> hardly makes it harder by any real margin. in aspx land you should either be using an o/r mapper or at least SqlCommand and SqlParameters; and when used properly and typed life is good and you are safe from s4.
>
> > having some background on asp , it's whole different thing than asp.net. By default a lot of asp.net feature made it more secured.
> >
> > -----Original Message-----
> > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Baykal, Adnan (CSCIC)
> > Sent: Sunday, August 31, 2008 5:34 AM
> > To: Morning Wood; Nikhil Wagholikar; pen-test
> > Subject: RE: Injection attacks in ASPX/ASP.NET applications
> >
> > I agree with Wood on his statement. how can we forget about the latest automated sql injection attack on the internet that targeted asp pages and successfully injected malicious scripts into over 500,000 websites. Now there is something to say about that... asp apps are not any more secure than other apps on the web.
> >
> > --------------------------------------------------------
> > This message may contain confidential information and is intended only for the individual(s) named. If you are not an intended recipient you are not authorized to disseminate, distribute or copy this e-mail. Please notify the sender immediately if you have received this e-mail by mistake and delete this e-mail from your system.
> >
> > ________________________________
> > From: listbounce () securityfocus com on behalf of Morning Wood
> > Sent: Sat 8/30/2008 3:33 PM
> > To: Nikhil Wagholikar; pen-test
> > Subject: Re: Injection attacks in ASPX/ASP.NET applications
> >
> > any common sql injection tool will make mincemeat out of most asp/aspx sites. I really don't know how you can say ASP is so secure, as it has not been my experience as a penetration expert.
> > try to google "login" "filetype:asp" go to a login page, enter a valid username and 'OR' as the password... i say 20% of all asp sites are vulnerable to this simple sql injection technique. simply don't know how you can make a statement as this.
> >
> > ----- Original Message -----
> > From: "Nikhil Wagholikar" <visitnikhil () gmail com>
> > To: "pen-test" <pen-test () securityfocus com>
> > Sent: Friday, August 29, 2008 11:51 AM
> > Subject: Injection attacks in ASPX/ASP.NET applications
> >
> > Hello All,
> >
> > Now-a-days lots of websites/web based application are developed in ASP.NET. ASP.NET implementation is considered to be one of the most secured implementation of all technologies currently available in the market. One of the reasons for this is ASP.NET's built-in powerful security feature, which doesn't execute any malicious inputs from the client.
> >
> > It would be great, if anyone could share their experience about hacking into an ASP.NET (basically ASPX) application through "Injection" vulnerabilities/attacks.
> >
> > Basically I wish to hear your views on:
> >
> > 1. What are the problems with ASP.NET built-in feature? (like <customErrors mode="Off"> by default).
> > 2. What input can be given, that can easily/guaranteed by-pass ASP.NET's built-in security feature? (Ex: SQL Injection is still possible in ASPX even when ValidateRequest="true" is present)
> > 3. Is there any tool specially developed for finding vulnerabilities in ASP.NET application from penetration testing/vulnerability assessment point of view?
> > 4. Any free tool and thorough methodology, that could help one in doing source code audit/review of ASP.NET (ASPX) application? (I know one tool to be scancode.py)
> >
> > Thanks in advance.
> > ---
> > Nikhil Wagholikar
> > Practice Lead | Security Assessment and Digital Forensics
> > NII Consulting
> > Web: http://www.niiconsulting.com/
> > Security Product: http://www.niiconsulting.com/Products.html
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> > Top 5 Common Mistakes in Securing Web Applications
> > Get 45 Min Video and PPT Slides
> > www.cenzic.com/landing/securityfocus/hackinar
> > ------------------------------------------------------------------------
> >
> > DISCLAIMER
> > This message may contain confidential and privileged information for its intended recipient(s) only. If you are not an intended recipient, you are hereby notified that any review, dissemination and distribution, printing or copying of this message or any part thereof is strictly prohibited. Please delete the entire message and inform the sender of the error. Any opinions, conclusions and other information in this message that are unrelated to the official business of VADS Berhad are those of the individual sender and shall be understood as neither explicitly given nor endorsed by VADS Berhad. VADS Berhad does not authorise any of its employees to make any defamatory or seditious statements which is contrary to the laws of Malaysia. Any such communications by such employees are outside their scope of employment and VADS Berhad shall not be liable for such communications.
>
> --
> noon silky
> http://www.themonkeynet.com/armada/
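The approach named in silky's reply (SqlCommand with typed SqlParameters), set beside the concatenated query it replaces, as an added example that is not part of the thread. The Users table, its columns and the sample input are assumptions constructed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // .NET Framework; Microsoft.Data.SqlClient on newer .NET

static class LoginQueries
{
    // Concatenation: the input becomes part of the SQL text, so a quote in it
    // ends the string literal early and the rest is parsed as SQL.
    // ValidateRequest does not help here: it screens for markup, not quotes.
    public static SqlCommand BuildConcatenated(string name, string hash)
    {
        return new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE Name = '" + name +
            "' AND PasswordHash = '" + hash + "'");
    }

    // Parameters: the SQL text is a constant; values travel separately,
    // typed and length-bounded, and are never parsed as SQL.
    public static SqlCommand BuildParameterized(string name, string hash)
    {
        var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE Name = @name AND PasswordHash = @hash");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = name;
        cmd.Parameters.Add("@hash", SqlDbType.Char, 64).Value = hash;
        return cmd;
    }

    static void Main()
    {
        // Constructed input: an ordinary surname that contains a quote.
        string name = "O'Brien";
        string hash = new string('a', 64); // placeholder for a hex digest

        // No connection is opened; only the command objects are inspected.
        // The concatenated text now holds an unbalanced quote after "O".
        Console.WriteLine(BuildConcatenated(name, hash).CommandText);

        // The parameterized text is identical for every input.
        SqlCommand safe = BuildParameterized(name, hash);
        Console.WriteLine(safe.CommandText);
        foreach (SqlParameter p in safe.Parameters)
            Console.WriteLine("{0} {1}({2}) = {3}",
                p.ParameterName, p.SqlDbType, p.Size, p.Value);
    }
}
```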