Penetration Testing mailing list archives

ASP.NET application testing


From: Derek Fountain <derekfountain () yahoo co uk>
Date: Wed, 16 Sep 2009 12:25:30 +0100

Has anyone read, or written, any decent papers on testing ASP.NET applications? I'm interested in the weaknesses typically found in them.

I don't mean the Microsoft classes, as such. They're probably pretty tight these days and if any holes are found in them they'll be closed quickly.

No, I'm thinking about what mistakes developers tend to make that leave exploitable holes in their applications. What do ASP.NET developers do that leads to SQL injection? Is there a common weakness that leads to remote file inclusion? Or XSS?

My assumption is that any application that has been created using the drag 'n' drop approach in Visual Studio, and hence is composed of machine-generated declarative syntax, is likely to be pretty sound. Visual Studio is unlikely to generate insecure code by default. So when developers step outside the cosy framework, where do they go wrong?
