Penetration Testing mailing list archives

Re: ASP.NET application testing


From: Ramiro Caire <ramiro.caire () gmail com>
Date: Tue, 22 Sep 2009 11:12:03 -0300

Hi Derek,

This link may help you:

http://www.owasp.org/index.php/Category:OWASP_.NET_Project

There is also a book named "Testing ASP.NET web applications", written
by John Wiley & Sons, available in the UK.

Regards
Ramiro


Derek Fountain wrote:
Has anyone read, or written, any decent papers on testing ASP.NET
applications? I'm interested in the weaknesses typically found in them.

I don't mean the Microsoft classes, as such. They're probably pretty
tight these days and if any holes are found in them they'll be closed
quickly.

No, I'm thinking about what mistakes developers tend to make that
leave exploitable holes in their applications. What do ASP.NET
developers do that leads to SQL injection? Is there a common weakness
that leads to remote file inclusion? Or XSS?

My assumption is that any application that has been created using the
drag 'n' drop approach in Visual Studio, and hence is composed of
machine-generated declarative syntax, is likely to be pretty sound. Visual
Studio is unlikely to generate insecure code by default. So when
developers step outside the cosy framework, where do they go wrong?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs
require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------


