Penetration Testing mailing list archives
Re: ASP.NET application testing
From: Ramiro Caire <ramiro.caire () gmail com>
Date: Tue, 22 Sep 2009 11:12:03 -0300
Hi Derek,

this link may help you:
http://www.owasp.org/index.php/Category:OWASP_.NET_Project

There is also a book, named "Testing ASP.NET web applications" written by John Wiley & Sons, available in the UK.

Regards
Ramiro

Derek Fountain wrote:
Has anyone read, or written, any decent papers on testing ASP.NET applications? I'm interested in the weaknesses typically found in them.

I don't mean the Microsoft classes, as such. They're probably pretty tight these days and if any holes are found in them they'll be closed quickly. No, I'm thinking about what mistakes developers tend to make that leave exploitable holes in their applications. What do ASP.NET developers do that leads to SQL injection? Is there a common weakness that leads to remote file inclusion? Or XSS?

My assumption is that any application that has been created using the drag 'n' drop approach in Visual Studio, and hence is composed of machine-generated declarative syntax, is likely to be pretty sound. Visual Studio is unlikely to generate insecure code by default. So when developers step outside the cosy framework, where do they go wrong?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
Current thread:
- ASP.NET application testing Derek Fountain (Sep 17)
- Re: ASP.NET application testing Ramiro Caire (Sep 22)