[Dailydave] Does .aspx Protect Against Sql Injection? Not all field right? Any way to bypass it? Cookie SQL Injections?

From: Danett song (danett18yahoo.com.br)
Date: Tue Jan 30 2007 - 20:33:49 CST


      Hi guys,
  
  Is there any new protection mechanism configured by default in the .NET Framework (or maybe IIS6) which makes .aspx files not vulnerable to SQL injection? If yes, is there any document that shows what it protects against? Is anyone aware of evasion methods to bypass it (a document link is welcome)?
  
  Also, I think it doesn't check/filter session values. I made a test setting the "Cookie" value with some chars like a quote (as used in SQL injection tests via URL) and I got this error from the application (showing the server is using SQL Server):
  
    invalid character value for cast specification
  
  I have never tried to exploit a SQL injection in cookie values and had never seen this error before (which appears to be a cast conversion error)... any tips for me? Any document (link)?
  
  Thank you a lot,
  
  Regards

_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
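
The message above describes a quote character in a cookie value reaching the database layer. Cookies are client-controlled input like any URL field, so the server has to validate and bind them itself. The following C# sketch is an added example, not part of the original post or of any application it refers to; the cookie name `uid`, the table `users` and the helper `TryBuildCommand` are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

static class CookieLookup
{
    // Hypothetical helper: the "uid" cookie is expected to hold a plain integer id.
    // In a page this would be called with Request.Cookies["uid"]?.Value.
    public static bool TryBuildCommand(string cookieValue, out SqlCommand cmd)
    {
        cmd = null;
        int userId;

        // NumberStyles.None accepts digits only: no sign, spaces, quotes or
        // separators. Anything else is rejected before any SQL is built.
        if (!int.TryParse(cookieValue, NumberStyles.None,
                          CultureInfo.InvariantCulture, out userId))
            return false;

        // The value is bound as a typed parameter, never concatenated into the
        // statement text, so it cannot change the structure of the query.
        cmd = new SqlCommand("SELECT name FROM users WHERE id = @id");
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = userId;
        return true;
    }

    static void Main()
    {
        // Constructed sample cookie values: valid id, id with a trailing quote,
        // empty string, and a missing cookie.
        string[] samples = { "42", "42'", "", null };

        foreach (string value in samples)
        {
            SqlCommand cmd;
            if (TryBuildCommand(value, out cmd))
                Console.WriteLine("accepted: {0} with @id = {1}",
                                  cmd.CommandText, cmd.Parameters["@id"].Value);
            else
                // Fail with a generic response; do not echo database errors
                // back to the client.
                Console.WriteLine("rejected: {0}", value ?? "(no cookie)");
        }
    }
}
```

The command is only constructed here, not executed, so the sketch runs without a database; in an application it would be attached to an open `SqlConnection` before execution.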