Re: Injection attacks in ASPX/ASP.NET applications

From: Serg B (sergeslistsgmail.com)
Date: Sat Aug 30 2008 - 18:22:36 CDT


I was under the impression that an SQL injection is a flaw based on
an individual's programming ability and not the language itself.

To me, what you are saying sounds like: a car model X is crap because
the driver crashed it into a tree.

On Sun, Aug 31, 2008 at 5:33 AM, Morning Wood <se_cur_ityhotmail.com> wrote:
> Any common SQL injection tool will make mincemeat out of most asp/aspx
> sites.
> I really don't know how you can say ASP is so secure,
> as it has not been my experience as a penetration expert.
>
> Try to google "login" "filetype:asp", go to a login page, enter a valid
> username and 'OR' as the password... I say 20% of all asp sites are
> vulnerable to this simple SQL injection technique.
>
> I simply don't know how you can make a statement such as this.
>
>
>
> ----- Original Message ----- From: "Nikhil Wagholikar"
> <visitnikhilgmail.com>
> To: "pen-test" <pen-testsecurityfocus.com>
> Sent: Friday, August 29, 2008 11:51 AM
> Subject: Injection attacks in ASPX/ASP.NET applications
>
>
>> Hello All,
>>
>> Nowadays lots of websites/web-based applications are developed in
>> ASP.NET. ASP.NET implementation is considered to be one of the most
>> secured implementation of all technologies currently available in the
>> market. One of the reasons for this is ASP.NET's built-in powerful
>> security feature, which doesn't execute any malicious inputs from the
>> client.
>>
>> It would be great, if anyone could share their experience about
>> hacking into an ASP.NET (basically ASPX) application through
>> "Injection" vulnerabilities/attacks.
>>
>> Basically I wish to hear your views on:
>>
>> 1. What are the problems with ASP.NET built-in feature? (like
>> <customErrors mode="Off"> by default).
>> 2. What input can be given, that can easily/guaranteed by-pass
>> ASP.NET's built-in security feature? (Ex: SQL Injection is still
>> possible in ASPX even when ValidateRequest="true" is present)
>> 3. Is there any tool specially developed for finding vulnerabilities
>> in ASP.NET application from penetration testing/vulnerability
>> assessment point of view?
>> 4. Any free tool and thorough methodology, that could help one in
>> doing source code audit/review of ASP.NET (ASPX) application? (I know
>> one tool to be scancode.py)
>>
>> Thanks in advance.
>>
>> ---
>> Nikhil Wagholikar
>> Practice Lead | Security Assessment and Digital Forensics
>> NII Consulting
>> Web: http://www.niiconsulting.com/
>> Security Product: http://www.niiconsulting.com/Products.html
>>
>> ------------------------------------------------------------------------
>> This list is sponsored by: Cenzic
>>
>> Top 5 Common Mistakes in
>> Securing Web Applications
>> Get 45 Min Video and PPT Slides
>>
>> www.cenzic.com/landing/securityfocus/hackinar
>> ------------------------------------------------------------------------
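Added example, not part of the original thread: the login check the messages above argue about, built once by string concatenation and once with bound parameters, plus a crude stand-in for a markup-oriented request filter to show why such a filter does not address SQL injection. It uses Python's sqlite3 in memory so it runs offline; the table, column and function names, the sample account and the filter logic are all assumptions. The same bound-parameter pattern is available in ASP.NET through SqlParameter.

```python
import re
import sqlite3

# Constructed sample data: in-memory DB with one account. The plaintext
# password column mirrors the legacy pattern; store a salted hash in practice.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def markup_filter_allows(value):
    """Crude stand-in (assumption, not ASP.NET's real logic) for a request
    filter that rejects HTML-like input such as '<script' or '&#'."""
    return re.search(r"<[A-Za-z!/?]|&#", value) is None

def login_concat(db, name, password):
    """Vulnerable: input is spliced into the SQL text, so a quote
    character in it changes the structure of the statement."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_param(db, name, password):
    """Hardened: values travel as bound parameters and are only ever
    compared as data, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # constructed test input
    print("password | passes filter | concat login | param login")
    for pw in ("s3cret", "wrong", tautology):
        print(repr(pw), markup_filter_allows(pw),
              login_concat(db, "alice", pw), login_param(db, "alice", pw))
```

The quote-based input contains no markup, so the filter passes it; only the parameterized query rejects it.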