From: Serg B (sergeslists gmail.com)
Date: Mon Sep 01 2008 - 18:23:34 CDT
Devesh, fair enough, however saying that the language is insecure is
just plain ignorant. It's a language - a developer can make it as
secure or as insecure as possible. There is no more to that.
Alternatively, using the same logic I can say that Java and C# are
insecure, since I have found at least one critical issue every time I
do a pen-test (happens to be my full time job).
The entire statement was ignorant, there is no more to it. Although I
believe the question was rephrased in an earlier email.
On Mon, Sep 1, 2008 at 8:22 PM, devesh bhatt <devkpmg gmail.com> wrote:
> Serg B ... yeah it's in the product not in the material that is used to
> develop it....But still certain features in certain languages help
> programmers overcome these flaws
>
> Devesh
>
>
> On 8/31/08, Serg B <sergeslists gmail.com> wrote:
>>
>> I was under the impression that an SQL injection is a flaw based on
>> individual's programming ability and not the language itself.
>>
>> To me, what you are saying sounds like: a car model X is crap because
>> the driver crashed it into a tree.
>>
>>
>>
>> On Sun, Aug 31, 2008 at 5:33 AM, Morning Wood <se_cur_ity hotmail.com> wrote:
>> > any common sql injection tool will make mincemeat out of most asp/aspx
>> > sites.
>> > I really don't know how you can say ASP is so secure,
>> > as it has not been my experience as a penetration expert.
>> >
>> > try to google "login" "filetype:asp" go to a login page, enter a valid
>> > username and 'OR' as the password... I say 20% of all asp sites are
>> > vulnerable to this simple sql injection technique.
>> >
>> > simply don't know how you can make a statement as this.
>> >
>> >
>> >
>> > ----- Original Message ----- From: "Nikhil Wagholikar" <visitnikhil gmail.com>
>> > To: "pen-test" <pen-test securityfocus.com>
>> > Sent: Friday, August 29, 2008 11:51 AM
>> > Subject: Injection attacks in ASPX/ASP.NET applications
>> >
>> >
>> >> Hello All,
>> >>
>> >> Nowadays lots of websites/web-based applications are developed in
>> >> ASP.NET. ASP.NET implementation is considered to be one of the most
>> >> secured implementation of all technologies currently available in the
>> >> market. One of the reasons for this is ASP.NET's built-in powerful
>> >> security feature, which doesn't execute any malicious inputs from the
>> >> client.
>> >>
>> >> It would be great, if anyone could share their experience about
>> >> hacking into an ASP.NET (basically ASPX) application through
>> >> "Injection" vulnerabilities/attacks.
>> >>
>> >> Basically I wish to hear your views on:
>> >>
>> >> 1. What are the problems with ASP.NET built-in feature? (like
>> >> <customErrors mode="Off"> by default).
>> >> 2. What input can be given, that can easily/guaranteed by-pass
>> >> ASP.NET's built-in security feature? (Ex: SQL Injection is still
>> >> possible in ASPX even when ValidateRequest="true" is present)
>> >> 3. Is there any tool specially developed for finding vulnerabilities
>> >> in ASP.NET application from penetration testing/vulnerability
>> >> assessment point of view?
>> >> 4. Any free tool and thorough methodology, that could help one in
>> >> doing source code audit/review of ASP.NET (ASPX) application? (I know
>> >> one tool to be scancode.py)
>> >>
>> >> Thanks in advance.
>> >>
>> >> ---
>> >> Nikhil Wagholikar
>> >> Practice Lead | Security Assessment and Digital Forensics
>> >> NII Consulting
>> >> Web: http://www.niiconsulting.com/
>> >> Security Product: http://www.niiconsulting.com/Products.html
>> >>
>> >>
>> >> ------------------------------------------------------------------------
>> >> This list is sponsored by: Cenzic
>> >>
>> >> Top 5 Common Mistakes in
>> >> Securing Web Applications
>> >> Get 45 Min Video and PPT Slides
>> >>
>> >> www.cenzic.com/landing/securityfocus/hackinar
>> >>
>> >> ------------------------------------------------------------------------
>> >>
>> >>
>> >
>> >
>> >
>> >
>>
>>
>
>
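An added example, not part of the thread or written by any of its participants: it models point 2 of the original question (injection remaining possible with ValidateRequest="true") and the concatenation-versus-developer argument in the replies. Assumptions: the regex is a simplified stand-in for ASP.NET request validation rather than the framework's code, Python with SQLite stands in for an ASP.NET page and its database, and the table, function names and inputs are constructed for illustration.

```python
import re
import sqlite3

# Simplified stand-in for ASP.NET request validation (assumption, not the
# framework's code): it flags markup-like input such as "<script" or "&#".
MARKUP = re.compile(r"<[A-Za-z!/?]|&#")

def passes_request_validation(value: str) -> bool:
    return MARKUP.search(value) is None

def make_db() -> sqlite3.Connection:
    # Constructed sample data; the plaintext password only keeps the demo short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db

def login_concatenated(db, name: str, password: str) -> bool:
    # Vulnerable pattern: user input becomes part of the SQL text.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, name: str, password: str) -> bool:
    # Hardened pattern: input is bound as data and never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0

def demo() -> dict:
    db = make_db()
    crafted = "' OR '1'='1"  # constructed quote-based input, no markup in it
    return {
        "markup_blocked": not passes_request_validation("<script>alert(1)</script>"),
        "crafted_passes_filter": passes_request_validation(crafted),
        "concatenated_accepts_crafted": login_concatenated(db, "alice", crafted),
        "parameterized_accepts_crafted": login_parameterized(db, "alice", crafted),
        "parameterized_accepts_real": login_parameterized(db, "alice", "correct-horse"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The markup filter and the query construction are independent controls: the filter only looks for markup, so the fix for the login query is the bound-parameter form, whatever language the page is written in.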