From: FF (as1812@gmail.com)
Date: Sun Aug 31 2008 - 18:11:20 CDT
Gents,
This has nothing to do with ASP. ASP.NET is as secure as classic ASP
is insecure.
To extend the car analogy, I would point to a vehicle made in the USA
called the pinto. A poorly engineered product makes it much more
likely for an individual to mess up.
Regarding asp.net, the only times I've found sql injection issues
during a pentest, have been when developers of the app have taken it
upon themselves to change the defaults (found in VS.NET 2005 and
greater).
So the question, restated, is has anyone found any common issues in
asp.net apps developed with vs.net 2005 or greater?
On Sat, Aug 30, 2008 at 7:22 PM, Serg B <sergeslists@gmail.com> wrote:
> I was under the impression that an SQL injection is a flaw based on
> individuals programming ability and not the language it self.
>
> To me, what you are saying sounds like: a car model X is crap because
> the driver crashed it into a tree.
>
>
>
> On Sun, Aug 31, 2008 at 5:33 AM, Morning Wood <se_cur_ity@hotmail.com> wrote:
>> any common sql injection tool will make mincemeat out of most asp/aspx
>> sites.
>> I really don't know how you can say ASP is so secure,
>> as it has not been my experience as a penetration expert.
>>
>> try to google "login" "filetype:asp" go to a login page, enter a valid
>> username and 'OR' as the password... i say 20% of all asp sites are
>> vulnerable to this simple sql injection technique.
>>
>> simply don't know how you can make a statement as this.
>>
>>
>>
>> ----- Original Message ----- From: "Nikhil Wagholikar" <visitnikhil@gmail.com>
>> To: "pen-test" <pen-test@securityfocus.com>
>> Sent: Friday, August 29, 2008 11:51 AM
>> Subject: Injection attacks in ASPX/ASP.NET applications
>>
>>
>>> Hello All,
>>>
>>> Nowadays lots of websites/web-based applications are developed in
>>> ASP.NET. The ASP.NET implementation is considered to be one of the most
>>> secure implementations of all technologies currently available in the
>>> market. One of the reasons for this is ASP.NET's built-in powerful
>>> security feature, which doesn't execute any malicious inputs from the
>>> client.
>>>
>>> It would be great, if anyone could share their experience about
>>> hacking into an ASP.NET (basically ASPX) application through
>>> "Injection" vulnerabilities/attacks.
>>>
>>> Basically I wish to hear your views on:
>>>
>>> 1. What are the problems with ASP.NET built-in feature? (like
>>> <customErrors mode="Off"> by default).
>>> 2. What input can be given, that can easily/guaranteed by-pass
>>> ASP.NET's built-in security feature? (Ex: SQL Injection is still
>>> possible in ASPX even when ValidateRequest="true" is present)
>>> 3. Is there any tool specially developed for finding vulnerabilities
>>> in ASP.NET application from penetration testing/vulnerability
>>> assessment point of view?
>>> 4. Any free tool and thorough methodology, that could help one in
>>> doing source code audit/review of ASP.NET (ASPX) application? (I know
>>> one tool to be scancode.py)
>>>
>>> Thanks in advance.
>>>
>>> ---
>>> Nikhil Wagholikar
>>> Practice Lead | Security Assessment and Digital Forensics
>>> NII Consulting
>>> Web: http://www.niiconsulting.com/
>>> Security Product: http://www.niiconsulting.com/Products.html
>>>
>>> ------------------------------------------------------------------------
>>> This list is sponsored by: Cenzic
>>>
>>> Top 5 Common Mistakes in
>>> Securing Web Applications
>>> Get 45 Min Video and PPT Slides
>>>
>>> www.cenzic.com/landing/securityfocus/hackinar
>>> ------------------------------------------------------------------------
>>>
>>>
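To illustrate the point made across this thread, the login check below is shown twice: once built by string concatenation, as in the classic-ASP-style code the posters describe, and once with ADO.NET parameters. This is example code added here, not code from any poster; the table, column names and connection string are assumed placeholders, and a real application would compare a password hash rather than the password itself.

```csharp
using System.Data;
using System.Data.SqlClient;

// Hypothetical login helper for an ASPX page (example only; names are assumed).
public static class LoginCheck
{
    const string ConnStr = "<connection string placeholder>";

    // Vulnerable form: user input is spliced into the SQL text, so a password
    // containing a quote and an OR clause, as described above, changes the
    // WHERE clause. ValidateRequest="true" does not help here: it rejects
    // HTML-like markup in the request, not SQL quoting.
    public static bool AuthenticateConcat(string user, string pass)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE Name = '" + user +
                     "' AND PasswordHash = '" + pass + "'";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Hardened form: the same check with typed parameters. The values travel
    // to SQL Server as data and are never parsed as part of the statement,
    // so quotes or OR clauses in the input cannot alter the query structure.
    public static bool AuthenticateParam(string user, string passHash)
    {
        const string sql =
            "SELECT COUNT(*) FROM Users WHERE Name = @name AND PasswordHash = @hash";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = user;
            cmd.Parameters.Add("@hash", SqlDbType.NVarChar, 128).Value = passHash;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

Reviewing an ASPX code base for the first pattern (SqlCommand text assembled with `+` or `String.Format` from request values) is the quickest way to find the cases FF describes, where a developer has stepped away from the parameterized defaults.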