Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Does .aspx protect against sql injection?Any way to bypass it? Cookie SQ

from [Danett song] Network Security [Permanent Link]
Subject: Does .aspx protect against sql injection?Any way to bypass it? Cookie SQL Injections?
Date: Tue, 6 Feb 2007 22:03:04 -0300 (ART) 
 Hi guys,

I looked at some microsoft documentation (
http://www.microsoft.com/downloads/details.aspx?FamilyID=e9c4bfaa-af88-4aa5-88d4-0dea898c31b9
), and appear that .NET framework prevent a bunch of
web attack classes.

Also appear that this security enhancement is in .NET
framework, providing  programming functions and
features that help to make .apsx applications more
safe, however many parts yet are responsible from the
developer, like input valudation. So in the reality
doesn't appear that .NET framework provide a robust
barrier to protect against this attacks (like a web
application firewalll, example F5 web firewall), i'm
right? Even cause they suggest to use aditional
IISLockdown, URLscan, ISAPI filter, etc.

My main doubt is, is there any evasion methods used to
bypass this common chcecks provided from .NET
framework to difficult SQL injections, XSS, etc?

I made some tests in a new lab machine installed with
Windows 2003, SQL server and IIS. All inputed were
well validaded, so i were not able to abuse of any sql
injection or xss (maybe it's in the .aspx code that
were well wrote? Maybe in the .NET framework that
prevent some attacks like a web application firewall?
Maybe a IISLockdown + URLScan + ISAPI filter), 
however I think it doesn't check/filter session
values, I made a test setting the "Cookie" value with
some chars like quote (as used in sql injection tests
via url) and I got this error from the application
(showing the server is using a SQL Server):

invalid character value for cast specification

I never tryed to exploit a sql injection in cookie
values and never had seen this error before (which
appear to be a cast conversion error).... any tip for
me? Any document (link) ?

Also I know (cause the server is in my lab) that some
this filters in input validation are been made by the
.apsx code, cause the developer made it. But a
attacker is able to remotly recoganize who is making
this checks (if it's in the .aspx code that were well
wrote? If in the .NET framework that prevent some
attacks like a web application firewall? If is a
IISLockdown + URLScan + ISAPI filter)? How?

thank you,

Cheers


__________________________________________________
Fale com seus amigos  de graça com o novo Yahoo! Messenger 
http://br.messenger.yahoo.com/ 

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional XSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHA
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Using Java in anti DNS-pinning attacks (Firefox and Opera), Martin Johns
Next by Date:  Instantiating an executable from a web browser., Scott, Richard (IS)
Previous by Thread:  Using Java in anti DNS-pinning attacks (Firefox and Opera), Martin Johns
Next by Thread:  RE: Does .aspx protect against sql injection?Any way to bypass it? Cookie SQL Injections?, Calderon, Juan Carlos (GE, Corporate, consultant)
Indexes:  [Date] [Thread] [Top] [All Lists]