Re: Pen-tester's analysis of .NET security?

From: Frank Knobbe (frank_at_knobbe.us)
Date: 03/24/04

  • Next message: Kelly Winters: "RE: Oracle DB Audity"
    To: "Lachniet, Mark" <mlachniet@sequoianet.com>
    Date: Wed, 24 Mar 2004 15:39:21 -0600

    On Wed, 2004-03-24 at 13:47, Lachniet, Mark wrote:
    > Is anyone aware of a whitepaper or analysis of the security features
    > (and weaknesses?) of Microsoft's .NET platform for web applications? A
    > number of interesting features, such as input validation and session
    > tracking, are built into .NET, and I'd be interested to hear if anyone
    > has kicked it around much.

    Can't help with white papers, but while doing reviews of sites "powered
    by ASP.NET" I noticed that these mostly use ADODB connections, which do
    escape quotes. I guess the potential is still there to write code that
    uses ODBC-type queries with which you can shoot yourself in the foot.

    However, even if ADODB and ODBC functions filter quotes, they do not
    filter <, >, and other HTML entities, causing XSS issues all over the
    place. So, saying ASP.NET does input validation seems to be a misleading
    statement.
    (And session tracking has been around for a while now... not sure what
    they mean by that.... Yeah, ASPSESSIONID looks different these days,
    but... the point?)

    In my opinion, the web developers (as well as the db guys in the back)
    still have the duty to perform input validation themselves, and not
    trust claims that an OS vendor throws out in marketing materials. Also,
    proper length checking should be done there as well.

    Regards,
    <%=strleft(htmlentities(trim(request("Frank"))),50)%>
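    The point Frank makes above (quote escaping at the database layer is a
    SQL-injection control, not an XSS control, and length checking is the
    developer's job) can be shown in a few lines. The following is an added
    example, not code from the original post or from ASP.NET: `adodb_escape`
    is a stand-in that mimics the quote-doubling attributed to ADODB
    connections, the HTML rendering is a constructed template, the sample
    user table and payloads are constructed inline, and the query runs
    against an in-memory sqlite3 database so it can be executed offline.

```python
"""Added example: quote escaping stops a classic SQL injection but leaves an
XSS payload untouched; output encoding, trimming and a length cap are still
the developer's responsibility.  Assumptions: adodb_escape() is a stand-in
for the quote-doubling the post attributes to ADODB (not the real library);
the users table, payloads and HTML template are constructed for this demo.
"""
import html
import sqlite3

MAX_LEN = 50  # same cap as the strleft(..., 50) in the post's signature


def adodb_escape(value: str) -> str:
    """Stand-in for DB-layer quote doubling: ' becomes ''  (assumption)."""
    return value.replace("'", "''")


def build_query_naive(name: str) -> str:
    """String-concatenated SQL that relies on quote escaping alone."""
    return f"SELECT id FROM users WHERE name = '{adodb_escape(name)}'"


def render_naive(name: str) -> str:
    """Echoes the value straight into HTML: no output encoding at all."""
    return f"<p>Hello, {name}!</p>"


def sanitize_for_output(value: str, max_len: int = MAX_LEN) -> str:
    """trim, then cap the length, then HTML-entity encode.

    Truncating *before* encoding keeps the cap from slicing an entity in
    half (e.g. leaving a bare '&lt' without its ';').
    """
    return html.escape(value.strip()[:max_len], quote=True)


def render_safe(name: str) -> str:
    """Same template, but the value is encoded before it hits the page."""
    return f"<p>Hello, {sanitize_for_output(name)}!</p>"


def make_db() -> sqlite3.Connection:
    """Constructed sample table (in memory) for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    return conn


def count_rows(conn: sqlite3.Connection, query: str) -> int:
    """Run an already-built SQL string and count matching rows."""
    return len(conn.execute(query).fetchall())


def lookup_parameterized(conn: sqlite3.Connection, name: str):
    """Parameterised query: the driver keeps data and SQL apart, no manual
    escaping needed, and no dependence on how the DB layer handles quotes."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    sqli = "' OR '1'='1"                       # classic string-literal injection
    xss = "O'Brien<script>alert(1)</script>"   # constructed XSS payload

    # Quote doubling turns the injection into a harmless literal: 0 rows.
    print("SQLi rows:", count_rows(conn, build_query_naive(sqli)))
    # ...but does nothing to the angle brackets in the XSS payload.
    print("naive HTML:", render_naive(xss))
    print("safe  HTML:", render_safe(xss))
    print("param lookup:", lookup_parameterized(conn, "O'Brien"))
```

    Running it shows the two sides of the argument: the escaped injection
    string matches no rows, while `render_naive` emits the `<script>` tag
    verbatim and only `render_safe` turns it into `&lt;script&gt;`. The
    parameterised lookup is the option that removes the escaping question
    from the developer's plate entirely.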
