RE: Pen-tester's analysis of .NET security?
From: Lachniet, Mark (mlachniet_at_sequoianet.com)
Date: 03/25/04
- Previous message: Chris McNab: "RE: Oracle DB Audity"
- Maybe in reply to: Lachniet, Mark: "Pen-tester's analysis of .NET security?"
- Next in thread: Jeff Bryner: "RE: Pen-tester's analysis of .NET security?"
- Reply: Jeff Bryner: "RE: Pen-tester's analysis of .NET security?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 25 Mar 2004 09:23:11 -0500
To: "Frank Knobbe" <frank@knobbe.us>, <jeff@jeffbryner.com>
Actually, I believe .NET does convert the naughty strings to safe
representations that are not interpreted as HTML by the browser, in the
body anyway...
However, it does *not* do this in the headers - esp. the "Location:"
header. But how difficult is this to exploit in the real world?
Mark Lachniet
> -----Original Message-----
> From: Frank Knobbe [mailto:frank@knobbe.us]
> Sent: Wednesday, March 24, 2004 7:28 PM
> To: jeff@jeffbryner.com
> Cc: Lachniet, Mark; pen-test@securityfocus.com
> Subject: Re: Pen-tester's analysis of .NET security?
>
> On Wed, 2004-03-24 at 17:59, Jeff Bryner wrote:
> > ADODB doesn't but .net 1.1 does filter for CSS input. Code up a basic
> > page and enter <scrip in a text box and you'll trigger a
> > HttpRequestValidationException
>
> I see. So it checks at request time when you use HttpRequest.
> (Sorry, I had my mind on the database facing side :)
>
> But isn't that all it does? I mean, you are still left with
> converting the content of the caught string yourself, using
> HTMLEncode or similar.
> In other words, all it does is detect that dangerous
> characters are present. It doesn't protect you by converting them.
>
> Which means you are still left to do the conversion (and
> space trimming, and cutting to maxlength....) yourself...
>
> Regards,
> Frank
>
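
The two points raised in this thread (request validation only detects input and leaves encoding to the page, and header values such as "Location:" get no encoding at all) as an added example that is not part of the original messages. `OutputSafety`, `ForHtmlBody` and `ForLocationHeader` are hypothetical helper names, `WebUtility.HtmlEncode` requires .NET 4 or later, and the inputs in `Main` are constructed.

```csharp
using System;
using System.Net;

// Added example: hypothetical helper names, not part of ASP.NET.
public static class OutputSafety
{
    // Body context: request validation only rejects suspicious input, so
    // anything echoed into HTML is still trimmed, length-capped and encoded here.
    public static string ForHtmlBody(string untrusted, int maxLength)
    {
        string s = (untrusted ?? string.Empty).Trim();
        if (s.Length > maxLength) s = s.Substring(0, maxLength);
        return WebUtility.HtmlEncode(s);
    }

    // Header context: HTML encoding is the wrong tool for "Location:".
    // Accept only a site-relative path with no control characters,
    // otherwise fall back to a fixed page chosen by the application.
    public static string ForLocationHeader(string untrusted, string fallback)
    {
        if (string.IsNullOrEmpty(untrusted)) return fallback;
        foreach (char c in untrusted)
        {
            if (char.IsControl(c)) return fallback;   // CR, LF, NUL, tab, ...
        }
        bool siteRelative =
            untrusted.StartsWith("/", StringComparison.Ordinal) &&
            !untrusted.StartsWith("//", StringComparison.Ordinal) &&
            !untrusted.Contains("\\");
        return siteRelative ? untrusted : fallback;
    }

    public static void Main()
    {
        // Constructed sample inputs.
        Console.WriteLine(ForHtmlBody("  <script>alert(1)</script>  ", 64));
        Console.WriteLine(ForLocationHeader("/account/home", "/"));
        Console.WriteLine(ForLocationHeader("/x\r\nX-Constructed: 1", "/"));
        Console.WriteLine(ForLocationHeader("//other.example/", "/"));
    }
}
```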