RE: Pen-tester's analysis of .NET security?

From: Lachniet, Mark (mlachniet_at_sequoianet.com)
Date: 03/25/04

    Date: Thu, 25 Mar 2004 12:37:57 -0500
    To: "Frank Knobbe" <frank@knobbe.us>
    
    

    Sorry, I wasn't being clear - what I am trying to describe is what
    happens when the default .NET error trace trapping is turned on, and you
    get an exception (from an XSS attack, etc.). At this point, it will
    throw up an error message stating that an XSS attack was attempted, and
    reiterate the bad input you gave it, but sanitize it so it's not
    interpreted as HTML. This sanitization only happens in the HTML body,
    not the Location header.

    Obviously it would vary greatly depending on how it's implemented, and
    many people probably don't use it.

    As noted in the URL given below:

    ----------snip--------------

    The forgotten collections

    As far as I can tell there seems to be no checking against the Headers
    and ServerVariables collections. I agree these are not so 'popular' as
    the previous three, but if the attempt was to offer maximum security
    right out of the box I don't know why they've been excluded. Anyway, it
    should be great to hear some 'official' comments on this :)

    Mark Lachniet

    > -----Original Message-----
    > From: Frank Knobbe [mailto:frank@knobbe.us]
    > Sent: Thursday, March 25, 2004 12:11 PM
    > To: Lachniet, Mark
    > Cc: jeff@jeffbryner.com
    > Subject: RE: Pen-tester's analysis of .NET security?
    >
    > On Thu, 2004-03-25 at 08:23, Lachniet, Mark wrote:
    > > Actually, I believe .NET does convert the naughty strings to safe
    > > representations that are not interpreted as HTML by the browser, in
    > > the body anyway...
    > >
    > > However, it does *not* do this in the headers - esp. the "Location:"
    > > header. But how difficult is this to exploit in the real world?
    >
    > Mark,
    >
    > according to the URL Jeff has referenced
    > (http://weblogs.asp.net/vga/archive/2003/05/02/6329.aspx), it
    > only validates input.
    >
    > Where do you think the conversion takes place? On output to
    > the browser behind the scenes? Or do we have to pipe all
    > output through a function now?
    >
    > The way I read that link above is that the HTTP Request
    > handler can optionally check for dangerous characters, and if
    > found, throw an error page. Or am I reading the wrong reference?
    >
    > Regards,
    > Frank
    >
    >
    > PS: I know it doesn't do all this automatically because the
    > webapp I've been currently looking at is run by .NET and
    > vulnerable to XSS all over the place :)
    >

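As an added illustration of the distinction Mark draws (this is example code, not code from the thread, from ASP.NET's request validation, or from the referenced blog), the C# below HTML-encodes echoed input for the body and applies a separate validation check to a Location header value, where HTML encoding buys nothing; the class, method names and sample strings are assumptions constructed for the example.

```csharp
using System;
using System.Net;

// Added example (not ASP.NET's own code). The body and a response header are two
// different output contexts: encoding that makes input harmless in HTML does not
// make it harmless in a Location header, which needs its own check.
public static class ReflectionContexts
{
    // Body context: HTML-encode so echoed input renders as text rather than markup.
    public static string EncodeForHtmlBody(string echoedInput) =>
        WebUtility.HtmlEncode(echoedInput ?? string.Empty);

    // Header context: reject, don't encode. A Location value must contain no CR/LF or
    // other control characters (they terminate the header) and, to avoid sending users
    // off-site, must be a site-local path. Returns true only when the value may be emitted.
    public static bool IsSafeLocation(string target)
    {
        if (string.IsNullOrEmpty(target)) return false;
        foreach (char c in target)
            if (c < 0x20 || c == 0x7F) return false;          // CR, LF, other controls
        if (!target.StartsWith("/") || target.StartsWith("//") || target.StartsWith("/\\"))
            return false;                                       // absolute or protocol-relative
        return Uri.TryCreate(target, UriKind.Relative, out _);  // parses as a relative URI
    }

    // Builds the response the way a handler should: encode for the body, validate for
    // the header, and fall back to a fixed path when the requested target fails validation.
    public static (string Body, string Location) BuildResponse(string echoedInput, string requestedTarget)
    {
        string body = "<p>Rejected input: " + EncodeForHtmlBody(echoedInput) + "</p>";
        string location = IsSafeLocation(requestedTarget) ? requestedTarget : "/error";
        return (body, location);
    }

    public static void Main()
    {
        // Constructed sample values, not taken from any real request.
        string suspicious = "<script>alert(1)</script>";
        string lineBreakInTarget = "/home\r\nX-Injected: yes";
        var (body, location) = BuildResponse(suspicious, lineBreakInTarget);
        Console.WriteLine(body);       // markup in the body is encoded, so it displays as text
        Console.WriteLine(location);   // the header value is replaced by the fixed fallback path
        Console.WriteLine(IsSafeLocation("/account/settings"));   // site-local path: accepted
        Console.WriteLine(IsSafeLocation("http://example.com/"));  // absolute URL: rejected
    }
}
```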

