RE: Pen-tester's analysis of .NET security?

From: Frank Knobbe (frank_at_knobbe.us)
Date: 03/26/04

    To: Dominick Baier <db@die-lounge.com>
    Date: Fri, 26 Mar 2004 15:54:26 -0600

    On Fri, 2004-03-26 at 02:29, Dominick Baier wrote:
    > however there is a bug in asp.net 1.1 with null characters :
    >
    > won't work
    > http://foo.bar/search.aspx?term=<SCRIPT>alert('Vulnerable')</SCRIPT>
    >
    > will work
    >
    > http://foo.bar/search.aspx?term=<%00SCRIPT>alert('Vulnerable')</SCRIPT>

    What did I say earlier about not trusting the OS? Perfect example here.
    You can't trust anybody but your own code :)

    Any idea why Microsoft is filtering for "<SCRIPT>" specifically and not
    just "<" and ">"?

    Regards,
    Frank
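As an added illustration (this is not code from the thread, nor ASP.NET's own request validation; the blocklist function is an assumed model of the behaviour Dominick describes, and Python is used because the point is language-independent), a sketch contrasting a literal "<SCRIPT>" blocklist with the encode-everything approach Frank argues for:

```python
import html

# Constructed inputs modelled on the two URLs quoted in the thread
# (the %00 in the query string reaches the handler as a NUL character).
PLAIN_PAYLOAD = "<SCRIPT>alert('Vulnerable')</SCRIPT>"
NUL_PAYLOAD = "<\x00SCRIPT>alert('Vulnerable')</SCRIPT>"


def tag_blocklist_rejects(term: str) -> bool:
    """Model of a filter that only looks for the literal tag '<script>'.
    Assumption: this stands in for the behaviour the thread describes; it is
    not ASP.NET's real request-validation code. Because the NUL sits between
    '<' and 'SCRIPT', the substring comparison never matches."""
    return "<script>" in term.lower()


def render_blocklisted(term: str) -> str:
    """Reflect the search term into the page, trusting the blocklist alone."""
    if tag_blocklist_rejects(term):
        raise ValueError("request rejected by tag blocklist")
    return f"<p>You searched for: {term}</p>"


def canonicalize(term: str) -> str:
    """Defence in depth: drop control characters (NUL included) before any
    validation, so a filter at least sees the same text a browser would."""
    return "".join(ch for ch in term if ch.isprintable() or ch.isspace())


def render_encoded(term: str) -> str:
    """Frank's point: rely on your own code. Encode every HTML metacharacter
    on output, so no input, with or without NUL tricks, can open a tag."""
    return f"<p>You searched for: {html.escape(canonicalize(term), quote=True)}</p>"


def leaks_raw_tag(page: str) -> bool:
    """Did an unencoded '<' followed by 'script' reach the rendered page?
    NULs are ignored here, mirroring the lenient parsing the thread reports."""
    return "<script" in page.replace("\x00", "").lower()
```

The blocklist accepts the NUL variant and reflects a raw tag, while the encoded renderer emits `&lt;SCRIPT&gt;` for both inputs.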
