RE: ASP Security

From: Gaziel, Avishay (agaziel@kpmg.com)
Date: 01/27/02

• Previous message: Pavel Kankovsky: "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs"
• Maybe in reply to: ishaybas@netvision.net.il: "ASP Security"
• Next in thread: Mark Curphey: "RE: ASP Security"
• Reply: Mark Curphey: "RE: ASP Security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Gaziel, Avishay" <agaziel@kpmg.com>
To: "'ishaybas@netvision.net.il'" <ishaybas@netvision.net.il>
Date: Sun, 27 Jan 2002 11:57:21 -0500

Hi Ishay
Security issues regarding .asp codes is only a small part of a security
issue called
"Unexpected Input".
Briefly, what you are looking for is articles about "sql injection"
which is a method of injecting your own sql statement to a statement built
using
the .asp
you can find a good starting point @:
www.sqlsecurity.com
www.owasp.com

Avishay

-----Original Message-----
From: ishaybas@netvision.net.il [mailto:ishaybas@netvision.net.il]
Sent: þâ 22 éðåàø 2002 18:34þ
To: vuln-dev@securityfocus.com
Subject: ASP Security

Hello,

I am doing a vulnerability development on a product which uses some .ASP
pages,
and I am looking for some papers regarding security issues of ASP code.

Anyone?

Thanks.

---
Time is short.
I am short.
Therefore I am time.
Ishay Sommer
*****************************************************************************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized. 
If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter.         
*****************************************************************************

---

• Previous message: Pavel Kankovsky: "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs"
• Maybe in reply to: ishaybas@netvision.net.il: "ASP Security"
• Next in thread: Mark Curphey: "RE: ASP Security"
• Reply: Mark Curphey: "RE: ASP Security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages SQL Security in ASP Applications ... SQL 2000 through ASP. ... This is my first time doing this; ... I'm am trying to settle on a security model, that is effective, but is quick ... (microsoft.public.sqlserver.security) SQL Security in ASP ... SQL 2000 through ASP. ... This is my first time doing this; ... I'm am trying to settle on a security model, that is effective, but is quick ... (microsoft.public.sqlserver.security) Re: File Upload - Security Issues ... You want to upload a file for what reason and you do ... file and what pitfalls you see re: security might be helpful on this end?! ... files to an IIS server that doesn't have MS Office actually installed? ... 2* Upon submit this is submitted to an ASP page that then (using the XML ... (microsoft.public.scripting.vbscript) AW: ASP Dot Net Security Guidelines ... Betreff: Re: ASP Dot Net Security Guidelines ... Basically you'll treat an asp.net application server as you would an asp ... > to set the permissions as it brings up access denied errors on the ... (Focus-Microsoft) Re: VB Component debugging as anonymous access ... formatting the date on the LCID 1046 as dd/mm/yyyy, ... behavior both in ASP and in my component, ... security on the Web Server, ... Thats why I need the debugger ... (microsoft.public.inetserver.asp.components)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > vuln-dev  > 2002-01