Re: Security overview

Hi Paolo,

Thanks for your reply.

I found the article very interesting, but it failed to answer my former
question.
From what I understand, an XSS attack consists in the attacker redirecting a
visitor to a victim web site while inserting his own script in a field
(hidden or unnoticed) of the web site, so that when the user interacts with
the web site the code is executed.

If this is correct then my question arises again. If the ASP.NET
framework validates all form fields' input for harmful values (let's
say script identifiers), how can the attacker's code be executed?

That's my point.

From what I read in the article, it seems that the ASP.NET protection
could be faulty, being based on "black lists" instead of "white lists"
and so being unable to handle new script identifiers of new harmful
code. Is that the reason?

Anyway, I still don't understand why MS advises you in the online help to
validate all user input against special characters if the ASP.NET
framework already does it. In this way they are covertly saying that
the ASP.NET protection doesn't always work.

I'm still a bit confused about this.

Paolo De Nictolis, Eng. [441410] wrote:

Hi Arturo,
please check the AntiXSS Library:
http://www.programmazione.it/index.php?entity=eitem&idItem=33147.

Paolo

"Arturo Buonanni" <leave_this_out_deer.chief.this.also@xxxxxxxxx>
wrote in message
news:Xns97899EE018350Arturo.Buonanni@xxxxxxxxxxxxxxxx
I'm a programmer new to ASP.NET and web development in general.

I'm going to code a web application and I'm concerned about the
security issues that arise on this field (that's new to me).

I'm using VWD2005 Express Ed. and I've read the online help about
security.

Now I have a doubt about one thing. The online help states that you
have to validate every user input against script exploits and SQL
injection, and that's quite fair. But it also states that ASP.NET
validates every "request" against potentially harmful values
(i.e. scripts). Now, if ASP.NET doesn't allow dangerous values in
the request for pages, how can one use script exploits? Why code
against script exploits in every page if dangerous values are not
meant to ever reach the page?

I'm new to web development as I've said so I'm probably missing
something and I'd like to know what it is.

Thanks.
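The distinction the thread circles around, written out as an added example (Python, not ASP.NET's request validation and not the AntiXSS library's code): a blacklist filter that rejects only the tokens it has been told about, next to an allowlist encoder that encodes every character outside a fixed safe set before the value is echoed into a page. The token list, the safe set and the sample inputs are all constructed for illustration.

```python
# Constructed, illustrative token list standing in for a blacklist-style
# request filter like the one discussed in the thread (not ASP.NET's list).
BLACKLIST_TOKENS = ("<script", "javascript:", "onload=")

# Characters the allowlist encoder passes through unchanged. Everything else
# becomes a numeric character reference, so the encoder never needs to know
# which tokens are "dangerous" (the principle behind AntiXSS, not its code).
SAFE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .,_-"
)


def blacklist_rejects(value: str) -> bool:
    """Blacklist check: reject only when a known-bad token is present."""
    lowered = value.lower()
    return any(token in lowered for token in BLACKLIST_TOKENS)


def allowlist_html_encode(value: str) -> str:
    """Allowlist encoding for HTML text content: keep safe chars, encode the rest."""
    return "".join(c if c in SAFE_CHARS else f"&#{ord(c)};" for c in value)


def render_greeting(name: str) -> str:
    """Echo user input into the page body through the allowlist encoder."""
    return f"<p>Hello, {allowlist_html_encode(name)}!</p>"


def compare(value: str) -> dict:
    """Show what each defence does with one input."""
    encoded = allowlist_html_encode(value)
    return {
        "blacklist_rejects": blacklist_rejects(value),
        # Raw markup delimiters never survive encoding, whatever the input was;
        # '&' is excluded from the check because the references themselves use it.
        "markup_survives_encoding": any(c in encoded for c in "<>\"'"),
        "encoded": encoded,
    }


SAMPLES = (                  # constructed inputs, not taken from any real request
    "Arturo",                # harmless text
    "<script>",              # a token the blacklist knows about
    "<b>hello</b>",          # markup the blacklist does not know, still HTML
    'Tom & "Jerry"',         # legitimate text that a naive filter might reject
)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), compare(sample))
```

The encoder here is for HTML text content only; attribute, URL and script contexts each need their own encoding rules.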