Penetration Testing mailing list archives

Re: Injection attacks in ASPX/ASP.NET applications
From: Krugger <merc4krugger () gmail com>
Date: Tue, 2 Sep 2008 11:24:53 +0100

Hi,

I have very limited experience with ASP.NET, but just a few days ago I
came across one of these applications.

As others have said, it seems very green people are writing code these
days. LDAP injection is likely on AD queries for auth, as well as SQL
injection, as the user input is directly added to SQL statements
without any kind of checks.

The validate request option allows for some XSS protection, as it will give an
error when passed unencoded HTML tags as input. I don't think it also
covers SQL injection.

For SQL injection prevention you should consider using something like
prepared statements. Look up SqlDataAdapter and pass parameters to the
query.

Krugger
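As an added illustration of the advice in this post (example code written for this archive page, not code from the poster or from any project), the block below puts the two patterns side by side for an ASP.NET login lookup: the string-concatenated query the post warns about, and the parameterized SqlCommand/SqlDataAdapter form it recommends. It also covers the LDAP side the post mentions, since ADO.NET-style parameters do not exist for directory search filters and the input has to be escaped per RFC 4515 instead. The table name `dbo.Users`, the column names, the connection string and the LDAP path are all placeholder assumptions.

```csharp
// Added example, not from the original post. Assumptions (placeholders):
// a SQL Server table dbo.Users(Username, PasswordHash), a connection string
// supplied by the caller, and an AD path such as "LDAP://DC=example,DC=local".
using System;
using System.Data;
using System.Data.SqlClient;
using System.DirectoryServices;
using System.Text;

public static class AuthQueries
{
    // VULNERABLE: the pattern the post describes. User input is pasted into the
    // SQL text, so any quote character in the input changes the statement's
    // structure instead of being treated as data.
    public static string BuildVulnerableQuery(string username)
    {
        return "SELECT Username FROM dbo.Users WHERE Username = '" + username + "'";
    }

    // HARDENED: the SQL text is a constant and the value travels as a typed
    // parameter. The database never parses the input as part of the statement.
    public static DataTable LookupUser(string connectionString, string username)
    {
        const string sql = "SELECT Username FROM dbo.Users WHERE Username = @username";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declaring the type and length also blocks oversized input.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
            using (var adapter = new SqlDataAdapter(cmd))
            {
                var table = new DataTable();
                adapter.Fill(table); // Fill opens and closes the connection itself
                return table;
            }
        }
    }

    // LDAP filters have no parameter binding, so the special characters of
    // RFC 4515 must be escaped before the value is embedded in the filter.
    public static string EscapeLdapFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // AD lookup with the escaped value; the filter structure stays fixed.
    public static SearchResult FindAdUser(string ldapPath, string samAccountName)
    {
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(sAMAccountName="
                              + EscapeLdapFilterValue(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            return searcher.FindOne();
        }
    }

    public static void Main()
    {
        // A legitimate name with an apostrophe is enough to break the
        // concatenated form; the parameterized form handles it as plain data.
        Console.WriteLine(BuildVulnerableQuery("O'Brien"));
        Console.WriteLine(EscapeLdapFilterValue("(admin*)"));
    }
}
```

The same `@username` parameter style works whether the command is executed directly with `ExecuteReader` or handed to a `SqlDataAdapter` as above; the point is that the statement text never changes with the input. For the LDAP case, escaping is the only available defence at the filter level, so it should be applied to every user-controlled value and combined with a fixed, minimal filter template.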
