Penetration Testing
mailing list archives
Re: Injection attacks in ASPX/ASP.NET applications
From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Mon, 01 Sep 2008 12:43:27 +0100
Serg B wrote:
> I was under the impression that an SQL injection is a flaw based on
> individuals programming ability and not the language itself.
> To me, what you are saying sounds like: a car model X is crap because
> the driver crashed it into a tree.

.. by setting "autocruise" and letting go of the wheel to answer his phone.

ASP.net is no more or less secure than almost any other server-side
executable; almost invariably though, someone comes along trying to tout
their (usually platform specific or proprietary) language du-jour as the
most secure ever because.... when in fact it could possibly offer some
security advantages over another language (less buffer overflows in
standard library functions, for example) but you can still write
insecure code in it more easily than secure code.

That said, a language that is inherently secure *is* possible, but
nobody would ever use it as the limitations would be too great (no file
system access under any circumstances, no IP connectivity other than via
the query/response channel in the webserver, and so forth).