Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Does .aspx protect against sql injection?Any way to bypass it? Cookie SQL Injections?

Does .aspx protect against sql injection?Any way to bypass it? Cookie SQL Injections?

From: Danett song <danett18_at_yahoo.com.br>
Date: Tue, 6 Feb 2007 22:03:04 -0300 (ART)

 Hi guys,

I looked at some microsoft documentation (
http://www.microsoft.com/downloads/details.aspx?FamilyID=e9c4bfaa-af88-4aa5-88d4-0dea898c31b9
), and appear that .NET framework prevent a bunch of
web attack classes.

Also appear that this security enhancement is in .NET
framework, providing programming functions and
features that help to make .apsx applications more
safe, however many parts yet are responsible from the
developer, like input valudation. So in the reality
doesn't appear that .NET framework provide a robust
barrier to protect against this attacks (like a web
application firewalll, example F5 web firewall), i'm
right? Even cause they suggest to use aditional
IISLockdown, URLscan, ISAPI filter, etc.

My main doubt is, is there any evasion methods used to
bypass this common chcecks provided from .NET
framework to difficult SQL injections, XSS, etc?

I made some tests in a new lab machine installed with
Windows 2003, SQL server and IIS. All inputed were
well validaded, so i were not able to abuse of any sql
injection or xss (maybe it's in the .aspx code that
were well wrote? Maybe in the .NET framework that
prevent some attacks like a web application firewall?
Maybe a IISLockdown + URLScan + ISAPI filter),
however I think it doesn't check/filter session
values, I made a test setting the "Cookie" value with
some chars like quote (as used in sql injection tests
via url) and I got this error from the application
(showing the server is using a SQL Server):

invalid character value for cast specification

I never tryed to exploit a sql injection in cookie
values and never had seen this error before (which
appear to be a cast conversion error).... any tip for
me? Any document (link) ?

Also I know (cause the server is in my lab) that some
this filters in input validation are been made by the
.apsx code, cause the developer made it. But a
attacker is able to remotly recoganize who is making
this checks (if it's in the .aspx code that were well
wrote? If in the .NET framework that prevent some
attacks like a web application firewall? If is a
IISLockdown + URLScan + ISAPI filter)? How?

thank you,

Cheers

__________________________________________________
Fale com seus amigos de graça com o novo Yahoo! Messenger
http://br.messenger.yahoo.com/

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level
attacks that hackers use to sneak into web applications today. This
whitepaper will discuss how traditional XSS attacks are performed, how to
secure your site against these attacks and check if your site is protected.
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHA
--------------------------------------------------------------------------
Received on Feb 07 2007

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos