Re: Pen-tester's analysis of .NET security?

From: Frank Knobbe (frank@knobbe.us)
Date: Wed Mar 24 2004 - 19:28:03 EST

• Next message: Joel Friedman: "RE: Pen-tester's analysis of .NET security?"
• Previous message: sil: "Re: Oracle DB Audity"
• In reply to: Jeff Bryner: "Re: Pen-tester's analysis of .NET security?"
• Next in thread: Joel Friedman: "RE: Pen-tester's analysis of .NET security?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Wed, 2004-03-24 at 17:59, Jeff Bryner wrote:
> ADODB doesn't but .net 1.1 does filter for CSS input. Code up a basic
> page and enter <scrip in a text box and you'll trigger a
> HttpRequestValidationException

I see. So it checks at request time when you use HttpRequest. (Sorry, I
had my mind on the database facing side :)

But isn't that all it does? I mean, you are still left with converting
the content of the caught string yourself, using HTMLEncode or similar.
In other words, all it does is detect that dangerous characters are
present. It doesn't protect you by converting them.

Which means you are still left to do the conversion (and space trimming,
and cutting to maxlength....) yourself...

Regards,
Frank

• application/pgp-signature attachment: This is a digitally signed message part

• Next message: Joel Friedman: "RE: Pen-tester's analysis of .NET security?"
• Previous message: sil: "Re: Oracle DB Audity"
• In reply to: Jeff Bryner: "Re: Pen-tester's analysis of .NET security?"
• Next in thread: Joel Friedman: "RE: Pen-tester's analysis of .NET security?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT