RE: Pen-tester's analysis of .NET security?

From: Joel Friedman (jfriedman@datapipe.com)
Date: Wed Mar 24 2004 - 20:53:20 EST


Here is an excerpted copy of an email correspondence I had with Dinis Cruz,
.Net Security Consultant:

Thank you for your interest in our Asp.Net security research. I have compiled
most of our Asp.Net content (including the security guides) in an
unpublished paper called "Undocumented Asp.Net Security" (110 pages):

...

      * You can download it from here: http://www.ddplus.net/projects/Undocumented_ASP.NET_Security_V0.91.zip

Because you need to ensure the security and resilience of your web
servers, I would call your attention to the Asp.Net Security Analyzer
(ANSA) web application, created and developed by us.

ANSA has been donated to the OWASP (Open Web Application Security
Project), and we are now active members of their DotNet development
efforts.

      * Main OWASP DotNet page: http://www.owasp.org/dotnet

...

Joel Friedman, CISSP

-----Original Message-----
From: Lachniet, Mark [mailto:mlachniet@sequoianet.com]
Sent: Wednesday, March 24, 2004 2:48 PM
To: pen-test@securityfocus.com
Subject: Pen-tester's analysis of .NET security?

Is anyone aware of a whitepaper or analysis of the security features
(and weaknesses?) of Microsoft's .NET platform for web applications? A
number of interesting features, such as input validation and session
tracking, are built into .NET, and I'd be interested to hear if anyone
has kicked it around much.

Please note, I am *not* interested in references to Microsoft
documentation, developer web sites, or conventional information sources,
but rather information from the viewpoint of a pen-tester doing web
application security analysis work.

Thank you in advance,

Mark Lachniet

---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT