RE: Pen-tester's analysis of .NET security?

From: Lachniet, Mark (mlachniet@sequoianet.com)
Date: Thu Mar 25 2004 - 09:23:11 EST


Actually, I believe .NET does convert the naughty strings to safe
representations that are not interpreted as HTML by the browser, in the
body anyway...

However, it does *not* do this in the headers - esp. the "Location:"
header. But how difficult is this to exploit in the real world?

Mark Lachniet

> -----Original Message-----
> From: Frank Knobbe [mailto:frank@knobbe.us]
> Sent: Wednesday, March 24, 2004 7:28 PM
> To: jeff@jeffbryner.com
> Cc: Lachniet, Mark; pen-test@securityfocus.com
> Subject: Re: Pen-tester's analysis of .NET security?
>
> On Wed, 2004-03-24 at 17:59, Jeff Bryner wrote:
> > ADODB doesn't but .net 1.1 does filter for CSS input. Code up a basic
> > page and enter <scrip in a text box and you'll trigger a
> > HttpRequestValidationException
>
> I see. So it checks at request time when you use HttpRequest.
> (Sorry, I had my mind on the database facing side :)
>
> But isn't that all it does? I mean, you are still left with
> converting the content of the caught string yourself, using
> HTMLEncode or similar.
> In other words, all it does is detect that dangerous
> characters are present. It doesn't protect you by converting them.
>
> Which means you are still left to do the conversion (and
> space trimming, and cutting to maxlength....) yourself...
>
> Regards,
> Frank
>
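
The two output contexts discussed in this thread, the HTML body and the "Location:" header, as an added example that is not code from any poster. The class and method names are hypothetical, and the redirect policy (site-relative paths only) is an assumption chosen for the illustration.

```csharp
using System;
using System.Web; // HttpUtility.HtmlEncode

// Added illustration; names are hypothetical, not from the thread.
public static class OutputSafety
{
    // Body context: trim, cut to a maximum length, then encode on output
    // so markup characters are rendered as text by the browser.
    public static string ForHtmlBody(string untrusted, int maxLength)
    {
        if (untrusted == null) return string.Empty;
        string s = untrusted.Trim();
        if (s.Length > maxLength) s = s.Substring(0, maxLength);
        return HttpUtility.HtmlEncode(s);
    }

    // Header context: HTML encoding does not apply to "Location:".
    // Assumed policy: accept only a site-relative path with no control characters.
    public static bool IsSafeLocalRedirect(string target)
    {
        if (string.IsNullOrEmpty(target)) return false;
        foreach (char c in target)
            if (char.IsControl(c)) return false;   // CR/LF must never reach a header
        if (target[0] != '/') return false;        // must start at the site root
        if (target.Length > 1 && (target[1] == '/' || target[1] == '\\'))
            return false;                          // "//host" or "/\host" leaves the site
        return true;
    }

    // Fall back to a fixed page when the requested target fails the check.
    public static string RedirectTargetOrDefault(string target, string fallback)
    {
        return IsSafeLocalRedirect(target) ? target : fallback;
    }

    public static void Main()
    {
        // Constructed sample inputs.
        Console.WriteLine(ForHtmlBody("  <b>hi</b> & bye  ", 64));
        Console.WriteLine(RedirectTargetOrDefault("/account/home", "/"));
        Console.WriteLine(RedirectTargetOrDefault("/ok\r\nX-Test: 1", "/"));
        Console.WriteLine(RedirectTargetOrDefault("//other.example/login", "/"));
    }
}
```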
