RE: Pen-tester's analysis of .NET security?

From: Dominick Baier (db@die-lounge.com)
Date: Fri Mar 26 2004 - 03:29:35 EST

• Next message: Scott Egbert: "Re: Oracle DB Audity"
• Previous message: Jon Hart: "Re: nmap shows open UDP port 113"
• In reply to: H D Moore: "Re: Pen-tester's analysis of .NET security?"
• Next in thread: Frank Knobbe: "RE: Pen-tester's analysis of .NET security?"
• Reply: Frank Knobbe: "RE: Pen-tester's analysis of .NET security?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

some other info...

per default each asp.net webform (1.1) has a implicit property
"ValidateRequest" which is set to true. you can set this property at
machine, application and page level.

If this is on - asp.net will check for <SCRIPT> (and maybe other tags) in
query strings, form fields and cookies.

however there is a bug in asp.net 1.1 with null characters :

won't work
http://foo.bar/search.aspx?term=>alert('Vulnerable')</SCRIPT>

will work
http://foo.bar/search.aspx?term=<%00SCRIPT>alert('Vulnerable')</SCRIPT>

description and fix :
http://support.microsoft.com/default.aspx?scid=kb;en-us;821349

dominick

-----Original Message-----
From: H D Moore [mailto:sflist@digitaloffense.net]
Sent: Donnerstag, 25. März 2004 05:36
To: pen-test@securityfocus.com
Subject: Re: Pen-tester's analysis of .NET security?

On Wednesday 24 March 2004 13:47, Lachniet, Mark wrote:
> Is anyone aware of a whitepaper or analysis of the security features
> (and weaknesses?) of Microsoft's .NET platform for web applications?

Breaking ASP.Net - Cansecwest 2002
http://www.digitaldefense.net/labs/presentations/Breaking.ASP.NET/

Covers overflow in the state server (fixed in post-1.0 update), session
fixation through cookieless sessions, various common misconfigurations.

DotNetAppScan - Random Tool Release (TM)
http://www.digitaloffense.net/dnascan.pl.gz

Use some somewhat outdated tricks to get more information about the remote
application's ASP.Net configuration (web.config). Sometimes this yields
fun results (missing ViewStateMac, CustomErrors off, or Trace enabled).

The built-in input validation is rarely used on production web sites of
any complexity, the application will throw errors even when benign data
is entered into a text field. The end result is that most web sites don't
use it, so XSS is fairly trivial.

If Forms Authentication crypto has been disabled, it is trivial to brute
force a cookie value that decodes to a valid session. This is a rare
occurrence, but people have been known to do it for performance reasons.

The VIEWSTATE variable is a base64-encoded Triplet object with a
cryptographic hash appended to the end. You can find freeware ViewState
decoders by searching google, the format really isn't too complicated.
Analyzing the ViewState at various states can give you some hints as to
how the application works. If crypto validation is disabled on the
ViewState, very bad things can happen, fortunately this is rare...

If sliding expirations are enabled for Forms Authentication, there is a
real chance of a session collisions. I know of one site which ran into
this issue, users kept landing in other users sessions during the session
renewal. AFAIK (and the MS changelogs show) this has not been resolved.
The magic sequence here is to create a session (login), sleep til right
before expiration, then renew again, you have a decent change of landing
in someone else's session. This could have been application-specific (due
to the key used to create the session), but if it happened there, it can
happen elsewhere.

The FileSystem class accepts unicode sequences IIRC, you can use this to
perform directory traversal attacks in some cases.

SQL insertion is still a big concern, however I ran across a similar issue
with XML data. Many ASP.Net apps will create XML data from form input, it
is very possible to close out one element and create another one. This
allows you to spoof all elements past the one containing user data. If
this XML data is then used in file system or SQL operations, bad things
can happen there too...

Anyhow, just a quick dump off the top of my head, if anyone else has more
info to add, I would definitely be interested.

-HD

---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------

---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------

• Next message: Scott Egbert: "Re: Oracle DB Audity"
• Previous message: Jon Hart: "Re: nmap shows open UDP port 113"
• In reply to: H D Moore: "Re: Pen-tester's analysis of .NET security?"
• Next in thread: Frank Knobbe: "RE: Pen-tester's analysis of .NET security?"
• Reply: Frank Knobbe: "RE: Pen-tester's analysis of .NET security?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT