Welcome to the Virus.Org Mailing List Archive




Re: Pen-tester's analysis of .NET security?

  • To: [EMAIL PROTECTED]
  • Subject: Re: Pen-tester's analysis of .NET security?
  • From: Frank Knobbe <[EMAIL PROTECTED]>
  • Date: Wed, 24 Mar 2004 18:28:03 -0600
  • Cc: "Lachniet, Mark" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]>
On Wed, 2004-03-24 at 17:59, Jeff Bryner wrote:
> ADODB doesn't but .net 1.1 does filter for CSS input. Code up a basic
> page and enter <scrip in a text box and you'll trigger a
> HttpRequestValidationException 

I see. So it checks at request time when you use HttpRequest. (Sorry, I
had my mind on the database-facing side :)

But isn't that all it does? I mean, you are still left with converting
the content of the caught string yourself, using HTMLEncode or similar.
In other words, all it does is detect that dangerous characters are
present. It doesn't protect you by converting them.

Which means you are still left to do the conversion (and space trimming,
and cutting to maxlength....) yourself...

Regards,
Frank






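The split Frank describes, a request-time check that only detects suspicious characters versus the output conversion (trimming, maxlength, HTML encoding) the developer still owes, as an added illustration that is not part of this thread. The heuristic below is an assumption approximating ASP.NET 1.1 request validation, not Microsoft's code; `RequestValidationError` stands in for HttpRequestValidationException.

```python
import html

MAX_LEN = 40  # assumed field maxlength for the example


class RequestValidationError(ValueError):
    """Stand-in for HttpRequestValidationException (constructed for this example)."""


def looks_dangerous(value: str) -> bool:
    """Approximation of the 1.1 request-validation heuristic (an assumption):
    flag '<' followed by a letter, '!', '/' or '?', and the '&#' entity prefix.
    It only answers yes/no; nothing in the string is changed."""
    for i, ch in enumerate(value):
        if ch == "<" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt.isalpha() or nxt in "!/?":
                return True
        if ch == "&" and value.startswith("&#", i):
            return True
    return False


def validate_request(value: str) -> str:
    """Request-time gate: raise on a suspicious value, otherwise pass it through
    untouched. This is all the detection step does; '&' and '"' survive as-is."""
    if looks_dangerous(value):
        raise RequestValidationError("potentially dangerous value detected")
    return value


def sanitize_for_html(value: str, max_len: int = MAX_LEN) -> str:
    """Developer-side conversion the thread says is still left to you:
    trim whitespace, cut to maxlength, then HTML-encode (including quotes)."""
    cleaned = value.strip()[:max_len]
    return html.escape(cleaned, quote=True)


def handle_field(value: str) -> str:
    """Full pipeline for one text-box value: detect first, then convert."""
    validate_request(value)
    return sanitize_for_html(value)
```

Feeding `<scrip` raises, while `Tom & "Jerry"` passes validation unchanged and only becomes safe for HTML output after `sanitize_for_html`.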

Copyright (c) Virus.Org 1997-2006.