
New ProCheckUp ValidateRequest Bypass

September 6th, 2008 Anthony Towry

ProCheckUp has just published a new ValidateRequest XSS bypass paper.  I unfortunately have not had time to verify the information in the paper, but everything I've read appears to be in line with the information Michael Eddington published earlier this year.

Microsoft has some interesting goodies (patches) coming out this next Tuesday regarding .Net, IE and friends.  Related?  Maybe.

There has recently been a good discussion on the penetration-testing mailing list about breaking ASP.NET applications.  There are several ways a developer can introduce XSS vulnerabilities into an ASP.NET application, but it certainly is one of the more secure web development frameworks.  The danger comes in relying on the framework to know what is acceptable and what isn't.  ValidateRequest makes a good attempt, but as this paper shows, it is not a complete solution even for the most generic pages.

Use the Anti-XSS library, devs!

Posted in Security, Web development

ASP.NET 2.0 Worse Off Against XSS Than ASP.NET 1.1

April 25th, 2008 Anthony Towry

Michael Eddington recently posted some interesting information on the differences between request validation in ASP.NET 1.1 and ASP.NET 2.0.  Beyond the details he posts, which are good things to know, I think this should raise a point.

I can't stress this enough: do not rely on framework built-ins for your security.  It's easy for developers to start down the road of relying on framework features.  Don't do it.  Practice defense in depth and do your own input validation and output encoding in addition to whatever your framework of choice offers.
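To make the advice in this post and the ProCheckUp post above concrete, here is an added example (mine, not code from either post or from Microsoft) of a Web Forms code-behind that leaves ValidateRequest at its default but does not depend on it.  It assumes a page markup with a Label named lblGreeting and a Literal named litBackLink, and it assumes the Anti-XSS library's AntiXss class in the Microsoft.Security.Application namespace as shipped in the v1.5/3.x releases (HtmlEncode, HtmlAttributeEncode, JavaScriptEncode).  The IsLocalPath helper and the NamePattern allow-list are my own.

```csharp
// Greeting.aspx.cs: code-behind for a Web Forms page.
// Added example, not code from the original post.
// Assumed markup in Greeting.aspx:
//   <asp:Label ID="lblGreeting" runat="server" />
//   <asp:Literal ID="litBackLink" runat="server" />
// The @Page directive is assumed to leave ValidateRequest at its default (true).
// AntiXss.* are the Anti-XSS library's encoders (Microsoft.Security.Application,
// v1.5/3.x API assumed).
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application;

public partial class Greeting : Page
{
    // Allow-list for a display name: letters, spaces and a little punctuation,
    // bounded in length.  Input validation is the first layer.
    private static readonly Regex NamePattern =
        new Regex(@"^[\p{L} .'\-]{1,40}$", RegexOptions.Compiled);

    protected void Page_Load(object sender, EventArgs e)
    {
        string name = Request.QueryString["name"] ?? "guest";
        string returnUrl = Request.QueryString["returnUrl"] ?? "/";

        // Vulnerable form: request validation rejects some inputs with an
        // HttpRequestValidationException, but anything it lets through is
        // rendered verbatim, because Label.Text is not encoded.
        //   lblGreeting.Text = "Hello, " + name;

        // Layer 1: validate against what the field is supposed to contain.
        if (!NamePattern.IsMatch(name))
        {
            name = "guest";
        }

        // Layer 2: encode on output, for the context the value lands in
        // (HTML body here).  This holds even if request validation is bypassed
        // or turned off for the page.
        lblGreeting.Text = "Hello, " + AntiXss.HtmlEncode(name);

        // Attribute context: a user-supplied URL goes into href.  Validate the
        // shape (same-site path only), then encode for an HTML attribute.
        string safeUrl = IsLocalPath(returnUrl) ? returnUrl : "/";
        litBackLink.Text = "<a href=\"" + AntiXss.HtmlAttributeEncode(safeUrl)
                         + "\">Back</a>";

        // Script context: HtmlEncode is the wrong encoder here.  JavaScriptEncode
        // returns the value as a quoted JavaScript string literal, so it cannot
        // terminate the literal or the script block.
        string script = "var visitor = " + AntiXss.JavaScriptEncode(name) + ";";
        ClientScript.RegisterStartupScript(GetType(), "visitor", script, true);
    }

    // Accept only an absolute path on this site.  Rejects "http://evil/",
    // protocol-relative "//evil/", "/\evil" and "javascript:" URLs alike.
    private static bool IsLocalPath(string url)
    {
        return !string.IsNullOrEmpty(url)
            && url.StartsWith("/")
            && !url.StartsWith("//")
            && !url.StartsWith("/\\");
    }
}
```

The framework's own HttpUtility.HtmlEncode (Server.HtmlEncode) would also do for the body context; the Anti-XSS library's encoders differ in that they encode everything outside an allow-list of characters rather than escaping a short list of dangerous ones, and they give you one encoder per output context, which is the part developers most often get wrong.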

Thanks Michael.

Posted in Programming, Security, Web development

ASP.NET MVC Source Now On Codeplex

March 26th, 2008 Anthony Towry

If you haven't heard already, Scott Guthrie has posted some exciting news on his blog regarding the ASP.NET MVC framework.  The general geek population now has access to current releases of the code, allowing the bravest of developers to build it, play with it and debug it.

It may be a while before we see serious uptake of this framework, but I could use the lead time.

Posted in Programming, Web development
