Dailydave mailing list archives

Does .aspx Protect Against Sql Injection? Not all field right? Any way to bypass it? Cookie SQL Injections?


From: Danett song <danett18 () yahoo com br>
Date: Tue, 30 Jan 2007 23:33:49 -0300 (ART)

  Hi guys,

  Is there any new protection mechanism configured by default in the .NET Framework (or maybe IIS6) which makes .aspx files not vulnerable to SQL injection? If yes, is there any document that shows what it protects against? Is anyone aware of evasion methods to bypass it (a document link is welcome)?

  Also, I think it doesn't check/filter session values. I made a test setting the "Cookie" value with some chars like a quote (as used in SQL injection tests via URL) and I got this error from the application (showing the server is using SQL Server):

    invalid character value for cast specification

  I have never tried to exploit a SQL injection in cookie values and had never seen this error before (which appears to be a cast conversion error)... any tips for me? Any document (link)?
  
  Thank you a lot,
  
  Regards