Penetration Testing mailing list archives
Re: Injection attacks in ASPX/ASP.NET applications
From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Mon, 01 Sep 2008 12:43:27 +0100
Serg B wrote:
I was under the impression that an SQL injection is a flaw based on an individual's programming ability and not the language itself. To me, what you are saying sounds like: a car model X is crap because the driver crashed it into a tree.
.. by setting "autocruise" and letting go of the wheel to answer his phone.
ASP.net is no more or less secure than almost any other server-side executable; almost invariably, though, someone comes along trying to tout their (usually platform-specific or proprietary) language du jour as the most secure ever because.... when in fact it could possibly offer some security advantages over another language (fewer buffer overflows in standard library functions, for example) but you can still write insecure code in it more easily than secure code.
That said, a language that is inherently secure *is* possible, but nobody would ever use it as the limitations would be too great (no file system access under any circumstances, no IP connectivity other than via the query/response channel in the webserver, and so forth).