RE: Does .aspx protect against sql injection?Any way to bypass it? Cookie SQL Injections?

[Danett song <danett18 () yahoo com br>]

Hi Juan and all members,

It's very intersting. But all this checks are made by
default in ISS 6.0? If yes, who made it (a URLScan
build-in and pre configured in it) ?

Anyone more aware of other evasion techniques used
against .NET?

Someone suggest me a book or article teaching .NET web
applications flaws (a .net book for pen-testers) ?

Thank you.

Regards

--- "Calderon, Juan Carlos (GE, Corporate,
consultant)" <juan.calderon () ge com> escreveu:

> There are ways to bypass this protection, I was
> about to report it when I realized someone already
> did in Russia a few days before :(
>
> Here is the link
> http://www.securityfocus.com/archive/1/390751
>
> It is kind of hard to exploit since default encoding
> configuration should be changed. But still doable, I
> found it in one application :)
>
> Regards,
> Juan Carlos Calderon
> Application Security Program
> SCABBA Team Leader
>
> -----Original Message-----
> From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com] On Behalf Of
> Danett song
> Sent: Martes, 06 de Febrero de 2007 07:03 p.m.
> To: webappsec () securityfocus com
> Subject: Does .aspx protect against sql
> injection?Any way to bypass it? Cookie SQL
> Injections?
>
>
>  Hi guys,
>
> I looked at some microsoft documentation (
http://www.microsoft.com/downloads/details.aspx?FamilyID=e9c4bfaa-af88-4aa5-88d4-0dea898c31b9
> ), and appear that .NET framework prevent a bunch of
> web attack classes.
>
> Also appear that this security enhancement is in
> .NET framework, providing  programming functions and
> features that help to make .apsx applications more
> safe, however many parts yet are responsible from
> the developer, like input valudation. So in the
> reality doesn't appear that .NET framework provide a
> robust barrier to protect against this attacks (like
> a web application firewalll, example F5 web
> firewall), i'm right? Even cause they suggest to use
> aditional IISLockdown, URLscan, ISAPI filter, etc.
>
> My main doubt is, is there any evasion methods used
> to bypass this common chcecks provided from .NET
> framework to difficult SQL injections, XSS, etc?
>
> I made some tests in a new lab machine installed
> with Windows 2003, SQL server and IIS. All inputed
> were well validaded, so i were not able to abuse of
> any sql injection or xss (maybe it's in the .aspx
> code that were well wrote? Maybe in the .NET
> framework that prevent some attacks like a web
> application firewall?
> Maybe a IISLockdown + URLScan + ISAPI filter),
> however I think it doesn't check/filter session
> values, I made a test setting the "Cookie" value
> with some chars like quote (as used in sql injection
> tests via url) and I got this error from the
> application (showing the server is using a SQL
> Server):
>
> invalid character value for cast specification
>
> I never tryed to exploit a sql injection in cookie
> values and never had seen this error before (which
> appear to be a cast conversion error).... any tip
> for me? Any document (link) ?
>
> Also I know (cause the server is in my lab) that
> some this filters in input validation are been made
> by the .apsx code, cause the developer made it. But
> a attacker is able to remotly recoganize who is
> making this checks (if it's in the .aspx code that
> were well wrote? If in the .NET framework that
> prevent some attacks like a web application
> firewall? If is a IISLockdown + URLScan + ISAPI
> filter)? How?
>
> thank you,
>
> Cheers
>
>
> __________________________________________________
> Fale com seus amigos  de graça com o novo Yahoo!
> Messenger http://br.messenger.yahoo.com/ 
-------------------------------------------------------------------------
> Sponsored by: Watchfire
>
> Cross-Site Scripting (XSS) is one of the most common
> application-level attacks that hackers use to sneak
> into web applications today. This whitepaper will
> discuss how traditional XSS attacks are performed,
> how to secure your site against these attacks and
> check if your site is protected. 
> Cross-Site Scripting Explained - Download this
> whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHA
>
--------------------------------------------------------------------------
>
-------------------------------------------------------------------------
> Sponsored by: Watchfire
>
> Cross-Site Scripting (XSS) is one of the most common
> application-level
> attacks that hackers use to sneak into web
> applications today. This
> whitepaper will discuss how traditional XSS attacks
> are performed, how to
> secure your site against these attacks and check if
> your site is protected.
> Cross-Site Scripting Explained - Download this
> whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHA
>
--------------------------------------------------------------------------
>


__________________________________________________
Fale com seus amigos  de graça com o novo Yahoo! Messenger 
http://br.messenger.yahoo.com/ 

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional XSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHA
--------------------------------------------------------------------------