WebApp Sec mailing list archives
Re: ASP.NET default input validation
From: pagvac <unknown.pentester () gmail com>
Date: Thu, 5 Apr 2007 20:14:22 +0100
The following should hopefully help you: http://www.procheckup.com/Vulner_PR0703.php On 3/22/07, Mark K. Murdock <mark.murdock () lanternsec com> wrote:
Has anyone identified a way to pass a "<script" string through the default form/cookie/query validation in ASP.NET 2.0? I'm referring to the validation performed on input unless ValidateRequest="false" is defined in the page directive, web.config, or machine.config file. We've tried a variety of encodings but haven't found one yet that doesn't throw an HttpRequestValidationException. Thanks, Mark ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire was recently named the worldwide market leader in Web application security assessment tools by both Gartner and IDC. Download a free trial of AppScan today and see why more customers choose AppScan then any other solution. https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008fHP --------------------------------------------------------------------------
-- pagvac [http://gnucitizen.org, http://ikwt.com/] ------------------------------------------------------------------------- Sponsored by: WatchfireIt's been reported that 75% of websites are vulnerable to attack. That's because hackers know to exploit weaknesses in web applications. Traditional approaches to securing these assets no longer apply. Download the "Addressing Challenges in Application Security" whitepaper today, and see for yourself.
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHF --------------------------------------------------------------------------
Current thread:
- Re: ASP.NET default input validation pagvac (Apr 05)