Re: ASP.NET default input validation

[pagvac <unknown.pentester () gmail com>]

The following should hopefully help you:

http://www.procheckup.com/Vulner_PR0703.php

On 3/22/07, Mark K. Murdock <mark.murdock () lanternsec com> wrote:
> Has anyone identified a way to pass a "<script" string through the
> default form/cookie/query validation in ASP.NET 2.0?  I'm referring to
> the validation performed on input unless ValidateRequest="false" is
> defined in the page directive, web.config, or machine.config file.
> We've tried a variety of encodings but haven't found one yet that
> doesn't throw an HttpRequestValidationException.
>
> Thanks,
> Mark
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
>
> Watchfire was recently named the worldwide market leader in Web
> application security assessment tools by both Gartner and IDC. Download a
> free trial of AppScan today and see why more customers choose AppScan
> then any other solution.
>
> https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008fHP
> --------------------------------------------------------------------------


--
pagvac
[http://gnucitizen.org, http://ikwt.com/]

-------------------------------------------------------------------------
Sponsored by: Watchfire

It's been reported that 75% of websites are vulnerable to attack. That's 
because hackers know to exploit weaknesses in web applications. 
Traditional approaches to securing these assets no longer apply. Download 
the "Addressing Challenges in Application Security" whitepaper today, 
and see for yourself.

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHF
--------------------------------------------------------------------------