From: Jeff Bryner (jbryner1@yahoo.com)
Date: Wed Mar 24 2004 - 18:59:03 EST
--- Frank Knobbe wrote:
> However, even if ADODB and ODBC functions filter quotes, they do not
> filter <, >, and other HTML entities, causing XSS issues all over the
> place. So, saying ASP.NET does input validation seems to be a
> misleading
> statement.
ADODB doesn't but .net 1.1 does filter for CSS input. Code up a basic
page and enter <scrip in a text box and you'll trigger a
HttpRequestValidationException
Here's the closest 'white papers' I've found on the input validation:
Inside the 'new' validate:
http://weblogs.asp.net/vga/archive/2003/05/02/6329.aspx
(Interesting to note what it doesn't check: Headers and
ServerVariables)
Flaw in it from last year:
http://weblogs.asp.net/gad/archive/2003/11/12/37219.aspx
http://www.securityfocus.com/bid/8562/discussion
What's not to like about default css validation:
http://www.mostlylucid.co.uk/posts/864.aspx
How to code your own validator in .net 1.0:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/scriptingprotection.asp
=====
Jeff
-----------------------
You... you can't dump me! I'm using your name for all my passwords! What exactly am I supposed to do about that!?
- Justin Simoni
__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html
---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT