From: Joel Friedman (jfriedman@datapipe.com)
Date: Wed Mar 24 2004 - 20:53:20 EST
Here is an excerpted copy of an email correspondence I had with Dinis
Cruz,
.Net Security Consultant
Thank you for interest in our Asp.Net security Research. I have compiled
most of our Asp.Net content (including the security guides) in an
unpublished paper called "Undocumented Asp.Net Security" (110 pages):
...
* You can download it from here:
http://www.ddplus.net/projects/Undocumented_ASP.NET_Security_V0.91.zip
Because you need to ensure the security and resilience of your web
servers, I would call your attention to the Asp.Net Security Analyzer
(ANSA) web application, created and developed by us.
ANSA has been donated to the OWASP (Open Web Application Security
Project), and we are now active members on their DotNet developed
efforts.
* Main OWASP DotNet page: http://www.owasp.org/dotnet
...
Joel Friedman, CISSP
-----Original Message-----
From: Lachniet, Mark [mailto:mlachniet@sequoianet.com]
Sent: Wednesday, March 24, 2004 2:48 PM
To: pen-test@securityfocus.com
Subject: Pen-tester's analysis of .NET security?
Is anyone aware of a whitepaper or analysis of the security features
(and weaknesses?) of Microsoft's .NET platform for web applications? A
number of interesting features, such as input validation and session
tracking, are built into .NET, and I'd be interested to hear if anyone
has kicked it around much.
Please note, I am *not* interested in references to Microsoft
documentation, developer web sites, or conventional information sources,
but rather information from the viewpoint of a pen-tester doing web
application security analysis work.
Thank you in advance,
Mark Lachniet
------------------------------------------------------------------------
--- You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. www.coresecurity.com/promos/sf_ept1 ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. www.coresecurity.com/promos/sf_ept1 ----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT