[WEB SECURITY] Overcoming IIS library

steve jensen sjensen1207 at hotmail.com
Fri Feb 23 20:16:50 EST 2007


The ValidateString method actually calls the System.Web.CrossSiteScriptingValidation class, which consists of 5 separate validation functions.
It's a pretty solid class, as it filters almost all types of XSS-related attacks. A vulnerability was logged back in Oct. 2006, but it was associated more with the encoding of the page, rather than an actual issue with the input validation.

The details of the CrossSiteScriptingValidation class and its associated functions can be found at http://www.mansiononmain.com/CrossSiteScripting_Class.txt



> Date: Thu, 22 Feb 2007 20:35:46 -0600
> From: whitehatguru at gmail.com
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Overcoming IIS library
>
> I am pen testing an IIS server that appears to use a library that
> includes this call System.Web.HttpRequest.ValidateString.
> It is catching most of my attacks. Is there a known way to get around
> that particular library?
> Server returns the page using UTF-8 and I haven't found a way to get a
> different encoding.
>
> Mike
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]