[WEB SECURITY] .NET and filter evasions

Arian J. Evans arian.evans at anachronic.com
Mon Apr 28 21:28:55 EDT 2008


Every month someone emails me about
.NET filter evasions based upon my blog
post, and I have to answer vaguely. Truth
is it has been like 3 years since I worked
on the 1.1 Request.Validator and I barely
remember much of how it worked (see
the regex on my blog....it's a mess):

I saw this posted recently somewhere;
apology if double-posted to the lists:

Michael Eddington has a nice writeup on
the .NET 2.0 request validator:

http://phed.org/2008/04/23/aspnet-20-dumbs-down-request-validation/

It's a nice short read.

I think we can all agree that Blacklists
are tough to implement correctly, unless
that's all you do (e.g., an IPS).

As an aside: I may have some new filter
evasions for you shortly too.

Now that I don't travel so much, you'd think
I'd research more, but alas: Age is making
pavement and motorcycles IRL much more
attractive. The shame,

-- 
Arian Evans

I spend most of my money on motorcycles, mistresses, and martinis. The rest
of it I squander.