[WEB SECURITY] Numeric SQL injection ASP.NET

Ryan Dewhurst ryandewhurst at gmail.com
Mon Apr 25 10:55:17 EDT 2011


Are the ViewState and EventValidation being URL-encoded when being sent back
to the server?

What is the HTTP response you are getting?

Ryan Dewhurst

blog www.ethicalhack3r.co.uk
projects www.dvwa.co.uk | www.webwordcount.com
twitter www.twitter.com/ethicalhack3r


On Mon, Apr 25, 2011 at 1:15 PM, Oussama Gabi <oussama.gabi at gmail.com> wrote:

> Hello guys,
>
> I am a beginner in web application security, so I started to train on
> WebGoat. I would like to make a numeric SQL injection attack, but in ASP.NET.
> So I created a dropdownlist that retrieves the names of cities and a
> gridview for display!
> The problem is that when I change the ID value with Tamper Data, nothing happens.
> I looked a bit and I think that's a problem with ViewState, so is it impossible
> to make this attack in ASP.NET?
> How could I circumvent this ViewState or disable it for testing? Or any
> hint!
>
> Thank you !
>
>
> Best regards!
>
>
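Added example, not part of the original thread: a small Python check for the URL-encoding question in the reply above. It shows how a form body that carries a base64 value without percent-encoding is decoded differently from the value the page issued. The sample value and the dropdown field name `ddlCity` are constructed assumptions; `__VIEWSTATE` and `__EVENTVALIDATION` are the standard ASP.NET hidden field names.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Constructed sample value: bytes chosen so the base64 text contains '+', '/' and '='.
SAMPLE_STATE = base64.b64encode(b"\xfb\xef\xbe\xff\xfe\x01demo").decode()

# Hypothetical form: the two ASP.NET hidden fields plus an assumed dropdown name.
FIELDS = {
    "__VIEWSTATE": SAMPLE_STATE,
    "__EVENTVALIDATION": SAMPLE_STATE,
    "ddlCity": "3",
}


def raw_body(fields):
    """Join fields without percent-encoding, as a hand-edited request might."""
    return "&".join(f"{k}={v}" for k, v in fields.items())


def encoded_body(fields):
    """Build the body the way a browser does (application/x-www-form-urlencoded)."""
    return urlencode(fields)


def diagnose(body, field, issued):
    """Compare what the server would decode for `field` with the issued value."""
    received = parse_qs(body, keep_blank_values=True)[field][0]
    if received == issued:
        return "intact"
    if received.replace(" ", "+") == issued:
        return "plus-decoded-as-space"
    return "altered"


if __name__ == "__main__":
    for name, body in (("raw", raw_body(FIELDS)), ("encoded", encoded_body(FIELDS))):
        for field in ("__VIEWSTATE", "__EVENTVALIDATION"):
            print(name, field, diagnose(body, field, FIELDS[field]))
```

Running `diagnose` on a captured request body against the hidden-field values from the page source tells you whether the fields survived the round trip before you look at anything else.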