[WEB SECURITY] Numeric SQL injection ASP.NET

Oussama Gabi oussama.gabi at gmail.com
Mon Apr 25 11:38:22 EDT 2011


Yes, I've disabled the enableValidation; for the ViewState I added
EnableViewState=false in the dropdownList, without any result.

The server response:

Status=OK - 200
Server=ASP.NET Development Server/10.0.0.0
Date=Mon, 25 Apr 2011 16:22:39 GMT
X-AspNet-Version=2.0.50727
Cache-Control=private
Content-Type=text/html; charset=utf-8
Content-Length=1331
Connection=Close


Thank you very much


2011/4/25 Ryan Dewhurst <ryandewhurst at gmail.com>

> Are the ViewState and EventValidation being URL encoded when being sent back
> to the server?
>
> What is the HTTP response you are getting?
>


>
> Ryan Dewhurst
>
> blog www.ethicalhack3r.co.uk
> projects www.dvwa.co.uk | www.webwordcount.com
> twitter www.twitter.com/ethicalhack3r
>
>
> On Mon, Apr 25, 2011 at 1:15 PM, Oussama Gabi <oussama.gabi at gmail.com> wrote:
>
>> Hello guys,
>>
>> I am a beginner in web application security, so I started to train on
>> WebGoat. I would like to make a numeric SQL injection attack, but in ASP.NET.
>> So I created a dropdownlist that retrieves the names of cities and a
>> gridview for display!
>> The problem is that when I change the ID value with Tamper Data, nothing
>> happens. I looked a bit and I think that's a problem with ViewState, so is it
>> impossible to make this attack in ASP.NET?
>> How could I circumvent this ViewState or disable it for testing? Or any
>> hint!
>>
>> Thank you !
>>
>>
>> Best regards!
>>
>>
>