Lost in .NET Code

Developing software in .NET, Security and other ramblings.

SQL Injection in ASP

Tuesday, November 4, 2008

http://blogs.technet.com/neilcar/archive/2008/10/31/sql-injection-hijinks.aspx

Neil Carpenter shows another example of why relying on a blacklist filter in classic ASP is a really bad idea.

This is really interesting because it shows the following:

"ASP drops a percent sign from the query string if it isn't followed by two valid hex characters (0-9, A-F) when it actually interprets it via Request.QueryString."

Neil proves this with a test page, and it shows that the earlier attacks are again being updated to get past filters. The consequence of the rule above is that a keyword blacklist which inspects the raw URL never sees SELECT or DECLARE when the attacker writes SE%LECT or DE%CLARE, because a percent sign that is not followed by two hex digits is silently gone by the time the value reaches the page. If companies have patched a fix of that kind over this type of hole, they will be facing a more complete attack soon.
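To make the behaviour concrete, here is an added example written for this post (it is not code from Neil's test page, nor Microsoft's ASP code). It models the percent-sign rule quoted above in Python, runs the same keyword blacklist once against the raw URL text and once against the value ASP would actually hand the page, and then shows the allow-list alternative of insisting the parameter is a plain integer. The decoder is an emulation of the described rule only; any further edge cases of the real parser are an assumption not covered here. The payload string is constructed for the example.

```python
import re

# Model of the classic-ASP Request.QueryString behaviour described in the
# quote: a '%' followed by two hex digits is decoded, any other '%' is
# dropped. This is an emulation written for this post, not Microsoft's code;
# behaviour beyond that one rule is an assumption.
_HEX = set("0123456789abcdefABCDEF")


def asp_querystring_decode(raw):
    """Decode %XX only when both characters are hex; drop any other '%'."""
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "%":
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in _HEX and pair[1] in _HEX:
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                i += 1          # stray percent sign silently vanishes
        elif ch == "+":
            out.append(" ")     # standard form encoding of a space
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


# A keyword blacklist of the kind the post warns against.
BLACKLIST = re.compile(r"\b(select|union|insert|declare|exec|cast)\b", re.I)


def blacklist_hits(value):
    """True if the blacklist matches the string it is handed."""
    return BLACKLIST.search(value) is not None


def filter_on_raw_url(raw):
    """Filter as many sites deployed it: inspects the raw URL text.
    Returns True if the request would be blocked."""
    return blacklist_hits(raw)


def filter_after_decoding(raw):
    """Same blacklist, applied to what ASP actually hands the page.
    Still a blacklist, so still a bad idea; it only closes this one gap."""
    return blacklist_hits(asp_querystring_decode(raw))


def parse_record_id(raw):
    """Allow-list alternative: the parameter must be a small integer.
    Anything else is rejected before it gets anywhere near a query."""
    value = asp_querystring_decode(raw).strip()
    if not re.fullmatch(r"\d{1,9}", value):
        raise ValueError("record id must be a small positive integer")
    return int(value)


# Constructed payload: each '%' sits before 'L', which is not hex, so ASP
# drops it and the keywords are intact by the time the page sees them.
PAYLOAD = "1;DE%CLARE @q varchar(8000);SE%LECT 1"

if __name__ == "__main__":
    print("raw url     :", PAYLOAD)
    print("ASP decodes :", asp_querystring_decode(PAYLOAD))
    print("raw filter  :", filter_on_raw_url(PAYLOAD))      # False, missed
    print("post-decode :", filter_after_decoding(PAYLOAD))  # True, caught
```

Note that parse_record_id("4%2") still returns 42, because the stray percent is dropped before validation; that is harmless here precisely because the allow-list only ever lets digits through, which is the point of validating the decoded value against what you expect rather than hunting for what you fear.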

http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1697

The new version of UrlScan specifically checks for this and is worth having in your toolkit, as defence in depth in front of parameterised queries rather than as the fix itself.
