HellBound Hackers | Computer General | Increasing Security

Forbid JS-Injections in ASP.NET

Dunuin
Member

Posts: 10
Location:
Joined: 24.01.09
Rank:
God
Posted on 26-09-09 15:47
I found a site which uses ASP.NET, and some users use JS injections to steal data from other users, and the admins didn't fix the problem for a month.

So my idea was to mail them a function which fixes the security hole, but I'm not familiar with ASP.NET.

What is the best way to increase the security and forbid JS injections?
"<script></script>", "<script type="text/javascript"></script>" and "<script type="text/javascript" src="somesite/cookiestealer,js"></script>" are not filtered.

Edit:
I didn't test it, but I think iframes are also not filtered like other HTML tags.

Edited by Dunuin on 26-09-09 15:53
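None of the replies show the application-side fix, so here is an added example (my own code, not from the thread or from the site in question) of what a corrected ASP.NET page should do: HTML-encode every user-controlled value for the context it is written into, so the injected tags quoted above are displayed as text instead of executed. It assumes a reference to System.Web for HttpUtility; the SafeRender class and ProfileRow helper are illustrative names, not a real library API.

```csharp
// Added example, not from the thread: context-aware output encoding in ASP.NET.
// Assumes System.Web is referenced (HttpUtility lives there; Server.HtmlEncode
// in a page's code-behind calls the same encoder).
using System;
using System.Web;

public static class SafeRender
{
    // Untrusted text placed between tags: HTML-encode it, so that "<script>"
    // reaches the browser as "&lt;script&gt;" and is rendered, not run.
    public static string TextNode(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    // Untrusted text placed inside a double-quoted attribute value: quotes,
    // ampersands and "<" are encoded so the value cannot break out of the
    // attribute and start a new tag.
    public static string Attribute(string untrusted)
    {
        return HttpUtility.HtmlAttributeEncode(untrusted ?? string.Empty);
    }

    // Markup for one displayed profile field. Each dynamic value goes through
    // the encoder that matches where it lands (attribute vs. element content).
    public static string ProfileRow(string label, string value)
    {
        return "<tr><td title=\"" + Attribute(label) + "\">"
             + TextNode(label) + "</td><td>" + TextNode(value) + "</td></tr>";
    }

    public static void Main()
    {
        // Constructed sample input of the kind the thread says is not filtered.
        string injected =
            "<script type=\"text/javascript\" src=\"somesite/cookiestealer.js\"></script>";
        Console.WriteLine(ProfileRow("About me", injected));
        // Output contains &lt;script ...&gt; : the browser shows the tag as text
        // and never requests cookiestealer.js.
    }
}
```

Encoding on output is the fix that holds regardless of how the value got into the database; ASP.NET's built-in request validation (the ValidateRequest page setting) only rejects some inputs on the way in and should be treated as a backstop, not the control.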

RE: Forbid JS-Injections in ASP.NET

f16e7
Banned

Posts: 89
Location:
Joined: 21.09.09
Rank:
Apprentice
Warn Level: 100
Posted on 26-09-09 23:44
The easiest solution for corporate-driven sites is deploying a WAF and/or IDS. I encourage you to mail the company you found to be vulnerable and explain, in layman's terms, that their website might pose a possible security threat to them.

RE: Forbid JS-Injections in ASP.NET

only_samurai
[IRC Rockstar]

Posts: 984
Location: idling in some random irc channel
Joined: 18.08.06
Rank:
.|unranked|.
Posted on 27-11-09 20:45
WAFs are a great way to help mitigate risk inherent in applications. For IIS (as they are running ASP) you can use an ISAPI filter called WebKnight. For those of you familiar with URLScan, WebKnight has all the functionality provided in URLScan plus quite a few additional features. Tuning it is pretty simple; it comes with an .exe to build the XML configuration, and most of it is check-boxes.

It's important to note though, that while WAFs are good to have as part of an overall security posture, they do not replace penetration tests and code reviews.
The problem with a fool-proof system, is eliminating the fool.

"His name is Cereal Killer...Like Fruitloops."
If you cut me, I bleed binary.

http://blog.psych0tik.net/
© HellBound Hackers 2008-2009. Since 3rd December 2004.