HellBound Hackers | Computer General | Increasing Security

Forbid JS-Injections in ASP.NET

Dunuin (Member, Posts: 10, Joined: 24.01.09)
Posted on 26-09-09 15:47
I found a site which uses ASP.NET, and some users use JS-injections to steal data from other users, and the admins haven't fixed the problem for a month.

So my idea was to mail them a function which fixes the security hole, but I'm not familiar with ASP.NET.

What is the best way to increase the security and forbid JS-injections?
"<script></script>", "<script type="text/javascript"></script>" and "<script type="text/javascript" src="somesite/cookiestealer.js"></script>" are not filtered.

Edit:
I didn't test it, but I think iframes are also not filtered, like other HTML tags.



Edited by Dunuin on 26-09-09 15:53
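Added example (not from the thread, and not code from the site being discussed): the question asks for a "function which forbids JS-injections", and the natural first attempt is a blacklist that strips <script> tags. The program below runs the three payloads from the post, plus three constructed ones, through such a blacklist and through HTML output encoding, to show why only the encoder is a fix. It is a plain console program; System.Net.WebUtility.HtmlEncode is the same encoder an ASP.NET page reaches through HttpUtility.HtmlEncode or Server.HtmlEncode (the Microsoft AntiXSS library offers a stricter whitelist encoder). The profile-page scenario, the "somesite" hostnames and the helper names are assumptions made for the example.

```csharp
// Added example, not from the thread: blacklist filtering vs. output encoding
// for stored XSS in an ASP.NET-style page that echoes a user-supplied field.
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class XssDemo
{
    // Constructed sample inputs: the three payloads quoted in the post,
    // followed by three that a <script>-only blacklist does not catch.
    public static readonly string[] Payloads =
    {
        "<script></script>",
        "<script type=\"text/javascript\"></script>",
        "<script type=\"text/javascript\" src=\"somesite/cookiestealer.js\"></script>",
        "<iframe src=\"http://somesite/\"></iframe>",       // assumed hostile iframe
        "<img src=x onerror=\"alert(document.cookie)\">",   // event handler, no <script> at all
        "<scr<script>ipt>alert(1)</script>",                // re-forms a <script> tag after one strip pass
    };

    // The blacklist "fix": delete <script> and </script> tags. Included only
    // to show that it is insufficient; do not ship this.
    private static readonly Regex ScriptTag =
        new Regex(@"</?script[^>]*>", RegexOptions.IgnoreCase);

    public static string BlacklistFilter(string untrusted) =>
        ScriptTag.Replace(untrusted, "");

    // The correct approach: keep the stored text as-is and HTML-encode it at
    // the point where it is written into an element body. In a Web Forms page
    // this is Server.HtmlEncode(...) around every untrusted value you emit.
    public static string RenderProfileLine(string displayName, string untrustedBio)
    {
        return "<p><b>" + WebUtility.HtmlEncode(displayName) + "</b>: "
             + WebUtility.HtmlEncode(untrustedBio) + "</p>";
    }

    // Crude detector used only by this demo: does the rendered HTML still
    // contain a script/iframe element or a tag carrying an on* event handler?
    // Encoded output contains no '<' at all, so it can never match.
    public static bool StillExecutable(string html) =>
        Regex.IsMatch(html, @"<(script|iframe)\b|<\w+[^>]*\son\w+\s*=",
                      RegexOptions.IgnoreCase);

    public static void Main()
    {
        foreach (var p in Payloads)
        {
            string filtered = BlacklistFilter(p);
            string encoded  = RenderProfileLine("user", p);
            Console.WriteLine("input:    " + p);
            Console.WriteLine("filtered: " + filtered + "  -> executable? " + StillExecutable(filtered));
            Console.WriteLine("encoded:  " + encoded  + "  -> executable? " + StillExecutable(encoded));
            Console.WriteLine();
        }
    }
}
```

Running it shows the blacklist leaving the iframe, the onerror handler and the split "<scr<script>ipt>" payload executable, while every encoded line renders as inert text. Two further points a practitioner would check on such a site: ASP.NET's request validation, which is on by default and rejects a raw "<script" in a form field, has evidently been switched off (validateRequest="false" in the page directive or the pages element of web.config), and a cookie-stealer is blunted by marking session cookies HttpOnly (httpOnlyCookies="true" on the httpCookies element in web.config), which is not a substitute for the encoding above.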
RE: Forbid JS-Injections in ASP.NET

Member
Posted on 26-09-09 16:08
Just don't do it; it's not worth it. They might fix it over time, and if not, it's still not your business to make a creepy script which might mess up their entire site.


RE: Forbid JS-Injections in ASP.NET

Member
Posted on 26-09-09 23:44
The easiest solution for corporate-driven sites is deploying a WAF and/or IDS. I encourage you to mail the company you found to be vulnerable and explain, in layman's terms, that their website might pose a possible security threat to them.
RE: Forbid JS-Injections in ASP.NET

Member
Posted on 27-11-09 20:45
WAFs are a great way to help mitigate the risk inherent in applications. For IIS (as they are running ASP) you can use an ISAPI filter called WebKnight. For those of you familiar with URLScan, WebKnight has all the functionality provided in URLScan plus quite a few additional features. Tuning it is pretty simple: it comes with an .exe to build the XML configuration, and most of it is check-boxes.

It's important to note, though, that while WAFs are good to have as part of an overall security posture, they do not replace penetration tests and code reviews.