
RE: [WEB SECURITY] False Positives with .NET's Request Validation?



I have several web applications implementing salted-hash logons with the
salted-hash being computed on the client before the post-back.  The
post-back to the server of the salted-hash as a Base64 encoded string
tends to trigger request validation every so often.  I don't have good
metrics on this but it is rare.  I haven't dug yet to see what
characters or character sequence in the Base64 encoded string was
causing the trigger.

James Strassburg

-----Original Message-----
From: David Felio [mailto:david@xxxxxxx] 
Sent: Monday, July 30, 2007 2:12 PM
To: Web Security
Subject: [WEB SECURITY] False Positives with .NET's Request Validation?

After years of being in the LAMP stack, I'm now having to turn my
attention to some .NET development. One of the items I am looking at is
.NET's built-in request validation. I know there have been several
examples of how to bypass it and I have already told our developers to
not rely on it, but I am now more interested in false positives than
false negatives. Does anyone have any stats on how accurate the Request
Validation is with regard to false positives? Is having it on going to
end up being a thorn in my side, or is it tuned enough that false
positives are exceedingly rare? (I realize this last question is
dependent on the data expected. In the particular application I am
concerned about at the moment, there should be no HTML, XML, JS, etc.  
In fact, I can't think of an instance where a < or a > would be supplied
during intended use. HTML entities, however, will be
submitted.)

Thanks.

David

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
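James's reply above raises the case of a Base64-encoded salted hash tripping request validation. The following is an added example, not code from either poster: a strict allow-list check for that one field, applied before the application relies on ASP.NET's generic validation. The digest size (32 bytes, SHA-256), the class and method names, and the form field name are assumptions.

```csharp
// Added example: strict validation of a Base64-encoded salted-hash field.
// Not code from the thread; names and the 32-byte digest size are assumptions.
using System;
using System.Text.RegularExpressions;

public static class SaltedHashField
{
    // Assumed: the client computes a SHA-256 digest (32 bytes).
    private const int ExpectedHashBytes = 32;

    // Canonical Base64 length for ExpectedHashBytes: ceil(n / 3) * 4 (44 chars for 32 bytes).
    private const int ExpectedLength = (ExpectedHashBytes + 2) / 3 * 4;

    // Canonical Base64 alphabet only: no whitespace, no URL-safe variant ('-' / '_'),
    // and '=' padding only at the end. Note that '<' and '&', the characters request
    // validation keys on, are not part of this alphabet at all, so a field that passes
    // this check is already far narrower than what request validation inspects.
    private static readonly Regex Base64Shape =
        new Regex(@"\A[A-Za-z0-9+/]+={0,2}\z", RegexOptions.Compiled);

    // Returns true and the decoded digest only for a well-formed field of the exact
    // expected size; everything else is rejected outright rather than "cleaned up".
    public static bool TryParse(string field, out byte[] hash)
    {
        hash = null;
        if (string.IsNullOrEmpty(field)) return false;
        if (field.Length != ExpectedLength) return false;
        if (!Base64Shape.IsMatch(field)) return false;
        try
        {
            hash = Convert.FromBase64String(field);
        }
        catch (FormatException)
        {
            return false;
        }
        if (hash.Length != ExpectedHashBytes) { hash = null; return false; }
        return true;
    }

    // Usage from a page handler (field name "saltedHash" is assumed):
    //   byte[] digest;
    //   if (!SaltedHashField.TryParse(Request.Form["saltedHash"], out digest))
    //   {
    //       // reject the request; do not fall through to the logon check
    //   }
}
```

One practical caveat: in an application/x-www-form-urlencoded post a raw `+` in the Base64 string arrives on the server as a space unless the client percent-encodes it, and this check rejects such a field rather than silently accepting it, which is the right outcome (fix the client-side encoding).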



Brought to you by http://www.webappsec.org