
[WEB SECURITY] .NET and filter evasions




Every month someone emails me about
.NET filter evasions based upon my blog
post, and I have to answer vaguely. Truth
is it has been like 3 years since I worked
on the 1.1 Request.Validator and I barely
remember much of how it worked (see
the regex on my blog....it's a mess):

I saw this posted recently somewhere;
apologies if double-posted to the lists:

Michael Eddington has a nice writeup on
the .NET 2.0 request validator:

http://phed.org/2008/04/23/aspnet-20-dumbs-down-request-validation/

It's a nice short read.

I think we can all agree that Blacklists
are tough to implement correctly, unless
that's all you do. (e.g.-an IPS)

As an aside: I may have some new filter
evasions for you shortly too.

Now that I don't travel so much, you'd think
I'd research more, but alas: Age is making
pavement and motorcycles IRL much more
attractive. The shame,

-- 
Arian Evans

I spend most of my money on motorcycles, mistresses, and martinis. The rest
of it I squander.




Brought to you by http://www.webappsec.org