Questions tagged [asp.net]

ASP.NET is a Web application framework developed and marketed by Microsoft to allow programmers to build dynamic Web sites, Web applications and Web services. It was first released in January 2002 with version 1.0 of the .NET Framework, and is the successor to Microsoft's Active Server Pages (ASP) technology. ASP.NET is built on the Common Language Runtime (CLR), allowing programmers to write ASP.NET code using any supported .NET language. The ASP.NET SOAP extension framework allows ASP.NET components to process SOAP messages.

225 questions
9 votes • 4 answers

Worthwhile from a security standpoint to limit the database server user for an ASP.NET website to only EXECUTE on stored procedures?

I know that obviously we must avoid SQL injection attacks through user input validation and parameterized queries. There's already a firewall in place on the database server to limit remote connections to be accepted only from the web server. …
Peter Smith • 360 • 1 • 9
9 votes • 2 answers

C# Image.FromStream: is that secure?

After reading the data from the request as a Stream I needed to convert it to an Image, so I used this method: Stream inputStream = HttpContext.Current.Request.InputStream; Image img = Image.FromStream(inputStream); so while I'm unable to know what was in…
Yaniv • 191 • 1 • 2
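Handing request bytes straight to Image.FromStream means the GDI+ decoders parse attacker-controlled data with the worker process's privileges, and nothing caps how large the decoded bitmap may become. The example below is added here (it is not from the question or from any answer on this page) and shows the checks a practitioner would put around that call: a byte cap enforced before the decoder runs, validateImageData switched on, a pixel-count cap against decompression bombs, a format allow-list taken from the decoder rather than the Content-Type header, and a re-encode so only pixels are kept. The class name ImageUploadValidator and its parameters are hypothetical; the 4x4 PNG in Main is constructed in memory as sample input.

```csharp
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;

// Added example, not code from the question or any answer on this page.
// Hypothetical helper around Image.FromStream for untrusted uploads (System.Drawing / GDI+).
public static class ImageUploadValidator
{
    // Returns a freshly re-encoded copy of the image, or throws on anything suspicious.
    public static Image Load(Stream untrusted, int maxBytes, long maxPixels)
    {
        if (untrusted == null) throw new ArgumentNullException("untrusted");

        // 1. Bound the bytes BEFORE the decoder sees them. Read at most maxBytes + 1
        //    so "too big" can be told apart from "exactly at the limit".
        byte[] buf = new byte[maxBytes + 1];
        int total = 0, n;
        while (total < buf.Length && (n = untrusted.Read(buf, total, buf.Length - total)) > 0)
            total += n;
        if (total > maxBytes)
            throw new InvalidDataException("upload exceeds " + maxBytes + " bytes");

        using (var ms = new MemoryStream(buf, 0, total, false))
        using (Image decoded = Image.FromStream(ms, false, true)) // validateImageData = true
        {
            // 2. Decompression-bomb guard: a tiny file can declare enormous dimensions,
            //    and the decoded bitmap is width * height * 4 bytes in memory.
            long pixels = (long)decoded.Width * decoded.Height;
            if (pixels > maxPixels)
                throw new InvalidDataException("image too large: " + decoded.Width + "x" + decoded.Height);

            // 3. Accept only formats you intend to serve. RawFormat is what the decoder
            //    actually recognised, never the file extension or Content-Type header.
            if (!decoded.RawFormat.Equals(ImageFormat.Png) && !decoded.RawFormat.Equals(ImageFormat.Jpeg))
                throw new InvalidDataException("unsupported image format");

            // 4. Re-encode into a new bitmap: EXIF/ICC/comment chunks and trailing bytes
            //    are dropped, so what you store later is pixels, never the original file.
            return new Bitmap(decoded);
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input: a 4x4 PNG generated in memory (not a real upload).
        byte[] sample;
        using (var bmp = new Bitmap(4, 4))
        using (var ms = new MemoryStream())
        {
            bmp.Save(ms, ImageFormat.Png);
            sample = ms.ToArray();
        }

        using (Image ok = ImageUploadValidator.Load(new MemoryStream(sample), maxBytes: 1 << 20, maxPixels: 4096L * 4096))
            Console.WriteLine("accepted {0}x{1}", ok.Width, ok.Height);

        // Same bytes with a 32-byte cap (smaller than any PNG header): rejected before decoding.
        try { ImageUploadValidator.Load(new MemoryStream(sample), maxBytes: 32, maxPixels: 4096L * 4096); }
        catch (InvalidDataException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The byte cap comes first on purpose: a decoder bug is only reachable through bytes you let it read, so the less you hand it the smaller the exposure. The caps do not make the parser itself safe; for a high-value service the decode still belongs in a separate, low-privilege process.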
8 votes • 2 answers

Are a user ID and password needed in order to pentest a website?

We are a company that has many web applications developed in ASP.NET. Our Internet service provider (Telefonica) wants to test our web sites looking for vulnerabilities. For that, they are asking us to provide them credentials (read-only access) for…
Delmonte • 423 • 1 • 4 • 7
8 votes • 1 answer

How secure are the default ASP.NET membership and role providers for SQL Server?

I have a very basic idea of how these work. I've used them many times when I needed a user management system rather than writing my own. But should I use these for a production system? Would Windows user accounts actually provide more security…
Peter Smith • 360 • 1 • 9
8 votes • 3 answers

Verify a website user is behind corporate firewall?

We have a public ecommerce website hosted at our datacenter onsite. For people who are within the corporate firewall hitting the website I want to display profiling information about the request of the current page. This would include SQL so we want…
Paul Lemke • 181 • 2
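Deciding "is this visitor inside the corporate network" from a request comes down to which address you trust. The only one the server learns for itself is the TCP peer (Request.UserHostAddress); X-Forwarded-For and similar headers are written by whoever sends the request unless a reverse proxy you control strips and rewrites them. The following is an added example, not from the question or any answer on this page: a hypothetical InternalNetwork helper with a hypothetical CIDR allow-list that matches the peer address only, normalising IPv4-mapped IPv6 addresses so a dual-stack client is not missed. The addresses in Main are constructed sample input.

```csharp
using System;
using System.Net;
using System.Web;

// Added example, not code from the question or any answer on this page.
// Hypothetical helper deciding whether a request's TCP peer is a corporate address.
public static class InternalNetwork
{
    // Hypothetical allow-list of corporate ranges in CIDR form; replace with your own.
    private static readonly string[] CorporateCidrs = { "10.0.0.0/8", "192.168.50.0/24", "2001:db8:cafe::/48" };

    public static bool IsCorporateAddress(IPAddress addr)
    {
        if (addr == null) return false;
        // A v4 client on a dual-stack listener can show up as ::ffff:10.1.2.3; normalise it.
        if (addr.IsIPv4MappedToIPv6) addr = addr.MapToIPv4();

        foreach (string cidr in CorporateCidrs)
            if (InCidr(addr, cidr)) return true;
        return false;
    }

    // Uses the socket peer only. If a load balancer or reverse proxy terminates the
    // connection, the peer is the proxy: then configure the proxy to overwrite
    // X-Forwarded-For and trust only that header, only from the proxy's address.
    public static bool IsFromCorporateNetwork(HttpRequestBase request)
    {
        IPAddress peer;
        return IPAddress.TryParse(request.UserHostAddress, out peer) && IsCorporateAddress(peer);
    }

    // Prefix match of addr against "network/prefixLength"; families must agree.
    private static bool InCidr(IPAddress addr, string cidr)
    {
        string[] parts = cidr.Split('/');
        IPAddress net = IPAddress.Parse(parts[0]);
        int prefix = int.Parse(parts[1]);
        if (net.AddressFamily != addr.AddressFamily) return false;

        byte[] a = addr.GetAddressBytes(), n = net.GetAddressBytes();
        for (int i = 0; i < a.Length && prefix > 0; i++, prefix -= 8)
        {
            int bits = Math.Min(8, prefix);
            int mask = (0xFF << (8 - bits)) & 0xFF;   // top `bits` bits of this octet
            if ((a[i] & mask) != (n[i] & mask)) return false;
        }
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample peers: two inside the hypothetical ranges, one public, one v4-mapped.
        foreach (string s in new[] { "10.20.30.40", "203.0.113.9", "::ffff:192.168.50.7", "2001:db8:cafe:1::10" })
            Console.WriteLine("{0,-22} corporate={1}", s, InternalNetwork.IsCorporateAddress(IPAddress.Parse(s)));
    }
}
```

Two caveats for this particular use. Corporate users reaching a public site usually leave through a NAT or proxy, so the address to allow-list is that egress address, not the desks behind it. And because the data being exposed is the page's SQL, treat the network check as a hint layered on top of an authenticated developer role, not as the only gate: anyone who can reach the site from that egress (a guest on the office Wi-Fi, a compromised workstation) would otherwise see it.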
8 votes • 1 answer

ASP.NET HTTP Response Splitting Attack

By default ASP.NET checks for an HTTP Response Splitting attack when you do…
7 votes • 3 answers

How to encrypt all existing customer passwords

I work for an online shop and since I worked here we have stored customer passwords in plaintext. I joined the company as a data inputter and when I discovered that we did this I flagged it up with management but they didn't seem interested or…
Mike • 87 • 3
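The migration the question describes is done with a slow, salted password hash rather than encryption: the shop never needs the plaintext back, only the ability to check a login attempt, and a hash cannot be reversed with a stolen key the way an encrypted column can. The example below is added here and is not from the question or any answer on this page. It uses PBKDF2 via Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1 in .NET Framework), stores the iteration count and salt alongside the hash so both can be rotated later, and compares in fixed time. PasswordHasher and MigrationDemo are hypothetical names; the two customer rows in Main are constructed sample data standing in for the plaintext column.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not code from the question or any answer on this page.
// Hypothetical PBKDF2 password hasher for a one-off migration from plaintext.
public static class PasswordHasher
{
    private const int SaltBytes = 16, HashBytes = 32, Iterations = 100000;

    // Stored form: "pbkdf2$iterations$base64salt$base64hash", so the parameters travel with the hash
    // and the iteration count can be raised for new hashes without breaking old ones.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        byte[] dk = Derive(password, salt, Iterations);
        return string.Format("pbkdf2${0}${1}${2}", Iterations, Convert.ToBase64String(salt), Convert.ToBase64String(dk));
    }

    public static bool Verify(string password, string stored)
    {
        string[] p = stored.Split('$');
        if (p.Length != 4 || p[0] != "pbkdf2") return false;
        int iterations = int.Parse(p[1]);
        byte[] salt = Convert.FromBase64String(p[2]);
        byte[] expected = Convert.FromBase64String(p[3]);
        byte[] actual = Derive(password, salt, iterations);
        return FixedTimeEquals(expected, actual);
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Touch every byte so a mismatch in byte 0 costs the same as one in byte 31.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class MigrationDemo
{
    public static void Main()
    {
        // Constructed stand-in for the customers table: id -> plaintext password.
        var plaintextColumn = new Dictionary<int, string> { { 1, "hunter2" }, { 2, "P@ssw0rd!" } };
        var hashedColumn = new Dictionary<int, string>();

        // One-off migration: hash every plaintext into a new column. In the real database this
        // runs inside one transaction, the login code switches to Verify(), and only then is the
        // plaintext column dropped (and purged from backups and logs that captured it).
        foreach (var row in plaintextColumn)
            hashedColumn[row.Key] = PasswordHasher.Hash(row.Value);

        Console.WriteLine(PasswordHasher.Verify("hunter2", hashedColumn[1]));
        Console.WriteLine(PasswordHasher.Verify("wrong-password", hashedColumn[1]));
        Console.WriteLine(hashedColumn[1]);
    }
}
```

Because the plaintext was already exposed to everyone who could read the table, hashing is only the first step; a forced reset or at least a reset recommendation for affected customers is the part that closes the window.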
7 votes • 1 answer

How should I mitigate the XSS vulnerabilities in KnockoutJS described at mustache-security?

The site Mustache-Security describes XSS vulnerabilities in KnockoutJS... The vulnerabilities come from the use of eval (or some equivalent) to convert text in the data-bind attribute to executable script. Most of the examples show attacks where…
scott stone • 173 • 1 • 4
7 votes • 1 answer

Web Applications terminate strings on null-byte

I have just been doing some penetration testing on a site, and I have noticed (and I have noticed before but now seems like a good point to bring it up) that putting a null byte in the search string actually terminates the string there. That is fine…
DarkMantis • 746 • 1 • 7 • 19
7 votes • 2 answers

ASP.NET vulnerability CVE-2008-5100 (assembly signing bypass): is there a fix?

The short version of this question is: Is there a fix or mitigation for the ASP.NET vulnerability CVE-2008-5100, which allows attackers to bypass assembly digital signature checking? I'll give some background. I apologize in advance for the…
Mark R • 173 • 1 • 1 • 5
6 votes • 1 answer

Does encrypting a setting in web.config actually provide security?

Does encrypting a value in the web.config file actually provide any real protection? It seems to me that any web app can read that setting. Yes that's more work than just reading the web.config file, but it's not a big difference if you have control…
David Thielen • 383 • 1 • 4 • 13
6 votes • 1 answer

ASP.NET Web API and potential XSS

I'm wondering if my ASP.NET Web API had an XSS vulnerability as my controller didn't have a method to handle the default GET call. Without the GET method being handled in the code a call to /api/mycontroller/? would…
Boggin • 205 • 1 • 3 • 6
6 votes • 4 answers

How to stop other websites from sending cross domain AJAX requests?

From two different applications, I was able to send cross-origin requests. Though the browser returns a "cross origin" error my server is still receiving and executing the request. For example, from a remote site I can invoke cross domain request…
user960567 • 2,461 • 4 • 16 • 16
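What the question observes is the same-origin policy working as designed: the browser withholds the response from the calling page, but the request has already been sent and the server has already acted on it. A server that must not act on requests from other sites therefore needs its own proof of origin. The example below is added here (it is not from the question or any answer on this page) and shows that in ASP.NET MVC (System.Web.Mvc): a hypothetical SameOriginOnlyAttribute that rejects state-changing requests whose Origin header (or, for older browsers, Referer) is not this site's own authority, applied on a hypothetical TransferController next to the framework's own ValidateAntiForgeryToken. The token is the real CSRF defence; the Origin check is a cheap first line that also stops non-browser callers that forget to spoof it.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Added example, not code from the question or any answer on this page.
// Hypothetical filter: refuse non-safe requests that do not come from our own origin.
public sealed class SameOriginOnlyAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        // Safe methods pass: they must not change state, so a cross-site GET is harmless here.
        string method = request.HttpMethod;
        if (method == "GET" || method == "HEAD" || method == "OPTIONS")
            return;

        // Our own scheme + host + port, e.g. https://shop.example:443 -> "https://shop.example"
        string expected = request.Url.GetLeftPart(UriPartial.Authority);

        // Modern browsers send Origin on cross-site POSTs (and on all XHR/fetch requests);
        // fall back to the Referer's authority for browsers that do not.
        string source = request.Headers["Origin"];
        if (source == null && request.UrlReferrer != null)
            source = request.UrlReferrer.GetLeftPart(UriPartial.Authority);

        // No Origin and no Referer is unusual for a browser form post. Rejecting is the
        // conservative choice; relax it only for non-browser clients you authenticate otherwise.
        if (source == null || !string.Equals(source, expected, StringComparison.OrdinalIgnoreCase))
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden,
                "Cross-origin request rejected");
        }
    }
}

public class TransferController : Controller
{
    // The anti-forgery token is emitted into the form by @Html.AntiForgeryToken() and is
    // tied to a cookie, so a page on another origin cannot obtain a valid pair.
    [HttpPost]
    [SameOriginOnly]
    [ValidateAntiForgeryToken]
    public ActionResult Execute(string toAccount, decimal amount)
    {
        // ... perform the transfer for the authenticated user ...
        return Json(new { ok = true });
    }
}
```

Two points worth checking in your own setup: the filter is only meaningful if the application does not also answer with Access-Control-Allow-Origin: * (which would let other origins read responses as well as send requests), and a request with Origin: null (file:// pages, sandboxed iframes, some redirects) is rejected by the comparison above, which is the behaviour you want for a state-changing endpoint.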
6 votes • 1 answer

Pen Testing ASP.NET application with Backtrack

We have developed an ASP.NET-based enterprise application which is soon to be released. Now, we are concerned about the security aspects of the application. I've been looking into Backtrack 5 and visited a lot of websites about pen testing too…
N.p Subedi • 161 • 1 • 4
6 votes • 1 answer

Secure query string parameters

I have an application which uses the ThickBox jQuery component to open a popup page. And I pass my parameters in the query string like this: