Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

ASP.NET: Hacking

Posted on 2009-04-13
6
Medium Priority
?
244 Views
Last Modified: 2012-05-06
Hi,
At First I want to asure the reader of this thread that I do not have bad intentions. I am willing to learn for better protection of my programs. I read enough material on security and many threats around the net but I practically don't know how they work and I would like to know about the "field" side of the things. Can some one tell me where I can get documentation about how to make a memory overrun on an ASP.NET page for instance? How can to desable and work around Javascript? Or any other mere attack?
0
Comment
Question by:karakav
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 15

Expert Comment

by:oobayly
ID: 24130908
You shouldn't have to worry about buffer overflows as .Net is managed code. Unless of course you've got unsafe code on your website:
http://stackoverflow.com/questions/156445/is-buffer-overflowoverrun-possible-in-completely-managed-aspnet-c-web-applicati

As long as you validate all user input on the server (don't rely on client-side validation) and make sure that any client input that is written back on a page is santised there shouldn't be any major issues.
In fact as of v.2, ASP.Net will by default throw an exception if the user attempts to post data which looks like html.

Finally, if you're using a database backend, make sure you validate all inputs, and use parameters in the queries, not inlining the values in the SQL queries.
0
 
LVL 4

Author Comment

by:karakav
ID: 24131286
I had that whether you set the maximum number of characters a field cannot bypass, there is always a way to bypass that.
0
 
LVL 15

Expert Comment

by:oobayly
ID: 24131374
If you mean by specifying the maxlength attribute for a text input form element, yes it can be ignored, and you have to test the length of the value passed. However this isn't the same as a buffer overflow.
0
Build and deliver software with DevOps

A digital transformation requires faster time to market, shorter software development lifecycles, and the ability to adapt rapidly to changing customer demands. DevOps provides the solution.

 
LVL 4

Author Comment

by:karakav
ID: 24135385
What so ever may concern was about general security issues of ASP.NET  and how they can be avoided. And for that, I need to produce them so that after correctling them I can myself notice that they cannot occur anymore.
0
 
LVL 15

Accepted Solution

by:
oobayly earned 2000 total points
ID: 24141488
In that case you're going to have to look through all the vulnerabilities known, ie on Secunia and write exploits from the information given.
The problem is that unless you're a security guru, you'll encounter a lot of difficulty doing this. Basically, we (as developers) have to rely on the fact that Microsoft will release patches for vulnerabilities in their poducts. If they don't release an update we have to live with that.
Of course you can go the open source route, and audit the code yourself.

The point is that even if you do find vulnerabilities, how are you going fix them? You're talking about the IIS stack and the .Net Framework here. Not your own code.

Think about it this way, when you get on an aeroplane, you don't test it yourself to ensure it safe. You have to believe on the manufacturer and the airline assurances that it's safe. If you don't believe them, then don't fly.
0
 
LVL 4

Author Closing Comment

by:karakav
ID: 31569559
Yeah, this is a nice arguement. Thanks
0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project
This article discusses how to implement server side field validation and display customized error messages to the client.
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question