[Dailydave] Does .aspx Protect Against Sql Injection? Not all field right? Any way to bypass it? Cookie SQL Injections?
Danett song
danett18 at yahoo.com.br
Tue Jan 30 21:33:49 EST 2007
Hi guys,
Is there any new protection mechanism configured by default in the .NET framework (or maybe IIS6) which makes .aspx files not vulnerable to SQL Injection? If yes, is there any document that shows what it protects against? Is someone aware of evasion methods to bypass it (a document link is welcome)?
Also, I think it doesn't check/filter session values. I made a test setting the "Cookie" value with some chars like a quote (as used in SQL injection tests via URL) and I got this error from the application (showing the server is using a SQL Server):
invalid character value for cast specification
I have never tried to exploit a SQL injection in cookie values and had never seen this error before (which appears to be a cast conversion error)... any tip for me? Any document (link)?
Thank you a lot,
Regards