.NET is Hell (subtitle: Microsoft warning!)
-
I get an email whenever there's an error on my webapps. We recently initiated a service to do Red-Siren testing; e.g., testing for any security issues. Got an error message today. Of most interest, and danged funny at that, is the unedited, verbatim "Error Message" from Microsoft's lovely .NET Framework ... (emphasis added)

URL: https : / / www.RedactedWebSite.com /SomeWebApp/ThatLoginPage.aspx?ReturnUrl=%2fSomeWebApp%2fDefault.aspx%3faction%3dppr&action=ppr%3CScript%20%3Ealert(%22HelloSIG%22)%3C/Script%3E
Error Date: [redacted]
Error Message: A potentially dangerous Request.QueryString value was detected from the client (action="ppr<Script >alert("Hell..."

Albeit a little late (going on 7+ years of .NET programming...), thanks for the warning Microsoft!
-
> I get an email whenever there's an error on my webapps. We recently initiated a service to do Red-Siren testing; e.g., testing for any security issues. Got an error message today. Of most interest, and danged funny at that, is the unedited, verbatim "Error Message" from Microsoft's lovely .NET Framework ... (emphasis added)
>
> URL: https : / / www.RedactedWebSite.com /SomeWebApp/ThatLoginPage.aspx?ReturnUrl=%2fSomeWebApp%2fDefault.aspx%3faction%3dppr&action=ppr%3CScript%20%3Ealert(%22HelloSIG%22)%3C/Script%3E
> Error Date: [redacted]
> Error Message: A potentially dangerous Request.QueryString value was detected from the client (action="ppr<Script >alert("Hell..."
>
> Albeit a little late (going on 7+ years of .NET programming...), thanks for the warning Microsoft!

It's not .NET's fault; it's actually an XSS attack that the tool is testing for. What the tool is saying is that you should validate the input before that URL has a chance to be generated. You can cause a lot of problems for your users if you have XSS vulnerabilities; it's what virus writers use to spread the virus over the internet. You should raise this as a serious bug with the original developers.
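To make the reply above concrete, here is an added C# example (not code from the thread or from Microsoft) that takes the query string from the error report, shows what the decoded `action` value looks like, why ASP.NET's request validation objects to it, and how the value is reflected into markup with and without HTML encoding. The `ParseQuery` helper stands in for what `HttpUtility.ParseQueryString` does in ASP.NET, and `LooksDangerous` is an assumed, simplified approximation of the built-in validator's rule, not its real implementation.

```csharp
// Added example, not part of the original thread. Demonstrates the reflected
// query value, a simplified request-validation check, and output encoding.
using System;
using System.Collections.Generic;
using System.Net;

static class ReflectedParam
{
    // Parse "a=1&b=2" into a dictionary, URL-decoding keys and values.
    // Hand-written stand-in for HttpUtility.ParseQueryString (assumption).
    public static Dictionary<string, string> ParseQuery(string query)
    {
        var result = new Dictionary<string, string>();
        var pairs = query.TrimStart('?').Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (var pair in pairs)
        {
            int eq = pair.IndexOf('=');
            string key = eq < 0 ? pair : pair.Substring(0, eq);
            string val = eq < 0 ? "" : pair.Substring(eq + 1);
            result[WebUtility.UrlDecode(key)] = WebUtility.UrlDecode(val);
        }
        return result;
    }

    // Simplified approximation (assumption, not Microsoft's code) of the rule
    // behind "A potentially dangerous Request.QueryString value was detected":
    // a '<' followed by a letter, '!', '/' or '?', or an '&#' entity start.
    public static bool LooksDangerous(string value)
    {
        for (int i = 0; i + 1 < value.Length; i++)
        {
            char c = value[i], next = value[i + 1];
            if (c == '<' && (char.IsLetter(next) || next == '!' || next == '/' || next == '?'))
                return true;
            if (c == '&' && next == '#')
                return true;
        }
        return false;
    }

    // The vulnerable pattern: the raw query value is concatenated into markup,
    // so the quote and angle brackets in it become part of the page.
    public static string RenderUnsafe(string action)
        => "<input type=\"hidden\" name=\"action\" value=\"" + action + "\">";

    // The fix: HTML-encode anything taken from the request before it is
    // written into markup, regardless of whether request validation is on.
    public static string RenderSafe(string action)
        => "<input type=\"hidden\" name=\"action\" value=\"" + WebUtility.HtmlEncode(action) + "\">";

    static void Main()
    {
        // Query string copied from the thread's error report (host already redacted there).
        string query = "ReturnUrl=%2fSomeWebApp%2fDefault.aspx%3faction%3dppr"
                     + "&action=ppr%3CScript%20%3Ealert(%22HelloSIG%22)%3C/Script%3E";
        var q = ParseQuery(query);
        string action = q["action"];

        Console.WriteLine("decoded action : " + action);          // ppr<Script >alert("HelloSIG")</Script>
        Console.WriteLine("flagged        : " + LooksDangerous(action)); // True
        Console.WriteLine("unsafe markup  : " + RenderUnsafe(action));
        Console.WriteLine("encoded markup : " + RenderSafe(action));  // ppr&lt;Script &gt;alert(&quot;HelloSIG&quot;)&lt;/Script&gt;
    }
}
```

The point the reply is making: the framework's request validation is a backstop that rejects the request, but the durable fix is in `RenderSafe`, encoding every request-derived value at the point where it is written into HTML (or a URL, or JavaScript, with the encoder for that context). A page that relies only on the backstop still breaks as soon as validation is disabled for a page, and ASP.NET Core does not ship that validator at all.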
-
> I get an email whenever there's an error on my webapps. We recently initiated a service to do Red-Siren testing; e.g., testing for any security issues. Got an error message today. Of most interest, and danged funny at that, is the unedited, verbatim "Error Message" from Microsoft's lovely .NET Framework ... (emphasis added)
>
> URL: https : / / www.RedactedWebSite.com /SomeWebApp/ThatLoginPage.aspx?ReturnUrl=%2fSomeWebApp%2fDefault.aspx%3faction%3dppr&action=ppr%3CScript%20%3Ealert(%22HelloSIG%22)%3C/Script%3E
> Error Date: [redacted]
> Error Message: A potentially dangerous Request.QueryString value was detected from the client (action="ppr<Script >alert("Hell..."
>
> Albeit a little late (going on 7+ years of .NET programming...), thanks for the warning Microsoft!
-
> It's not .NET's fault; it's actually an XSS attack that the tool is testing for. What the tool is saying is that you should validate the input before that URL has a chance to be generated. You can cause a lot of problems for your users if you have XSS vulnerabilities; it's what virus writers use to spread the virus over the internet. You should raise this as a serious bug with the original developers.
-
Ziggy - if the guy can't even distinguish whether this is a .NET problem or a scripting problem - it's unlikely he/she can/will be able to protect his/her apps/enterprise he/she is working for.
dev
Agreed. However, teaching people what that error message actually means, and what he needs to do to avoid those errors, benefits all of us. XSS is possible in this site as well (example is this), so it's not a common problem that every developer knows about.
-
> Agreed. However, teaching people what that error message actually means, and what he needs to do to avoid those errors, benefits all of us. XSS is possible in this site as well (example is this), so it's not a common problem that every developer knows about.
-
Also, they actually call this type of testing Pen[etration] testing; never heard of Red-Siren testing.
-
> I get an email whenever there's an error on my webapps. We recently initiated a service to do Red-Siren testing; e.g., testing for any security issues. Got an error message today. Of most interest, and danged funny at that, is the unedited, verbatim "Error Message" from Microsoft's lovely .NET Framework ... (emphasis added)
>
> URL: https : / / www.RedactedWebSite.com /SomeWebApp/ThatLoginPage.aspx?ReturnUrl=%2fSomeWebApp%2fDefault.aspx%3faction%3dppr&action=ppr%3CScript%20%3Ealert(%22HelloSIG%22)%3C/Script%3E
> Error Date: [redacted]
> Error Message: A potentially dangerous Request.QueryString value was detected from the client (action="ppr<Script >alert("Hell..."
>
> Albeit a little late (going on 7+ years of .NET programming...), thanks for the warning Microsoft!
Why is this double-posted?
-
> Why is this double-posted?
Because I inadvertently doubled my espresso yesterday ... :-D
-
> Ziggy - if the guy can't even distinguish whether this is a .NET problem or a scripting problem - it's unlikely he/she can/will be able to protect his/her apps/enterprise he/she is working for.
> dev
People, get a clue!! It's a humor post, not of "Hey, I dunno what is happening here.". I am 100% knowing this is a scripting "error" (XSS) as such that the Pen(etration) / Red-Siren test has resulted in and not that of a ".NET error". The post is a jab at Microsoft .NET. Specifically, .NET is (like) HELL (figuratively speaking) to work in sometimes (... actually, much more than "sometimes"!!). :wtf: If some don't agree of the humor-angle, no apologies are offered for the faining upon anyone's sacred .NET altar. :wtf:
-
> Also, they actually call this type of testing Pen[etration] testing; never heard of Red-Siren testing.
Red-Siren testing is something I implemented at several Fortune 500 companies and many smaller companies. It's testing that seeks to reveal critical security issues in an OS, system, web app, application, or the occasional contract developer that picks their nose and doesn't dispose of the content upon their finger but continues typing ... all of which, when discovered, a "red-siren" type warning (akin to an actual red emergency light and siren on an emergency vehicle) is generated.
-
> People, get a clue!! It's a humor post, not of "Hey, I dunno what is happening here.". I am 100% knowing this is a scripting "error" (XSS) as such that the Pen(etration) / Red-Siren test has resulted in and not that of a ".NET error". The post is a jab at Microsoft .NET. Specifically, .NET is (like) HELL (figuratively speaking) to work in sometimes (... actually, much more than "sometimes"!!). :wtf: If some don't agree of the humor-angle, no apologies are offered for the faining upon anyone's sacred .NET altar. :wtf: