For an XPath injection framework, see the information about the SecurityQA
Toolbar in Chapter 1.
120 Hacking Exposed Web 2.0
Escape Data Before Insertion into XPath Queries
To prevent XPath attacks in .Net, you must know whether the XPath statement is using
single or double quotes as the string delimiter. If an escaping mismatch occurs, there is a
strong potential for security issues to arise. Keep this detail in mind when developing
.Net applications that use XPath as a data access method.
Microsoft has aggressively pushed XML as a technology and it is used heavily
throughout the .Net Framework. Hence, when reviewing .Net applications, you are
likely to encounter XML handling vulnerabilities. The developer advantages of the .Net
Framework can easily be turned into advantages for a dedicated adversary.
SQL Injection
SQL injection vulnerabilities involving .Net are a very real danger of which developers
are sometimes unaware. Many developers believe that using managed code will prevent
SQL injection vulnerabilities. This belief is false. As with the majority of data access libraries,
the .Net Framework does provide functionality that developers can use to mitigate
vulnerabilities.
Pages:
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236