Even though ASP.Net will handle encoding of new items, it does not mean that values in a DropDownList may be safely inserted directly into other page elements such as a Label control. When the value is read from the DropDownList it will be automatically HTML-decoded by ASP.Net and lose the previously provided protections. The different behavior between controls opens the door for vulnerabilities and the possibility that developers will misunderstand the encoding rules for specific controls.
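The following ASP.Net Web Forms code-behind is an added illustration, not code from the book: it shows the encoding boundary described above, with a value that a DropDownList renders safely but that becomes dangerous once copied into a Label, and the encoded alternatives beside it. The control IDs, the event handler name and the sample value are assumptions made for the example.

```csharp
// Added example (not from the original text). Assumed markup on the .aspx page:
//   <asp:DropDownList ID="ddlItems" runat="server" AutoPostBack="true"
//        OnSelectedIndexChanged="ddlItems_SelectedIndexChanged" />
//   <asp:Label   ID="lblUnsafe" runat="server" />
//   <asp:Label   ID="lblSafe"   runat="server" />
//   <asp:Literal ID="litSafe"   runat="server" Mode="Encode" />
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class EncodingDemo : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Constructed sample value containing markup, standing in for data
            // that came from a database or another untrusted source.
            string untrusted = "<b>item</b>";

            // DropDownList HTML-encodes the item text and value when it renders,
            // so the <option> element is emitted without live markup.
            ddlItems.Items.Add(new ListItem(untrusted, untrusted));
        }
    }

    protected void ddlItems_SelectedIndexChanged(object sender, EventArgs e)
    {
        // On postback the selection comes back decoded: SelectedValue holds the
        // raw "<b>item</b>" string again. The protection applied at render time
        // does not travel with the value.
        string selected = ddlItems.SelectedValue;

        // VULNERABLE: Label.Text does not encode, so the markup is written into
        // the response verbatim and the browser interprets it.
        lblUnsafe.Text = selected;

        // FIXED: encode at the point of output, regardless of where the value
        // was encoded earlier in its life.
        lblSafe.Text = HttpUtility.HtmlEncode(selected);

        // ALTERNATIVE: a Literal control in Encode mode encodes its Text itself,
        // so the raw value can be assigned directly.
        litSafe.Text = selected;
    }
}
```

Note that ASP.Net request validation, which is on by default, rejects posted form values that look like markup, so in a stock configuration this particular postback would fail before the handler runs; that is a separate safety net, and the rule the example demonstrates still applies: a control that encodes on input does not make the value safe for a control that does not encode on output.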
Recently Microsoft has updated much of the MSDN Web Controls' documentation (http://msdn2.microsoft.com/en-US/library/aa984118(VS.71).aspx) to indicate which controls do or do not encode assigned data. To attack ASP.Net applications, a thorough read of the MSDN article will be useful to learn which controls have problems. Since many popular Web Controls come standard with ASP.Net, they are often recognizable. If an attacker is familiar with the common controls and their faults, it will be easy to develop a standard arsenal of attacks to use against each one. A good attacker often reads through the documentation one page beyond where the application's developer stopped reading.