From: Legato on 23 Feb 2010 00:26

When hackers infiltrate a web server they will usually try to add XSS script code to the admin ASPX pages to try to take over the administrator's machine. I was thinking: why doesn't Microsoft add a hash of the ASPX code to the assembly of the web application to prevent tampering with the ASPX page?

Legato
From: Patrice on 23 Feb 2010 05:01

Hello,

By default there is an exception if a user entered tags in a form field. See: http://msdn.microsoft.com/en-us/library/ms998274.aspx

Not sure what is the exact scenario you are talking about, but the problem is not with changing the assembly but in having a page displaying non-validated data (that happens to be a script). The page itself is not changed.

-- Patrice

"Legato" <try_it(a)domain.invalid> wrote in the discussion group message hlvotg$c2k$1(a)news.albasani.net...
> When hackers infiltrate a web server they will usually try to add XSS
> script code to the admin ASPX pages to try to take over the
> administrator's machine. I was thinking: why doesn't Microsoft add a hash
> of the ASPX code to the assembly of the web application to prevent
> tampering with the ASPX page?
>
> Legato
From: Patrice on 24 Feb 2010 04:25

Ok, the XSS attack fooled me, as I don't see why an attacker would bother with an XSS attack if he is already able to alter files stored on your server...

From a more general point of view, some companies are AFAIK doing a copy and periodically overwriting their production site in case someone would deface the site.

Another option would be to sign your assemblies: http://msdn.microsoft.com/en-us/library/ms228209.aspx

-- Patrice
From: Patrice on 24 Feb 2010 14:21

> Signing would indeed protect the assemblies but not the ASPX pages. That's
> why I suggested adding a hash of the corresponding web pages to the
> assembly.

Never tried, but ultimately an ASPX page generates source code and gets compiled into an assembly. So IMO it should work if you accept to have a precompiled site.

Try http://connect.microsoft.com/. It's likely the best place to make suggestions about the product...

-- Patrice
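The hashing idea discussed in this thread, as an added example that is not code from either poster or from Microsoft: a deploy-time baseline of SHA-256 hashes over the site's page templates, then a re-check that reports which pages were modified, added or removed. The tracked extensions, directory layout and the two sample pages are constructed assumptions for this example.

```python
import hashlib
import os
import tempfile
PAGE_EXTENSIONS = (".aspx", ".ascx", ".master")  # assumption: the templates worth tracking

def hash_file(path):
    """SHA-256 of one file, read in chunks so large pages are not loaded whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every page template under root (path relative to root, '/'-separated) to its
    hash. Taken at deploy time, this is the 'known good' manifest the thread proposes."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PAGE_EXTENSIONS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = hash_file(full)
    return baseline

def verify(root, baseline):
    """Re-hash the live site and report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario: deploy two pages, record the baseline, then simulate a tampered admin page and an extra page."""
    with tempfile.TemporaryDirectory() as root:
        admin = os.path.join(root, "Admin", "Default.aspx")
        os.makedirs(os.path.dirname(admin))
        with open(admin, "w") as f:
            f.write('<%@ Page Language="C#" %>\n<html><body>Admin</body></html>\n')
        with open(os.path.join(root, "Default.aspx"), "w") as f:
            f.write('<%@ Page Language="C#" %>\n<html><body>Home</body></html>\n')
        baseline = build_baseline(root)
        with open(admin, "a") as f:  # tampering: a script tag appended to the admin page
            f.write("<script>/* tampered */</script>\n")
        with open(os.path.join(root, "Admin", "extra.aspx"), "w") as f:  # unexpected new page
            f.write("<%@ Page %>\n")
        return verify(root, baseline)
```

The check is only as trustworthy as the place the baseline is stored: it has to sit somewhere the web server's own account cannot write, which is why the thread lands on keeping it inside the signed assembly.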