Collaborate Disseminate
I’m manually testing a web application. When I read __VIEWSTATE fields they seem to be encoded in base64. I tried to decode them using
http://viewstatedecoder.azurewebsites.net/
anyway this message appears
32 byte(s) left over, perhaps an… Continue reading How to correctly decode __VIEWSTATE if is unencrypted?
I found this version of ASP .NET in the header Server as a response from a web server. How can I verify if this version has still an active support or it is ended? On the microsoft website I can’t find official info on this specific versio… Continue reading ASP .NET 2.0.50727 in the server response header. How to be sure is EOL?
We have to protect a database connection string for a .NET desktop application that has an application-level database user. One option is to encrypt a section of the app.config using asp_regiis. But then every user of the application needs… Continue reading An intranet web app for decrypting values : a bad idea, and if so, why?
A campaign discovered by Malwarebytes Labs in mid-April has lifted credentials from a number of e-commerce portals. Continue reading Credit-Card Skimmer Has Unlikely Target: Microsoft ASP.NET Sites
A scan with Burp Suite has reported a possible vulnerability on all the pages of my application, which is based on ASP.NET 4.7 WebForms.
the issue is: The application may be vulnerable to DOM-based open redirection. Data is read from docu… Continue reading Open redirection (DOM-based) on ASP.NET 4.7 Web Forms
I’m trying to find a list to help find out if particular ASP.NET version has known vulnerabilities by version-build number. Googling doesn’t help. Is there a list by Microsoft that can help me, containing all existing build numbers (like “… Continue reading How to determine if particular .NET/ASP.NET build has known vulnerabilities?
Customer is running Qualys Web Application Scan and the WAS Scan Report reported:
150004 Path-Based Vulnerability
on URL: https://www.example.com/mywebapp/Content/datepicker/images/ui-icons_444444_256x240.png
I have verified that Direct… Continue reading Qualys WAS raises "150004 Path-Based Vulnerability" on an image file
The cybercriminals are using a deserialization vulnerability, CVE-2019-18935, to achieve remote code execution before moving laterally through the enterprise. Continue reading Blue Mockingbird Monero-Mining Campaign Exploits Web Apps
I’m trying to understand something I came accross when looking through documentation for HttpRuntimeSection.RequestValidationMode property.
In ASP.NET 4.0 and later, to disable the built in request validation two things have to happen:
… Continue reading Breaking request validation where requestValidationMode property is set to 2.0
I have obtained a ASP.NET shell on a Windows Server and I need to execute some PHP scripts on the server. PHP env is not installed on the server and neither I have access to RDP.
Is there some workaround?
Continue reading Execute/Install PHP on a Shelled Windows Server? [closed]