Process.Start() Command Injection
How to exploit a program that has this line:
Process.Start(user_input + "calc.exe")
It’s a .NET function and nothing has worked so far ("mal.exe &&", "mal.exe;", …)
Any ideas?
We have a web application on https port with server certificate valid from 01/01/2021 and valid to 31/12/2021. Due to some constraints the clients which are going to use web application are behind current date, while the server is on curre… Continue reading Skip date check in Server certificate in Chrome
I was browsing through the Cure53 audits and found a mention of ‘Secure key deletion ineffective (Medium)’ on pg. 3 here. The Cure53 team was saying that there’s no real way to erase sensitive data in memory using Go.
Is there a way of doi… Continue reading How to erase encryption keys from memory in C#? [migrated]
Is it worth calling Array.Clear() to clear sensitive byte arrays such as those containing encryption keys? It’s not clear whether this is worth doing since the language has a garbage collector.
Continue reading Is Array.Clear() in C# suitable for zeroing sensitive byte arrays?
Looking for some guidance on an internal discussion we’re having.
We have a .Net developer that is requesting all development systems with Visual Studio installed don’t have .Net updates installed. The reasoning is that it breaks Visual St… Continue reading Developer requests dev systems don’t have .Net patches applied
Microsoft has been distributing .NET Core Update as a standalone package or Runtime Updates until…
Continue reading .NET Core Updates to be rolled via Microsoft Update
In good news for developers who use Google Cloud Functions and .NET Core alike, Google has now…
Continue reading Google bring .NET Core 3.1 for Windows, Mac, Linux to Cloud Functions
Microsoft has announced the general availability of the .NET 5 environment. With .NET 5, Microsoft…
Continue reading Microsoft releases .NET 5 to build unified framework for all application types
I’ve seen __VIEWSTATEGENERATOR, __EVENTVALIDATION in every .NET website. Their values change, for example, at every login request. Do these fields prevent CSRF? If yes/no, why?
Continue reading Do __VIEWSTATEGENERATOR, __EVENTVALIDATION prevent CSRF? [duplicate]
SCENARIO:
I’m playing around with a .NET application. In particular I’m testing the login page.
The source code contains __VIEWSTATE, __EVENTVALIDATION, __VIEWSTATEGENERATOR.
I want to try a dictionary attack. Anyway I did a test before t… Continue reading Why Recursive Grep + Pitchfork payload doesn’t work as expected in Burp Suite?