Documentos de Académico
Documentos de Profesional
Documentos de Cultura
ASP.Net
Hashem(S)
WWW.DEVX.COM
Hashem(S)
(Applitaction)ASP.NET
ASP.NET
XSSScriptASP
ScriptXSS
Script
XSS
User Name
Script
Script
Click Script
Script
Cookie
ASP.NET V1.1
Script
ASP.NET V1.1
Script
Hashem(S)
Script
script!
<Script> ScriptNULL
<%00script> alert (HELLO THERE); </script>
HTML ENCODE()
HTML ENCODE
SQL LNJECTION:
SQL
SQL
UsernameLogin
Function
Hashem(S)
While reader.Read()
Response.Write("Hello " & reader("UserName"))
End While
End Sub
SQL
Username
SQL
SQL Union
Username
Click
SQLUnion
xyz' union select @@servername, @@servicename,
@@version
SQL
SQLCommandParameters
ADO.NET
Login
Substitution
SQL Server SQL
Login
Hashem(S)
check box
(Hahsing)
Hashing
Hashig
Hash
Hash
Login
HashHash
SHA1hash
Public Function ComputeHashValue(ByVal data() As Byte) As Byte()
Dim hashAlg As SHA1 = SHA1.Create
Dim hashvalue() As Byte = hashAlg.ComputeHash(data)
Return hashvalue
End Function
Hash
ASP.NET
Web.config
Hard-code
Web.config
XML Document Web.config
Web.config
ASymmetric Symmetric
Hashem(S)
-
-
Rijndael
RSA
XML
1 2 3 4 5 6
{1,2,3,4,5,6}
(Private Key) (Public Key)
===========For Asymmetric use=============
========== Asymmetric Encryption===========
(IV)
===========Symmetric=============
Hashem(S)
credit card
Login
User ,Impersonate
<identity impersonate=true
username=someuser
password=tosecret
/>
Web.configUsername
Username
Web.config
UsernameASPNET_SETREG.exe
aspnet_setreg.exe
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q 329290
secretUsernameASPNETUSER
Web.config <appSetting>
<configuration>
<appSettings>
<add key="Distributor" value="workstation id=F16;packet size=4096;integrated
security=SSPI;data
source=F16;persist security info=True;initial catalog=Distributor" />
</appSettings>
Web.config,
Usernameaspnet_setreg.exe
ASP.NI
C:\>aspnet_setreg -k:Software\ASPNetApp\Identity -u:ASPNETUSER -p:secret
Hashem(S)
The DACL on the registry key grants Full Control to System, Administrators, and Creator Owner.
If you have encrypted credentials for the <identity/> configuration section, or a connection string
fo
<sessionState/> configuration section, ensure that the process identity has Read access to the
registry key. Furthermore, if you have configured IIS to access content on a UNC share, the
account u
access the share will need Read access to the registry key.
Regedt32.exe may be used to view/modify registry key permissions.
You may rename the registry subkey and registry value in order to prevent discovery.
Machine.config
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG
Machine.configidentity!
<identity impersonate="true"
userName="registry:HKLM\Software\ASPNetApp\Identity\ASPNET_SETREG,userName"
password="registry:HKLM\Software\ASPNetApp\Identity\ASPNET_SETREG,password"
/>
Web.configMachine.config
Registery Editor
HKEY_LOCAL_MACHINE/SOFTWARE/ASPNetApp/Identity/ASPNET_SETREG
Regedt32
Permission ASPNET_SETREG
ASPNET
Registery Editor
C:\WINDOWS\Microsoft.NET\Framework\
v1.1.4322.
ASPNETUSER
Read permission
PermissionASPNET
Hashem(S)
Deploy
Housekeeping
ASP.Net(tracing)
Web.config<trace>
tracingDeploy
Web.cofig debug
=on
ASP.Net off
RemoteOnly
deployment severProject Solution
IIS DLLISAPI
IISISAPI
WebBrowser
Cooki-less SessionSession
Session Session
,Session IDASP.Net Session
Session
Session ID
tempingCookie-less Session ASP.Net
URLCookie-less Session
Cookie-less Session
XML.NET