Differences in pen testing aspx to php apps


ethicalhack3r

Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Wed Jun 17, 2009 8:35 am

Differences in pen testing aspx to php apps

Hello,
I have done all of my pen testing in the past on PHP web apps. I was wondering what differences there are between pen testing a PHP app to an ASPX one.

Thanks in advance,
Ryan

timmedin


Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Tue Jun 23, 2009 8:22 am

Re: Differences in pen testing aspx to php apps

I would say not a ton of difference, but you do get some good info if you know it is PHP vs ASPX. The dotNET framework has built-in XSS protection, and the flaws in each version can be found online. This will greatly help you in your attack.

Knowing which it is running can help speed up the test since you can make some assumptions about the underlying OS and RDBMS. Don't forget these are assumptions and should be treated as such. A big problem I have seen is people following assumptions as if they are truth.

If it is running dotNET code you know it is Windows, and there is a much higher probability of the underlying database being MSSQL. If the server is running PHP, the server is most likely a flavor of Linux and more likely to have an open source RDBMS backend such as MySQL or Postgres. These are useful for exploiting a SQL injection vulnerability or accessing local resources if you find a local file include vulnerability.
twitter.com/timmedin | http://blog.securitywhole.com
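Added example (written for this thread, not code from either poster): a small script that reads the kind of response metadata the reply above relies on (Server / X-Powered-By / X-AspNet-Version headers, session cookie names, URL extension) and turns it into a labelled guess plus the OS and RDBMS assumptions timmedin describes. It also lists, for the defender, which of those headers disclose the stack and could be stripped. The two sample responses are constructed for the example, not captured from any real host, and the weights are my own choice.

```python
from dataclasses import dataclass, field

# Constructed sample responses (made up for this example, not captured):
# one from a hypothetical ASP.NET/IIS host, one from a hypothetical PHP/Apache host.
SAMPLE_ASPNET = {
    "path": "/account/login.aspx",
    "headers": {"Server": "Microsoft-IIS/7.5",
                "X-Powered-By": "ASP.NET",
                "X-AspNet-Version": "2.0.50727"},
    "cookies": ["ASP.NET_SessionId=abc123"],
}
SAMPLE_PHP = {
    "path": "/index.php",
    "headers": {"Server": "Apache/2.2.11 (Ubuntu)",
                "X-Powered-By": "PHP/5.2.6"},
    "cookies": ["PHPSESSID=def456"],
}


@dataclass
class Fingerprint:
    framework: str = "unknown"          # "ASP.NET", "PHP" or "unknown"
    evidence: list = field(default_factory=list)
    assumptions: dict = field(default_factory=dict)   # stays empty when undecided


def fingerprint(path, headers, cookies):
    """Score ASP.NET vs PHP indicators and return a Fingerprint.

    Every indicator is recorded in `evidence` so the reader can see *why*
    a guess was made; the OS/RDBMS values are assumptions, not findings.
    """
    fp = Fingerprint()
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    score = {"aspnet": 0, "php": 0}

    def note(key, weight, why):
        score[key] += weight
        fp.evidence.append(why)

    powered = h.get("x-powered-by", "").lower()
    if "asp.net" in powered:
        note("aspnet", 2, "X-Powered-By mentions ASP.NET")
    if "php" in powered:
        note("php", 2, "X-Powered-By mentions PHP")
    if "x-aspnet-version" in h:
        note("aspnet", 2, "X-AspNet-Version header present")
    if "microsoft-iis" in h.get("server", "").lower():
        note("aspnet", 1, "Server header is IIS")   # weak: IIS can also serve PHP

    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip().lower()
        if name == "asp.net_sessionid":
            note("aspnet", 2, "ASP.NET_SessionId cookie")
        elif name == "phpsessid":
            note("php", 2, "PHPSESSID cookie")

    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    if ext in ("aspx", "ashx", "asmx", "axd"):
        note("aspnet", 1, f".{ext} extension in path")   # weak: extensions can be rewritten
    elif ext in ("php", "php3", "php4", "php5", "phtml"):
        note("php", 1, f".{ext} extension in path")

    if score["aspnet"] == score["php"]:
        return fp   # no evidence, or contradictory evidence: make no assumption
    if score["aspnet"] > score["php"]:
        fp.framework = "ASP.NET"
        fp.assumptions = {"os": "Windows", "rdbms": "MSSQL"}
    else:
        fp.framework = "PHP"
        fp.assumptions = {"os": "Linux", "rdbms": "MySQL or PostgreSQL"}
    return fp


# Defender side: headers that advertise the stack and are usually safe to remove
# or blank at the web server / reverse proxy.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def disclosing_headers(headers):
    """Return the response headers (original spelling) that leak stack details."""
    return sorted(k for k in headers if k.lower() in DISCLOSING_HEADERS)


if __name__ == "__main__":
    for sample in (SAMPLE_ASPNET, SAMPLE_PHP):
        fp = fingerprint(sample["path"], sample["headers"], sample["cookies"])
        print(fp.framework, fp.assumptions)
        for line in fp.evidence:
            print("  -", line)
        print("  leaking headers:", disclosing_headers(sample["headers"]))
```

The point of the tie rule is the caveat in the reply: when indicators disagree (say a PHPSESSID cookie on a page with an ASP.NET X-Powered-By header, as happens behind a proxy or rewrite rule) the script refuses to guess rather than pick one, which is exactly the "treat assumptions as assumptions" behaviour you want during a test.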

ethicalhack3r

Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Tue Jun 23, 2009 8:35 am

Re: Differences in pen testing aspx to php apps

Thanks for the reply!

I suppose that the same vulnerabilities exist; however, the exploitation and remediation are different from PHP. I had a suspicion that .NET had built-in anti code injection, et al. functions.
