Archives
- ► 2012 (8)
- ► February (2)
- ► March (4)
- ► April (1)
- ► May (1)
- ► 2011 (157)
- ► January (20)
- • Green architecture: Sustainability and IT architecture
- • The HL7 Toolkit
- • Friday - link-day #30 - Ebooks, the world, photography, quake and CG
- • Soft Season
- • Friday - link-day #29 - Security, Study, Dark Surreal Art, Celebrities and bicycle pumps
- • Emotions of a project leader during a project
- • Emotions of an architect during a project
- • What if everything is a dream?
- • Site problems due a (probable) bug in ISAPI_Rewrite 3 revision 0079
- • 3 good pratices for your Joomla site
- • Friday - link-day #28 - Anonimity, rocking, macro photography, open source, science
- • Emotions of a developer during a project
- • HL7 and security
- • Where to begin if you want to start with HL7 in C# or Java
- • Understanding the HL7 piped message
- • How to proof that QA saves money
- • Friday - link-day #27 - Computer generated images, handwriting, PDF, photography and philosophy
- • Interesting facts on common things
- • Romans 4: Where do we go wrong?
- • Happy 2011
- ► February (16)
- • Introducing 0na as a contributor
- • The Beatles perform Smack My Bitch Up
- • Friday - link-day #34 - Happiness, usability, pink princesses, security, photography
- • A classic: Write in C
- • Privacy: I've got nothing to hide
- • Friday - link-day #33 - Unittests, roads, introverts, hack free and photography
- • Green architecture: Social
- • Thoughts on Paradise and the Fall of Man
- • Friday - link-day #32 - Photography, Sounds, Documentary, Programming and Vampires!
- • Removing images using PdfSharp
- • The Art of Intrusion - A review
- • Friday - link-day #31 - Old PC, Lost, Boardgames, Ghosts and DocX
- • Making a threatmodel, part 4: Applying STRIDE and priority
- • Making a threatmodel, part 3: Used technologies
- • Making a threatmodel, part 2: Data Flow Diagram
- • Making a threatmodel, part 1: Business usecases
- ► March (14)
- • Privacy, security and smart phones
- • Privacy, security and the cloud
- • Threatmodels - A video on smartphones
- • Friday - link-day #38 - Life-enhancement, barcode, Atlantis, underwater, nowhere
- • Development and the time to market of software
- • Suckerpunch is almost released
- • Friday - link-day #37 - Linux, meaning, meta testing, home library and vampires
- • Green architecture: Environment
- • Why do soft-skills training matter
- • Why nHapi sometimes parses a message as a generic message
- • Friday - link-day #36 - Philosophy, Art, Concept, Hypocrite or Delusional, Sustainable Computing
- • The results of a pentest
- • Friday - link-day #35 - Badasses, digital art, photography, cows and ideology and assembly
- • The psychology of rites of passage
- ► April (13)
- • We need your input!
- • Friday - link-day #43 - Photography, Browsers, Hacking and Reading
- • Lyrics for this Easter morning
- • How to reset you Kindle 3, even if the slide doesn't work
- • Inside the Kindle 3 (Latest Generation)
- • Friday - link-day #42 - The Geek Edition
- • Friday - link-day #41 - Fork, Berlin, Life, Girls and Microexpressions
- • No need for bashing Microsoft anymore
- • XSS so what
- • Friday - link-day #40 - Pascal, photography, fan films and fear
- • Friday - link-day #39 - War, Creationism, Geek behaviour, photography and Garbage
- • John 8: 1-11 - Punishment and second chances
- • Evangelisation: show your believe through choice
- ► May (15)
- • Joomla RSS Feed stats in Piwik
- • Really cool: Running Linux in your browser
- • Romans 12 - Part 3
- • Romans 12 - Part 2
- • Romans 12 - Our daily lives (part 1)
- • Friday - link-day #47 - Worlds, History, Compilers, Drugs and Intelligence and Personality
- • Development processes and quality code
- • Friday - link-day #46 - Abandoned, Curiosity, Hackers, PirateBox and Apocalyptic
- • Friday - link-day #45 - Luck, Illustrations, Body Language, TrueCrypt, Open Wireless
- • Read SIU messages using nHapi
- • Religion and Crisis: Recognizing and dealing with guilt
- • Friday - link-day #44 - Photography, Werewolves, Bookshelves, Trolls and The Future
- • On tolerance and ignorance
- • Green architecture: Economic
- • Scale a PDF using PdfSharp
- ► June (16)
- • Coffee
- • Green architecture: How green is your internet?
- • Friday - link-day #51 - HDR Images, Monastery, Too clean, Hacking and Photography
- • Use a GPU to crack pasword hashes fast
- • Using SSL over TCP as client and server with C#
- • Friday - link-day #50 - Multitouch, Comic Sans, Sons, Woman, Mugshots and Games
- • How to help open source without coding
- • Really cool: Play Doom in your browser
- • Romans 12 - Part 7
- • Friday - link-day #49 - Books, .Net, Drawings, Technology and Faith
- • Romans 12 - Part 6
- • Romans 12 - Part 5
- • Romans 12 - Part 4
- • Friday - link-day #48 - Photography, Bookcases, Scrum, Illustrations and PDF's
- • Musings on afterlife
- • MonoDevelop
- ► July (17)
- • Wisdom
- • NHapi documentation files
- • Types of rituals
- • The process of a ritual
- • Friday - link-day #56 - Hapiness, Linux, Truth, Worldviews and OS
- • Romans 12 - Part 12
- • Romans 12 - Part 11
- • Friday - link-day #55 - Retro WTF, Blank, disney, Hackers and Beach Art
- • Romans 12 - Part 10
- • Services and protocols aren't the same
- • The paradox of choice
- • Romans 12 - Part 9
- • Friday - link-day #54 - Love, E, MetaData, SLR and Apple
- • Friday - link-day #53 - Shadows, Google, Safety, IPhones and Church
- • Friday - link-day #52 - Computer science, Super Heros, Animation, Rock Paper and Scissors and Blue
- • Romans 12 - Part 8
- • Why modern IDE's aren't the best tools to learn coding
- ► August (10)
- • How to parse the HL7 DateTime with nHapi
- • Friday - link-day #60 - Surreal, Kinect and Blender, IBM, Organ and Mail
- • The Tetris effect
- • Friday - link-day #59 - Thanks, Photo's, Color, DOS and Openness
- • Friday - link-day #58 - Ebooks, Six, Fan Films, Cats and the Moon
- • Getting data from a HL7 ORU_R01 message
- • Using a client certificate with an SSL stream in C#
- • Physical object and rituals
- • Friday - link-day #57 - Disgruntled bomb, Architecture, Belief, Geek behaviour and Simpsons
- • Romans 12 - Part 13
- ► September (9)
- • Friday - link-day #65 - Airplanes, Passwords, Self-Esteem, Code and Girls
- • HL7 event grouping in version 2.4 (nHapi)
- • Friday - link-day #64 - Movies, Faces, Startup times, Resume and Happiness
- • 10 Programming lessons I learned in my 12 years in IT
- • Friday - link-day #63 - God, Art, Keyboard, Faces and Kermit
- • Friday - link-day #62 - Http status, Open PC, Photography, Movies, Illustrations
- • Friday - link-day #61 - Archimedes, Honeypot, Creativity, Elephants and Hackers
- • Social engineering: The wolf and the seven little goats.
- • On why we shouldn't use the term web service.
- ► October (8)
- • Friday - link-day #69 - Ghosts, Words, Linux, Fantasy and Lazarus
- • Ezekiel: The Pulp Fiction Verse
- • Friday - link-day #68 - Reflections, Linux, Spelling, Friends and X.509
- • Ezekiel 37
- • Friday - link-day #67 - Portraits, Gossip, Cool pictures, Design patterns and Privacy
- • Is it HTTP response splitting
- • Choices and age
- • Friday - link-day #66 - Animal, Guitarists, Locks, Pixels and Fridge
- ► November (10)
- • Ayn Rand and lotteries
- • Friday - link-day #73 - Passwords, Intelligence, Rain, Photography and Scared people
- • Friday - link-day #72 - Gifs, Movie descriptions, Symmetry, Architecture and Mario
- • The Great Dictator
- • A social network with respect for privacy
- • Snowwhite the trailer
- • Friday - link-day #71 - Life, Images, Tetris, Witches and Beacon
- • Security in IT-projects: The Story of the Three Little Pigs
- • Friday - link-day #70 - Bios, Future, God, 1% and Security
- • The Hl7 Implementation Support Guide
- ► December (9)
- • Almost Christmas: consumerism
- • Friday - link-day #78 - Colors, Mythical, Girls, Smurf and Pictures
- • Friday - link-day #77 - Searching, Microsoft, Music, Hacking and Volcanoes
- • Friday - link-day #76 - st. Nicolas, IE, Disney, Grandmother and Games
- • Best of 2011
- • Santa
- • Friday - link-day #75 - Photography, Forgiveness, Games, Colors and Computer science
- • YaCy: P2P search engine
- • Friday - link-day #74 - Creationism, Memmories, Bossie award, Easter and Contrast
- ► January (20)
- ► 2010 (174)
- ► January (11)
- • Forgiveness: the cost of forgiving
- • Security rule #7: Dont't let the ends outweigh the means
- • Security rule #6: Help users protect themselves
- • Security rule #5: Security starts at business level
- • Security rule #4: Try to use standard solutions
- • Security rule #3: It's all about data and risk
- • Security rule #2: You can't outsmart an attacker
- • Security rule #1: Don't trust data
- • Unbelievable: biblical text on weapons
- • Security: session management the right way
- • 20 wise programming lessons
- ► February (6)
- ► March (18)
- • How to define a good service interface
- • Changing imperonation user at runtime
- • Coding fun: statistical problem
- • Easter and new years resolutions
- • Easter eggs and security
- • .Net and Oracle webservices
- • Why use MQ instead of webservices in webinterface backoffice communication
- • In basis all religions are the same. Is that true?
- • The security dilemma revisited.
- • How to create an application supporting multiple HL7 version using nHapi
- • Really cool: run java on .Net with IKVM
- • Pay it forward
- • How do you see other religions
- • The Baseballs make really bad songs sound really good
- • Comics and theology
- • On why christians should vote left-wing
- • Thinking like a hacker
- • Flyleaf
- ► April (22)
- • nHapi example
- • The new OWASP Top 10
- • The theology of Caprica
- • Perron11.nl a site using the MVC framework
- • HL7 version 2.3 problem with too many Patient ID's
- • Single sign on with openid
- • Security isn't all about defending
- • Movie: Son Of Man
- • A song for Easter: Thief
- • Slovo - Nommo
- • How to build quality appllications: learn from UNIX
- • REST and SOAP: what and when
- • Do all religions essentially come down to the same thing (part II)
- • Design changes
- • The beginning of prayer is silence
- • Security is a quality attribute
- • Good Friday - Lacrimosa
- • Integrating webapplications and sites
- • Leadership style: behavior versus result
- • Bypassing the .Net ValidateRequest filter
- • The value of good documentation
- • Software architecture and new technology
- ► May (14)
- • New phishing attack
- • German court convicts someone for having a wireless network without a password
- • HL7 escape characters and nHapi
- • The theology of Sophie Scholl: Die letzten tage
- • IBM MQ Reason codes
- • Two extension methods
- • Nostalgia: my first password cracker
- • Wifi with Mandriva 2010.0
- • Are Christians allowed to be rich?
- • Measuring code quality
- • Estimation and politics
- • This code should be removed
- • Legal and free music with Jamendo
- • God exists Quietly
- ► June (12)
- • VS2008 project using private unittests don't build with TFS2010
- • Blenders open movie projects
- • Java forever - the movie trailer
- • Persistent messages with IBM MQ
- • Gnoosic helps you find new bands
- • Back from the Holy Land
- • Judging doesn't have to be negative
- • Less posts due vacation
- • The need for postmodern thinking in software development
- • Robtex - internet swiss army knife
- • Listen to your user... Or not?
- • Jars of Clay - Flood
- ► July (14)
- • SDL: Threat Modeling tool vs. Threat Analysis tool
- • Friday - link-day #4 - GUID in debate, philosophy problems, types of believe, code quality, rainbowtables
- • Confessions on life, death and God
- • Hole 196: WPA2 security vulnerability
- • Friday - link-day #3 - UI based scripting, view states, caffeine, blow dryers and money for bugs
- • New review process for Firefox Addons
- • Friday - link-day #2 - Cloud security, quick coding, atheism and photography
- • Remembering strong passwords
- • Downtime
- • Should unit tests use a database connection to test stored procedures?
- • Friday - link-day #1
- • How secure is your password really?
- • Psalm - hope in dark times
- • Grooveshark - Online free music
- ► August (13)
- • Microsoft puts SDL under a Creative Common license
- • Social Steganography: A different way of privacy control
- • Creating Hl7 ORU_R01 messages with NHapi
- • Friday - link-day #8 - open source, photography, playing Doom, thinking about God, security and usability
- • Why use the fire and forget pattern?
- • Are woman better at social engineering?
- • How to show possibilities in AutoCompleteExtender without user input
- • Friday - link-day #7 - view states, nature photography, classical music, NTLM and religion and kids
- • Why do people work on open source?
- • Friday - link-day #6 - battleground God, negative thoughts, photography, jokes and one time passwords
- • How to render SSL useless
- • Required password change policy - still a good idea?
- • Friday - link-day #5 - comic, executable packer, e-books, security, ice-cream
- ► September (24)
- • Staring at the sun - a must read for pastors
- • TFS2010: Hotfix for error TF270015
- • Problems with comments
- • Evolution vs. Creationism is a non-discussion
- • Elevation of Privilege: The Card Game
- • The tenth of october 2010: 42-day
- • What is coaching? The difference between coaching and mentoring.
- • Friday - link-day #12 - Parable, Bed and society, before death, penguin dieting and a game
- • Microsoft free e-book for moving to VS2010
- • Architecture and coaching
- • This is overreacting to a field trip to a mosque
- • Social-engineering report from DEFON 18
- • New site for Slot and Partners
- • The pratical use of a Sequence Diagram
- • Friday - link-day #11 - viruses, Linux, security and DOS, photography, makeup and face-detection and sacred text
- • Own your space - a security book for teens
- • Are woman better at social engineering? Revisited.
- • Friday - link-day #10 - hitchhiker's guide, online tools, academics and games, reading and forgiveness
- • Crowd-sourced Radiohead live DVD
- • Microsoft released Enhanced Mitigation Experience Toolkit v2.0
- • CLASP and SDL compared
- • Red heifer, the Good Samaritan and morals
- • OWASP CLASP and Secure Coding Practices
- • Friday - link-day #9 - Linux gaming, keyloggers, secure filemount, Microsoft loves open source and science and a Stradivarius
- ► October (11)
- • Friday - link-day #17 - Trust, security, music and learning, documentation and social experiments
- • Open source threat modelling tools
- • How to verify the security of your application: the OWASP standard
- • Friday - link-day #16 - distributed, programming, SSID in hiding, movies and scores
- • Downtime
- • Friday - link-day #15 - exploits, great developers, movie and smartness
- • Usb-drive as a threath for security
- • Correct and usefull error messages - one of the hardest things in software development.
- • Friday - link-day #14 - Games, open source, Linux, programs and idleness
- • Friday - link-day #13 - lockpicking, beep, Sartre, peanuts, photography and biometrics
- • Happy 42-day!
- ► November (11)
- • Is Atheism purely rational?
- • Bacterial based storage: store your data on E-coli
- • Diaspora open to invitees
- • Friday - link-day #21 - Linux and domination, security verification, steampunk girls, autumn and liars
- • Abuse, Violence, Gender and Submission
- • Linux will soon become much faster
- • Friday - link-day #20 - Mono, lockpicking, sanity, portraits and penguin diet
- • Power - the way to deal with it
- • Friday - link-day #19 - processes, Ubuntu and Windows 7, Photography, love your Pastor and passwords
- • Friday - link-day #18 - Skills, Linux and Microsoft, OO, Strangers and being from Mars
- • Content Security Policy - A new countermeassure against XSS and CSRF
- ► December (18)
- • Calvin and Hobbes on parenting
- • Coaching: Choosing the right test
- • What is HL7 and nHapi?
- • Broke 1000 unique visitors
- • A movie for Christmas: Eternal Sunshine of the Spotless Mind
- • Suckerpunch
- • Our Daily Bread
- • Friday - link-day #26 - Problems, sound sculptures, zombies, numbers and therapy
- • Friday - link-day #25 - Conformism, musicscores, programmers, domination, photography
- • Best of 2010
- • Evangelism on Internet, part 3: What's next?
- • Friday - link-day #24 - Hacking, photography, pac-man, myths and doubters
- • Evangelism on Internet, part 2: How?
- • Evangelism on Internet, part 1: Why?
- • Friday - link-day #23 - Design, Word format, Sound recordings, Photography, Theoretical museum
- • IE's protected mode broken
- • Dealing with the insider threat
- • Friday - link-day #22 - Steampunk, Coin tosses, Tetris and flashbacks, Vulnerable Linux and Photography and the Law
- ► January (11)
- ► 2009 (12)
- ► November (8)
- ► December (4)
Which topics would you like us to cover more?
Latest comments
- How to reset you Kindle
3, eve...
Thanks for this article and the related "Inside th...
By H K - How to reset you Kindle
3, eve...
How do you drain power on the board? I dont have r...
By Grace - How to reset you Kindle
3, eve...
You're welcome!
By Bas - How to reset you Kindle
3, eve...
Thanks man....removing the battery worked like a c...
By DaveMan - nHapi
example
Hi Slypete, Thank you for your comment. This way w...
By Bas - nHapi
example
Hello, Employing .Net dynamics, one can implement ...
By slypete - Implementing MLLP in C#
Hi Mayura, I'm not sure I understand your question...
By Bas - Implementing MLLP in C#
I have used SSL stream to secure the MLLP transact...
By Mayura
Latest tweets
about 1 day ago
Using REDIPS.drag to add drag and drop to
your .Net webapplication #li #dib0
http://t.co/n8zY3s7d
about 7 days ago
http://t.co/cknQcDbo #Kindle
about 15 days
ago Freedom isn't the ability to
choose what to do or say, but the ability to choose what not to do
or say #freedom
about 29 days
ago http://t.co/61KTQknI #Kindle
12 Apr 2012
Force the use of a networking adapter using
C# #li #dib0 http://t.co/ZTJOPzOz
9 Apr 2012
http://t.co/k9yliR2t #Kindle
9 Apr 2012
Mandriva 2010.2 and USB devices in Virtualbox
http://t.co/fwq9gbHB
9 Apr 2012
Execute a http request to you own site with
PHP http://t.co/DIvWPrpd
Home 
Architecture, security and coding Bypassing the .Net
ValidateRequest filter
Architecture, security and coding Bypassing the .Net
ValidateRequest filter| Bypassing the .Net ValidateRequest filter |
| Written by Division by Zero |
| Tuesday, 06 April 2010 13:46 |
|
The .Net framework has a default filter to test if someone tries to attack your web application. I don't know if you ever tested if you could break this filter. I have (I know... that's kind of how I do things: break stuff), but it's hard. While conducting a pen-test on one of our own sites I found a white paper on how to bypass the ValidateRequest. For some reason the paper was pulled of the web, but you know that once it has been on the web it's almost impossible to remove it. The paper is 24 pages long and explains which steps were taken to break the filter. I won't republish this paper, but the final conclusion to break the filter and conduct cross site scripting is the following input.
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
So remember: don't trust these kind of standard, default filters alone. Always validate your input and use more advanced standard solutions to help you with that. A colleague pointed me to a post on keepitlocked.net supporting this. This post shows the reflected code of the ValidateRequest and it's boundaries. Related Articles |
I think, therefore I am. - R. Descartes
