[SCIP] Identify, Enumerate & Execute Invisible ASP.net Controls

Friday, March 15, 2013

SCIP is an OWASP ZAP extension designed to assess the security of ASP.net and Mono applications by abusing platform-specific behaviors and misconfigurations.

The extension currently supports the following features: 

- Identify the existence of invisible, commented and disabled server-side web controls in ASP.net – passively (!).
- Identify which ASP.net security configuration is active in each page (EventValidation, MAC), and in which cases the invisible controls are exploitable – passively (!).
- Enumerate the names of invisible controls using built-in customizable dictionaries with ASP.net naming conventions.
- Rebuild the event validation whenever possible (MAC=off).
- Execute invisible controls when either one of the security features is turned OFF, or when there is a server-side callback implementation flaw.
- Execute disabled controls and commented out controls regardless of security.
- Support additional manual techniques for executing controls despite the security features.
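Because the conditions above depend on EventValidation or MAC being turned off, the same two settings can be audited from the source side. The following is an added example, not part of SCIP or of the original post: it flags `<pages>` elements in a web.config and `@ Page` directives that explicitly disable either feature. The sample config, the sample page and the function names are constructed for illustration, and the config is assumed to carry no XML namespace.

```python
import re
import xml.etree.ElementTree as ET

# Both settings default to true in ASP.NET; only an explicit "false" weakens a page.
CHECKS = {"enableeventvalidation": "EventValidation", "enableviewstatemac": "MAC"}

def audit_web_config(xml_text):
    """Return (scope, feature) for every <pages> element that turns a feature off."""
    root = ET.fromstring(xml_text)
    # Remember which <location path="..."> block scopes each <pages> element.
    scoped = {}
    for loc in root.iter("location"):
        for pages in loc.iter("pages"):
            scoped[pages] = loc.get("path", "")
    findings = []
    for pages in root.iter("pages"):
        scope = scoped.get(pages, "(site-wide)")
        for attr, value in pages.attrib.items():
            feature = CHECKS.get(attr.lower())
            if feature and value.strip().lower() == "false":
                findings.append((scope, feature))
    return findings

PAGE_DIRECTIVE = re.compile(r"<%@\s*Page\b(.*?)%>", re.I | re.S)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def audit_page_directive(aspx_text):
    """Return the features that one .aspx file's @ Page directive turns off."""
    match = PAGE_DIRECTIVE.search(aspx_text)
    if not match:
        return []
    return [CHECKS[name.lower()] for name, value in ATTR.findall(match.group(1))
            if name.lower() in CHECKS and value.strip().lower() == "false"]

# Constructed sample inputs (not taken from any real application).
SAMPLE_CONFIG = """<configuration>
  <system.web><pages enableEventValidation="true" /></system.web>
  <location path="admin/export.aspx">
    <system.web><pages enableEventValidation="false" enableViewStateMac="false" /></system.web>
  </location>
</configuration>"""
SAMPLE_ASPX = '<%@ Page Language="C#" EnableEventValidation="false" CodeBehind="Default.aspx.cs" %>'

if __name__ == "__main__":
    for scope, feature in audit_web_config(SAMPLE_CONFIG):
        print(f"web.config [{scope}]: {feature} disabled")
    for feature in audit_page_directive(SAMPLE_ASPX):
        print(f"@ Page directive: {feature} disabled")
```

Any finding marks a page where hidden or disabled controls should be treated as reachable and protected by server-side authorization checks in the event handlers themselves.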

The extension can be obtained from the project's website or from ZAP's built-in marketplace feature: 
