[SCIP] Identify, Enumerate & Execute Invisible ASP.net Controls
SCIP is an OWASP ZAP extension designed to assess the security of ASP.net and Mono applications by abusing platform-specific behaviors and misconfigurations. The extension currently supports the following features:
- Identify the existence of invisible, commented and disabled server-side web controls in ASP.net – passively (!).
- Identify which ASP.net security configuration is active in each page (EventValidation, MAC), and in which cases the invisible controls are exploitable – passively (!).
- Enumerate the names of invisible controls using built-in customizable dictionaries with ASP.net naming conventions.
- Rebuild the event validation whenever possible (MAC=off).
- Execute invisible controls when either one of the security features is turned OFF, or when there is a server-side callback implementation flaw. Execute disabled controls and commented-out controls regardless of security.
- Support additional manual techniques for executing controls despite the security features.
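The first two features above are passive checks: they only read the HTML the server already sends. The script below is an added example of that kind of passive audit, written for this page and not part of SCIP or ZAP. Given one HTTP response body it reports whether the page carries an `__EVENTVALIDATION` field (EventValidation on or off), whether `__VIEWSTATE` is present, which form controls are rendered with `disabled` (a client-side attribute only), and which `<input>` elements sit inside HTML comments, where a commented-out server control still ends up when it is wrapped in `<!-- -->` rather than a server-side `<%-- --%>` comment. The response body, control names and IDs are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed ASP.net response body. It deliberately lacks an __EVENTVALIDATION
# hidden field (EventValidation disabled for this page), renders one control
# with disabled="disabled", and leaves one control inside an HTML comment.
SAMPLE_RESPONSE = """
<form method="post" action="./Default.aspx" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJconstructed" />
<input type="submit" name="ctl00$MainContent$btnSave" value="Save" id="MainContent_btnSave" />
<input type="submit" name="ctl00$MainContent$btnExport" value="Export" id="MainContent_btnExport" disabled="disabled" />
<!-- <input type="submit" name="ctl00$MainContent$btnAdminReset" value="Reset all" id="MainContent_btnAdminReset" /> -->
</form>
"""

INPUT_RE = re.compile(r"<input\b[^>]*>", re.I)
ATTR_RE = re.compile(r'([\w:-]+)\s*=\s*"([^"]*)"')
FRAMEWORK_FIELDS = ("__VIEWSTATE", "__EVENTVALIDATION", "__VIEWSTATEGENERATOR",
                    "__EVENTTARGET", "__EVENTARGUMENT")


def _parse_attrs(tag_text):
    """Extract attribute="value" pairs from raw tag text found inside a comment."""
    return {k.lower(): v for k, v in ATTR_RE.findall(tag_text)}


class _FormCollector(HTMLParser):
    """Collects live <input> tags and <input> tags hidden inside HTML comments."""

    def __init__(self):
        super().__init__()
        self.inputs = []      # attribute dicts of rendered <input> elements
        self.commented = []   # attribute dicts of <input> elements inside <!-- -->

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append({k.lower(): (v or "") for k, v in attrs})

    def handle_comment(self, data):
        # The parser hands us the raw comment text; look for input tags in it.
        for raw in INPUT_RE.findall(data):
            self.commented.append(_parse_attrs(raw))


def audit_response(body):
    """Passive audit of one ASP.net response: security fields and control state."""
    collector = _FormCollector()
    collector.feed(body)
    names = {i.get("name", "") for i in collector.inputs}
    return {
        "event_validation": "__EVENTVALIDATION" in names,
        "viewstate": "__VIEWSTATE" in names,
        "disabled_controls": sorted(i.get("name", "") for i in collector.inputs
                                    if "disabled" in i and i.get("name")),
        "commented_controls": sorted(i.get("name", "") for i in collector.commented
                                     if i.get("name") and not i["name"].startswith(FRAMEWORK_FIELDS)),
    }


def assess(findings):
    """Turn the raw findings into defender-facing remediation notes."""
    notes = []
    if not findings["event_validation"]:
        notes.append("EventValidation is OFF: postbacks naming controls that were never rendered "
                     "are not rejected by event validation; re-enable EnableEventValidation.")
    if findings["disabled_controls"]:
        notes.append("Controls rendered as disabled (client-side only), enforce on the server: "
                     + ", ".join(findings["disabled_controls"]))
    if findings["commented_controls"]:
        notes.append("Server controls leaked inside HTML comments (use <%-- --%> or remove them): "
                     + ", ".join(findings["commented_controls"]))
    return notes


if __name__ == "__main__":
    result = audit_response(SAMPLE_RESPONSE)
    for key, value in result.items():
        print(f"{key}: {value}")
    for note in assess(result):
        print("-", note)
```

Running the script on the constructed response reports EventValidation off, ViewState present, one disabled control and one commented-out control, followed by the three remediation notes. Pointing `audit_response` at real response bodies (for example, exported from a ZAP session) gives the same passive triage across an application without sending any additional requests.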
The extension can be obtained from the project's website or from ZAP's built-in marketplace feature:
Reviewed by Zion3R on 9:40 AM