Geeks With Blogs
Josh Tenenbaum Errant ramblings

My team recently upgraded our web application to Asp.Net 2.0 from Asp.Net 1.1. Yesterday was the first deployment since the upgrade. Overall, the conversion went well. But an odd thing happened during the mandated Vulnerability Assessment that is required before the application go live. I received an email that said "A high risk 'Blind SQL Injection' is showing up on the http://<domain> /<virtdir>/common/error.aspx  URL on the aspxerrorpath object." I looked at the page, but it literally did nothing in the database (read or write). Not a thing. I thought maybe a Cross Site Scripting vulnerability, but certainly not a SQL injection problem. But, anybody who has worked in a large organization knows, the path of least resistance is the best.

I decided to address the perceived issue by overriding the OnError event in a common base class for all the pages in the site. I made sure I didn't pass the aspxerrorpath param and voila: We passed today.

Posted on Wednesday, February 20, 2008 9:22 PM | Back to top

Comments on this post: Blind SQL Injection ?

No comments posted yet.
Your comment:
 (will show your gravatar)

Copyright © Josh Tenenbaum | Powered by: