Monday, 8 October 2012

Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform

Michael Hidalgo wrote this great article on using O2 to exploit an overposting (i.e. auto-binding) vuln in an ASP.NET MVC demo app: Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform

As you can notice that was posted on which has always been a good source of technical content for me (although not a site I would use everyday). That said, I'm starting to like the new version of and this could be a great place to post O2-related technical articles.

On the Asp.NET MVC topic, if you are interested, here are a couple related posts:

The next step is to see how we can write SAST rules (maybe executed by Cat.NET) to find these issues on the source code.

I really don't have hard numbers, but I will bet that the number of Asp.NET apps vulnerable is really high (just like what happens with the Spring Framework MVC)