Tuesday, November 16, 2004

Web Services (ASMX) in Framework 2.0

Greetings,

I read these great articles at TheServerSide.net by author Christian Weyer. He is an MVP and Microsoft Regional Director. He has a blog at http://weblogs.asp.net/cweyer/

He starts off by writing an intro on web services in Framework 1.0 and 1.1: what was not good enough, and what developers were looking to have that even the service packs did not provide.

He goes on in the next parts to show you the amount of re-work Microsoft has done on Web Services 2.0 (hence the title of the articles, Web Services Strikes Back!).

Here are the URLs:

http://www.theserverside.net/blogs/showblog.tss?id=WSStrikesBack (Intro)
http://www.theserverside.net/blogs/showblog.tss?id=WSStrikesBackP2
http://www.theserverside.net/blogs/showblog.tss?id=WSStrikesBackP3
http://www.theserverside.net/blogs/showblog.tss?id=WSStrikesBackP4


Happy reading.

/Gill


Tuesday, November 02, 2004

Second-order Code Injection Attacks

Abstract:
"Many forms of code injection targeted at web-based applications (for instance cross-site scripting and SQL injection) rely upon the instantaneous execution of the embedded code to carry out the attack (e.g. stealing a user's current session information or executing a modified SQL query). In some cases it may be possible for an attacker to inject their malicious code into a data storage area that may be executed at a later date or time.

Depending upon the nature of the application and the way the malicious data is stored or rendered, the attacker may be able to conduct a second-order code injection attack.
A second-order code injection attack can be classified as the process in which malicious code is injected into a web-based application and not immediately executed, but instead is stored by the application (e.g. temporarily cached, logged, stored in a database) and then later retrieved, rendered and executed by the victim."
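
The store-now, execute-later pattern from the abstract, as an added example that is not part of the original post or the quoted paper: a value is written safely through a parameterized INSERT, then later read back and concatenated into a second query, next to the hardened form that binds it. The table layout, function names and sample rows are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    # Step 1 (storage): both names go in through a parameterized INSERT, so the
    # quote and comment marker in the second name are stored as plain data.
    db.executemany("INSERT INTO users (id, name, password) VALUES (?, ?, ?)",
                   [(1, "admin", "admin-pw"), (2, "admin'--", "guest-pw")])
    return db

def stored_name(db, user_id):
    return db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]

def password_of(db, user_id):
    return db.execute("SELECT password FROM users WHERE id = ?", (user_id,)).fetchone()[0]

def change_password_vulnerable(db, user_id, new_pw):
    # Step 2 (later use): the name read back from the database is treated as
    # trusted and concatenated, so it is parsed as SQL instead of as a value.
    name = stored_name(db, user_id)
    db.execute("UPDATE users SET password = ? WHERE name = '" + name + "'", (new_pw,))

def change_password_hardened(db, user_id, new_pw):
    # Stored data is bound as a parameter exactly like fresh user input.
    name = stored_name(db, user_id)
    db.execute("UPDATE users SET password = ? WHERE name = ?", (new_pw, name))

def run(change_fn):
    """Account 2 changes its own password; return (admin pw, account 2 pw)."""
    db = make_db()
    change_fn(db, 2, "new-pw")
    return password_of(db, 1), password_of(db, 2)

if __name__ == "__main__":
    print("vulnerable:", run(change_password_vulnerable))
    print("hardened:  ", run(change_password_hardened))
```

Input validation at signup would not have flagged anything at write time, which is why the fix belongs at every point where stored data is used to build a query.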