Project Description
Security tools and guidelines for white-hat hacking and protecting ASP.NET web applications.

News

Version v.1.3.0.1 of Lens is available, with support for remotely testing for the Padding Oracle Attack. For the complete list of changes, new features and fixes in the new version, please view the Version History page.

Version v.1.2.0.0 of Lens is available, with support for saving the test cookie directly to the browser's cookie store. For the complete list of changes, new features and fixes in the new version, please view the Version History page.

Click on the Downloads tab to get Lens, or the Documentation tab to learn more about it.

Our mission

Just like any other web platform, ASP.NET is not free from features that can be misused in a way that has serious security-related consequences. Developers should be aware of exactly what this platform provides in terms of security: when one can trust the runtime to handle an attack gracefully, and when one should write additional lines of code to protect the application against a certain threat.

The goal of this site is to provide information and tools to test your ASP.NET web application against well-known attacks and to provide guidance on how to implement workarounds if your site happens to be vulnerable. These tools are for developers and ethical hackers; we have no intention of helping malicious activities.

Note that we do NOT claim to have found any new security vulnerability in the ASP.NET platform that Microsoft is not aware of or tries to hide. All we say is that, just like many other platforms, this platform is not bulletproof, and there are attacks out in the wild that can exploit not your code, but the platform your code runs on. Even though it is not your code, your application builds on top of it, so it is your task to patch these vulnerabilities. Hopefully we can help you fulfil this task.

This site is dedicated to ASP.NET Ethical Hacking, but you can read more about security and various aspects of ethical hacking on our Haxperience site.

György Balássy
Microsoft Regional Director, Hungary, ASP.NET MVP, MCTS
MSDN Competence Center
Hungarian blog: http://balassygyorgy.wordpress.com
English blog: http://gyorgybalassy.wordpress.com

Protect your ASP.NET site against the following attacks

You can use our Lens tool to test your site against the following attacks. You can read more about Lens on the Documentation tab.
  • Padding Oracle Attack (available in v.1.3.0.0)
  • Session state
    • Eavesdropping
    • Session fixation (available in v.1.0.0.1)
  • Forms authentication
    • Eavesdropping
  • ViewState
    • Eavesdropping (available in v.1.0.0.1)
    • Information disclosure (available in v.1.0.0.1)
    • Event handler bypass
  • Event handling
    • Postback to disabled controls
    • Postback to invisible controls
  • One-click attack

Last edited May 21, 2011 at 5:17 AM by balassy, version 23