ASP.NET Security Testing

Reference

ASP Fuzzing

  • Extensions.

Xml
Txt
Zip
7z 
Dll
Ashx
Asmx
Svc
HTML
HTM
JS
JSON
  • Headers.

Cookie: 
User-Agent: 
Accept: */*
  • Example Findings

Api.zip
Wwwroot.zip
Bin.7z
Web.dll
Login.htm
Accesses.txt
appsettings.json
UploadHandler.ashx
File_Manager.asmx
Service1.svc
  • Tools

  • FFUF

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://target.example/FUZZ -D -e .php,.html,.bak -t 40

go install -v github.com/musana/fuzzuli@latest

echo https://fuzzuli.musana.net|fuzzuli -p
echo https://fuzzuli.musana.net|fuzzuli -mt shuffle
echo https://fuzzuli.musana.net|fuzzuli -mt regular
echo https://fuzzuli.musana.net|fuzzuli -mt withoutdots
echo https://fuzzuli.musana.net|fuzzuli -mt withoutvowels
echo https://fuzzuli.musana.net|fuzzuli -mt withoutdv
echo https://fuzzuli.musana.net|fuzzuli -mt reverse
echo https://fuzzuli.musana.net|fuzzuli -mt all

Critical ASP Paths Often Overlooked by Pentesters.

/OBJ/Debug
intitle:"index of /obj"
APPname.dll, APPNAME.FUZZ.dll
Web.dll, WebConfig.txt, Web.xml
*.DLL
*.TXT
*.XML

/XML/
FUZZService.EXT|AppNameService.EXT|AppName.EXT
Login.asmx, admin.asmx, FileTransferService.svc
FUZZ /XML/ with XSL EXT
/xml/SupportAuth.xsl
*.XML
*.XSL
*.ZIP

/WebServices/
Config.xml, Export.zip, Login.XSL
SUPPORTTOKENINTERNAL on SupportAuth.aspx
*.ASMX
*.SVC

Abusing ASP.NET_SessionId for Unauthorized Access.

/Backup/ 403
Web.config
 <deny users="?" /> =anonymous  
UnAuth ASP.NET_SessionId=X
 <deny users="?" /> ≠ anonymous
 /backup/ 200
--------------------
/UsersInfo.ashx 302
if (Request.Cookies[".ASPXAUTH"] == null)
UnAuth
.ASPXPath=X
if (Request.Cookies[".ASPXAUTH"] != null)
/UsersInfo.ashx 200
---------------------
# Scenario
1. /Hdownload.ashx -> 302
2. /Login.aspx -> .ASPXPATH= (cookie parameter) 
3. /Hdownload.ashx  + .ASPXPATH= (cookie parameter) -> Bypassed

Bypassing WAFs with ASP.NET Cookieless Sessions.

  • Bypass WAF-Blocked Endpoints Using (S(x))

1. GET /admin/login.ASPX
2. The WAF only allows internal IPs to access the endpoint.
3. GET /admin/(S(X))/login.ASPX --> 200 OK
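
For defenders, the bypass above shows up in access logs as a request whose raw path misses the WAF rule but whose path, once the cookieless segment is removed, is the restricted endpoint. The following is an added example, not part of the original page: the protected path, the internal network range, the four-field log layout and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# ASP.NET cookieless identifiers sit in their own path segment, e.g. /(S(X))/.
# The session id uses the letter S; any single-letter identifier is matched.
COOKIELESS = re.compile(r"/\((?:[A-Za-z]\([^()/]*\))+\)(?=/|$)")

# Assumed policy for this example: the endpoint is internal-only.
PROTECTED_PATHS = {"/admin/login.aspx"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def normalize_path(raw_path: str) -> str:
    """Drop the query string and cookieless segments, then lower-case,
    giving the path the application actually serves."""
    path = raw_path.split("?", 1)[0]
    return COOKIELESS.sub("", path).lower()


def find_bypasses(log_lines):
    """Return (ip, raw_path, status) for external requests that a rule
    matching the raw path missed but that resolve to a protected path."""
    hits = []
    for line in log_lines:
        ip, _method, raw_path, status = line.split()
        external = ipaddress.ip_address(ip) not in INTERNAL_NET
        seen_by_rule = raw_path.split("?", 1)[0].lower() in PROTECTED_PATHS
        if external and not seen_by_rule and normalize_path(raw_path) in PROTECTED_PATHS:
            hits.append((ip, raw_path, int(status)))
    return hits


# Constructed sample access-log lines: client IP, method, path, status.
SAMPLE_LOG = [
    "203.0.113.7 GET /admin/login.aspx 403",
    "203.0.113.7 GET /admin/(S(X))/login.ASPX 200",
    "10.1.2.3 GET /admin/(S(abc))/login.aspx 200",
    "198.51.100.9 GET /(S(abc))/default.aspx 200",
]

if __name__ == "__main__":
    for ip, path, status in find_bypasses(SAMPLE_LOG):
        print(f"possible rule bypass: {ip} {path} -> {status}")
```

Applying the same normalization before the WAF or reverse proxy evaluates its path rule makes the rule see the path the application will serve.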

Uncovering Secrets in ASP.NET JS Files.

  • Fuzzing For JS On ASP.NET

/
/js
/Javascript
/include
  • Critical JavaScript Filenames On ASP.NET

appsettings.js
Config.js
debug.js
service-worker-assets.js

Breaking Auth with Unique Path Manipulation.
