[Mono-list] Asp.Net Security Analyser

Dinis Cruz Dinis@ddplus.net
Sun, 12 Oct 2003 01:59:50 +0100



Hello Mono Team
 
I have developed an Open Source Asp.Net Security Analyser for IIS and was
interested to know if it works on your platform (see more details
below).
 
The security tool attempts to exploit known vulnerabilities or
mis-configurations on the Windows implementation of the .Net Framework
1.1, and presents the results in a simple, effective and powerful way.
 
Since some of the serious vulnerabilities tested don't have a solution
in the current version of Microsoft's .Net Framework, it could be very
interesting if you could provide a 'secure' alternative to Microsoft's
current hosting solution (based on IIS 6.0 or IIS 5.0)
 
Do you have any ISP that currently has your hosting environment
configured? Does any ISP have plans to offer services based on your
application?
 
Thanks for your time, and congratulations for the work you are doing.
 
Best regards

Dinis Cruz
.Net Security Consultant
DDPlus (www.ddplus.net)
 
 
------------------------------------------------------------------------
Asp.Net Security Analyser (ANSA) is an Open Source, Windows based, online
tool, that tests the server's security for known vulnerabilities and
mis-configurations. The tool was initially designed to allow the
protection of ISPs that provide shared hosting services. You can
download the source code, use it in your servers and distribute it to
whoever you feel appropriate.
 
The project's objective is to create an Open Source tool that allows
system administrators (responsible for Windows based shared hosting
environments) to easily identify and solve existent security problems.
 
The current version is focused on identifying security vulnerabilities
such as: remote command execution, poor website isolation (i.e. the user
from website 'A' can see the data from website 'B'), disclosure of
sensitive information (such as usernames/passwords, running processes,
installed services), ability to do a server based port scan, etc.
 
Eventually the tool should evolve to an "Asp.Net Security Configuration
Tool" where it will also allow the SysAdmins to securely configure their
servers.
 
This project is currently hosted in a Workspace in GotDotNet
(www.gotdotnet.com) and this is the direct link to the project:
http://www.gotdotnet.com/Community/Workspaces/Workspace.aspx?id=36ae9a2c-8740-4b52-924e-320edf64fba5
(if this link doesn't work please visit this page
http://www.gotdotnet.com/community/workspaces/directory.aspx
and search for 'ANSA')

