List: owasp-dotnet
Subject: [Owasp-dotnet] (IIS Metabase and Security tokens) fw: re: OWASP Conference Demo
From: "Dinis Cruz" <dinis () ddplus ! net>
Date: 2005-10-14 21:41:29
Message-ID: 5db051bc92244bda942b8d25c58d75fd () ddplus ! net
now without the attachment (since sourceforge is blocking zip files)
----------------------------------------
From: "Dinis Cruz" <dinis@ddplus.net>
Sent: 14 October 2005 17:37
To: Jeremy.W.Long@wellsfargo.com
Subject: re: OWASP Conference Demo
Hello Jeremy
Thanks for your kind comments,
The tools that I was using to see the tokens and the metabase were the Owasp ANBS (Asp.Net Baseline Analyzer) v0.55 which you can download from here: http://www.owasp.net/Downloads/tabid/54/Default.aspx (last one on the list).
Attached is the Proof of Concept for the IIS Security Token Vulnerability which I sent to Microsoft more than a year ago.
You might also find the videos (http://prdownloads.sourceforge.net/owasp/AppSec2004-Dinis_Cruz-Full_Trust_Videos.zip) and presentations from last year's owasp conference (http://prdownloads.sourceforge.net/owasp/)
Also read
- this thread for more details http://sourceforge.net/mailarchive/message.php?msg_id=12291340 and http://sourceforge.net/mailarchive/message.php?msg_id=12556189
- this post http://lists.netsys.com/pipermail/full-disclosure/2004-September/026732.html
Best regards
Dinis Cruz
Owasp .Net Project Leader
----------------------------------------
From: Jeremy.W.Long@wellsfargo.com
Sent: 14 October 2005 16:04
To: dinis@ddplus.net
Subject: OWASP Conference Demo
Hello,
I just got back from the OWASP Conference in DC and I wanted to say that your research on .NET is fascinating - I am looking forward to reading any papers you publish. I hope your negotiations with Microsoft go well.
I do have one question for you though - You were using a tool to harvest passwords and tokens from the IIS Metabase. What tool were you using and is it available?
Thanks,
Jeremy Long
Application Systems Engineer
Corporate Information Security - Code Review