[SCIP] Indentify, Enumerate & Execute Invisible ASP.net Controls

SCIP is an OWASP ZAP extension designed to assess the security of ASP.net and Mono applications, while abusing platform specific behaviors and misconfigurations. 
The extension currently supports the following features: 

Identify the existence of invisible, commented and disabled server side web controls in ASP.net – passively (!). Identify which ASP.net security configuration is active in each page (EventValidation, MAC), and in which cases the invisible controls are exploitable – passively (!) 
Enumerate the names of invisible controls using built-in customizable dictionaries with ASP.net naming conventions.  Rebuild the event validation whenever possible (MAC=off)
Execute invisible controls when either one of the security features is turned OFF, or when there is a server-side callback implementation flaw.  Execute disabled controls and commented out controls regardless of security Support additional manual techniques for executing controls despite the security features.
The extension can be obtained from the project’s website or from ZAP’s built-in marketplace feature: 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s