ASP.NET MVC – XSS and AutoBind vulns in MVC Example

A while back (while in the middle of the research that lead to the publishing of the Security Vulnerabilities in the Spring Framework Model View Controller) I decided to check out if the (still in beta) ASP.NET MVC framework was vulnerable to it.

At first quick analysis it looks vulnerable to the AutoBinding issue (and also to XSS), so here is my draft research notes as download file ASP.NET MVC - XSS and AutoBind vulns in MVC).

Please let me know if I am missing something obvious, or maybe there is something on the new version that prevents this:
Some MVC related links:

• latest blog post from Scott G http://weblogs.asp.net/scottgu/archive/2008/09/02/asp-net-mvc-preview-5-and-form-posting-scenarios.aspx
• Download latest version: http://www.codeplex.com/aspnet/Release/ProjectReleases.aspx?ReleaseId=16775
• http://blog.codeville.net/2007/12/19/aspnet-mvc-prevent-xss-with-automatic-html-encoding/
• http://www.asp.net/mvc/

OWASP NYC Conference 2008

Just returned to London from the OWASP NYC Conference and as always it was a great experience (this was the biggest OWASP conference so far)

In addition to participating on the keynote speech, I delivered two presentations: OWASP Summit 2008 and 'Building a tool for Security consultants: A story of a customized source code'.

This last presentation was a variation of my previous two posts (OunceLabs releases my research tools under an Open Source License... , So what can I do with O2) and the questions I had after the presentation plus the multiple positive comments/conversations, tell me that the message that I wanted to pass was well understood and received (here is a blog post with a outline of the presentation and here is blog post that provide a good description of what wanted to say: OWASP NYC AppSec 2008 and NYSec Recap )

So what can I do with O2?

In my first post (http://diniscruz.blogspot.com/2008/09/ouncelabs-releases-my-research-tools.html) I explained why I created O2 and how it fits in Ounce’s world. In this post I will delve into what O2 allows me to do and how it revolutionized the way I perform source code security assessments.

It is probably better if I first explain how I approach these types of projects so that I can them show how O2 first perfectly into it.

This is the way I view these security assessments: There is a client who is paying me to review their web application for issues that might have business impact, where I am also expected to help to identify the underlying root causes of the issues discovered and provide assistance with the possible remediation paths. The client usually looks at me for guidance on what I need to do my job, and expects in return objective answers.

OunceLabs releases my research tools under an Open Source license (it’s called O2 and is hosted at CodePlex

Hello, as you probably know I have been consulting with OunceLabs (http://www.ouncelabs.com) for the past 18 Months, and on the last 9 months I have been deeply involved on an internal project which I am very excited about and is now going to be released under an Open Source license (go Ounce!!!)

One of my tasks at OunceLabs was to make their technology 'Work' from the point of view of an advanced security consultant (like me). By 'Work' I mean create a model that uses (sorry for the cliché) People + Process + Ounce Technology whereby the later (Ounce Technology) is used throughout an entire engagement (versus the current model where it is mainly used at the beginning of the engagement or to perform specific analysis).