Monday 8 October 2012

Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform

Michael Hidalgo wrote this great article on using O2 to exploit an overposting (i.e. auto-binding) vuln in an ASP.NET MVC demo app: Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform

As you may notice, that was posted on CodeProject.com, which has always been a good source of technical content for me (although not a site I would use every day). That said, I'm starting to like the new version of http://codeproject.com and this could be a great place to post O2-related technical articles.

On the ASP.NET MVC topic, if you are interested, here are a couple of related posts:

The next step is to see how we can write SAST rules (maybe executed by Cat.NET) to find these issues on the source code.
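As an added illustration (my own constructed code, not from Michael's article or from the O2 Platform), here is the overposting pattern such a rule would need to recognise: an ASP.NET MVC action that binds a domain object straight from the request, beside a version that only binds the fields the form is meant to set. The `User` type, `ProfileController` and `_repo` are assumptions.

```csharp
// Constructed example of an overposting (auto-binding) weakness in ASP.NET MVC.
using System.Web.Mvc;

public class User
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }   // assumption: only ever set by an administrator
}

public interface IUserRepository { void Save(User user); }   // assumed persistence layer

public class ProfileController : Controller
{
    private readonly IUserRepository _repo;
    public ProfileController(IUserRepository repo) { _repo = repo; }

    // VULNERABLE: the default model binder fills every settable property of User
    // from the posted form, so a request carrying IsAdmin=true is silently honoured.
    // A SAST rule can flag this shape: an action parameter whose type has
    // sensitive properties and no binding allow-list.
    [HttpPost]
    public ActionResult Update(User user)
    {
        _repo.Save(user);
        return RedirectToAction("Index");
    }

    // HARDENED: only the properties named in the allow-list are bound from the
    // request; IsAdmin (and Id) stay whatever the application sets them to.
    [HttpPost]
    public ActionResult UpdateSafe([Bind(Include = "Name,Email")] User user)
    {
        _repo.Save(user);
        return RedirectToAction("Index");
    }

    // Equivalent allow-listing when the object is loaded first and then updated.
    [HttpPost]
    public ActionResult UpdateExisting(int id)
    {
        var user = new User { Id = id };                    // assumption: loaded from storage
        TryUpdateModel(user, new[] { "Name", "Email" });    // includeProperties allow-list
        _repo.Save(user);
        return RedirectToAction("Index");
    }
}
```

A dedicated view model exposing only Name and Email is the cleaner fix; the allow-list forms above are the minimal change a rule could suggest.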

I really don't have hard numbers, but I will bet that the number of ASP.NET apps vulnerable is really high (just like what happens with the Spring Framework MVC).