The HP Security Laboratory Blog

Top Five Web Application Vulnerabilities 10/27/09 - 11/8/09

mark.painter — Mon, 09 Nov 2009 20:29:00 GMT

1) HP Power Manager Management Web Server Login Remote Code Execution Vulnerability HP Power Manager is susceptible to a remote code execution vulnerability via the login form of the web based management web server due to improper bounds-checking of user...(read more)

Now Hiring: HP Security Center Pen Tester

mark.painter — Thu, 05 Nov 2009 18:40:00 GMT

HP is looking for a qualified Sr. Application Security Consultant that has deep Application Security experience. Consultant should have experience with performing Web Application Assessments, Network Penetration Testing, and be capable of manually exploiting...(read more)

Take your %00 and shove it

matt wood — Wed, 04 Nov 2009 11:05:00 GMT

We've recently been optimizing our Local File Inclusion (LFI) audit engine. Part of that effort has included poking around in different frameworks (php, .NET, java, ruby/rails, python, perl... etc) and seeing how many ways a developer might fall prey...(read more)

HP Application Security Center at OWASP DC 11/11-13

mark.painter — Tue, 03 Nov 2009 21:26:00 GMT

The HP Application Security Center has several presentations at the upcoming OWASP Global Summit In Washington, DC. Ryan English, Rafal Los, Dennis Hurst and Kim Dinerman will all be there. More information about the summit can be found here: OWASP Global...(read more)

WebInspect Tips: Changing settings to improve scans

todd.densmore — Wed, 28 Oct 2009 19:41:00 GMT

Although running WebInspect with ‘out of the box’ scans settings might be the easiest way to start a scan, it is almost sure to produce unexpected results. Configuring any web application scanner is tricky, but by following these simple steps...(read more)

Top Five Web Application Vulnerabilities 10/12/09 - 10/25/09

mark.painter — Mon, 26 Oct 2009 21:11:00 GMT

1) TYPO3 Core Multiple Vulnerabilities TYPO3 is susceptible to multiple remote vulnerabilities including SQL-injection, Cross-Site Scripting, information disclosure, frame and session hijacking, and shell-command-execution issues. Each of these issues...(read more)

Organizations are not adequately protecting E-health records

mark.painter — Fri, 23 Oct 2009 20:09:00 GMT

The American Recovery and Reinvestment Act of 2009 (aka the stimulus package) included funds to both implement electronic health records and rules to specifically improve personal health information breach notification rules. It’s ironic, then,...(read more)

Top Five Web Application Vulnerabilities 9/28/09 - 10/11/09

mark.painter — Mon, 12 Oct 2009 20:12:00 GMT

1) Juniper Networks JUNOS J-Web Multiple Cross-Site Scripting And HTML Injection Vulnerabilities Juniper Networks JUNOS is susceptible to multiple Cross-Site Scripting and HTML Injection vulnerabilities. Successful exploitation of these vulnerabilities...(read more)

85% of IT security decision makers think successful external attacks very unlikely

mark.painter — Fri, 09 Oct 2009 19:19:00 GMT

A new report this week from ITC reveals that eighty-five percent of IT security decision makers think that losing data via an external threat is "very unlikely." Wow. Once upon a time, anyone involved in application security had a need to educate...(read more)

Budget pressures still leading to increased risks

mark.painter — Mon, 05 Oct 2009 19:21:00 GMT

The Independent Oracle Users Group (IOUG) just released a database security survey of their members. As we've recently seen a lot, budget pressures are once again leading to increased risks. Organizations know there is a problem, understand it's...(read more)

Top Five Web Application Vulnerabilities 9/14/09 - 9/27/09

mark.painter — Mon, 28 Sep 2009 20:43:00 GMT

1) Novell GroupWise WebAccess Cross-Site Scripting Vulnerability Novell GroupWise WebAccess is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage this vulnerability to execute script code in the browser of an unsuspecting user...(read more)

60% of Internet attacks now conducted against web applications

mark.painter — Fri, 25 Sep 2009 14:57:00 GMT

New studies have gone a long way in confirming that certain web application security trends are accelerating. The SANS Top Cyber Security Risks report reveals that a full 60% of Internet attacks are now conducted against web applications. It's no...(read more)

Is your .svn showing (like 3300 other sites)?

Chris Sullo — Thu, 24 Sep 2009 15:13:00 GMT

TechCrunch has an article (pointing back to a Russian security company blog post (translated link)), detailing a scan of 2,253,388 web sites which yielded an amazing 3,320 Subversion's .svn directories. In case you're you're not familiar with...(read more)

%3c has always been a friend of mine

billyhoffman — Thu, 17 Sep 2009 15:59:00 GMT

Ask a developer what's the ASCII code of "A" and most should be able to tell you 65. The good ones will tell you 0x41. If you ask them they should be able to tell you some more off the top of their head. Space... 32, quote... 34, "a"...(read more)

HTML 5 Form Tags a Risk?

Chris Sullo — Thu, 17 Sep 2009 14:01:00 GMT

I've tried to keep up with new HTML 5 features, but Billy recently pointed out that INPUT tags have the ability to set regular expression patterns for validation directly in the markup. I think this is nifty and, at least in the demo I tried , a very...(read more)