The HP Security Laboratory Blog
SSLv3/TLS Renegotiation Stream Injection
On Thursday, 11/5/09, a few folks on the IETF mailing list went public with a limited Man-in-the-Middle attack on SSLv3 and TLS. There has been quite a bit of press coverage on this issue's severity. However, the way this attack can be...
Published 11-16-2009 11:00 AM by matt wood. Filed under: Research, TLS, SSLv3, MitM.
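The post's teaser stops before explaining what "stream injection" means at the application layer. The following is an added example, not code from the HP post or from the researchers who disclosed the flaw: it models the attacker's partial HTTPS request being followed, on the same server connection, by the victim's renegotiated session, and shows what a server-side HTTP parser makes of the concatenated bytes. The request lines, the `bank.example` host, and the `X-Ignore` header name are constructed for illustration.

```python
"""Added example (not from the HP post): the application-layer effect of
the 2009 TLS renegotiation flaw. The attacker holds an HTTPS session to
the server, sends a partial request, then lets the server renegotiate
with the real client over the same TCP connection. The attacker cannot
read the client's bytes, but the server's HTTP layer sees one continuous
stream, so the client's request (cookies included) is glued onto the
attacker's unterminated header. All bytes below are constructed."""

from typing import Dict

# Attacker's plaintext, sent before renegotiation. The last line is a
# header with no terminating CRLF, so whatever follows becomes its value.
ATTACKER_PREFIX = (
    b"GET /account/transfer?to=attacker&amount=1000 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore: "
)

# The victim's own request, delivered after its handshake completes.
VICTIM_REQUEST = (
    b"GET /account/balance HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=victim-session-token\r\n"
    b"\r\n"
)


def server_view(prefix: bytes, victim: bytes) -> bytes:
    """The server's HTTP layer reads one socket and, with nothing binding the
    two TLS sessions together, cannot tell where the attacker's data ends
    and the victim's begins."""
    return prefix + victim


def parse_request(stream: bytes) -> Dict[str, object]:
    """Minimal HTTP/1.x parser: first request line plus headers up to the
    first blank line. Enough to show what the server would act on."""
    head, _, _ = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode()] = value.strip().decode()
    return {"method": method.decode(), "target": target.decode(), "headers": headers}


def injected_request() -> Dict[str, object]:
    """The single request the server acts on after the splice: the attacker's
    request line, authenticated by the victim's cookie."""
    return parse_request(server_view(ATTACKER_PREFIX, VICTIM_REQUEST))


if __name__ == "__main__":
    req = injected_request()
    print(req["method"], req["target"])
    print("authenticated as:", req["headers"].get("Cookie"))
```

The victim's own request line disappears into the value of `X-Ignore`, while the victim's `Cookie` header is attached to the attacker's request. The attacker never decrypts anything; the server does the damage by treating two sessions as one byte stream. The fix that later shipped, the renegotiation-indication extension (RFC 5746), cryptographically binds a renegotiation to the session it continues so the server can refuse exactly this splice.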
Top Five Web Application Vulnerabilities 10/27/09 - 11/8/09
1) HP Power Manager Management Web Server Login Remote Code Execution Vulnerability HP Power Manager is susceptible to a remote code execution vulnerability via the login form of the web based management web server due to improper bounds-checking of user...
Published 11-09-2009 8:29 PM by mark.painter. Filed under: SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery.
Now Hiring: HP Security Center Pen Tester
HP is looking for a qualified Sr. Application Security Consultant that has deep Application Security experience. Consultant should have experience with performing Web Application Assessments, Network Penetration Testing, and be capable of manually exploiting...
Published 11-05-2009 6:40 PM by mark.painter. Filed under: Pen Tester.
Take your %00 and shove it
We've recently been optimizing our Local File Inclusion (LFI) audit engine. Part of that effort has included poking around in different frameworks (php, .NET, java, ruby/rails, python, perl... etc) and seeing how many ways a developer might fall prey...
Published 11-04-2009 11:05 AM by matt wood. Filed under: PHP, Null Byte, Audit Engines, Local File Inclusion, LFI, %00 byte.
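The teaser names the bug class (LFI via a %00 byte) without showing the code shape an audit engine is looking for. The following is an added example, not code from the HP post or from any of the frameworks it mentions: a page loader in its naive form, which concatenates user input with a fixed suffix, beside a hardened resolver. The `templates` directory, the `.tpl` suffix and the page names are constructed for illustration.

```python
"""Added example (not code from the HP post): a template/page loader of the
kind an LFI audit exercises, in its naive and hardened forms. The naive
version glues user input to a fixed suffix; "../" traversal defeats it in
any runtime, and a NUL (%00) byte defeats it in runtimes whose file API
truncates the name at the first NUL, as older PHP did. BASE_DIR and the
page names are constructed for illustration."""

import os
import re

# Constructed sandbox: the only directory pages may be loaded from.
BASE_DIR = os.path.realpath("templates")
PAGE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UnsafePageName(ValueError):
    """Raised by the hardened resolver for any input it will not open."""


def naive_page_path(page: str) -> str:
    """Vulnerable on purpose: the developer trusts the ".tpl" suffix to pin
    the file type. A runtime that stops at NUL never sees the suffix, and
    "../" walks out of BASE_DIR regardless of the suffix."""
    return os.path.join(BASE_DIR, page + ".tpl")


def safe_page_path(page: str) -> str:
    """Hardened: allow-list the token, then prove the resolved path stays
    under BASE_DIR. The regex rejects NUL, "/", "\\", "." and "%", so
    neither traversal nor null-byte truncation can reach the open() call."""
    if "\x00" in page:
        raise UnsafePageName("NUL byte in page name")
    if not PAGE_NAME.fullmatch(page):
        raise UnsafePageName("page name must match [A-Za-z0-9_-]{1,64}")
    candidate = os.path.realpath(os.path.join(BASE_DIR, page + ".tpl"))
    # realpath collapses ".." and follows symlinks, so a symlinked template
    # that points outside the directory is caught here as well.
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise UnsafePageName("resolved path escapes BASE_DIR")
    return candidate


def escapes_base(path: str) -> bool:
    """True if a NUL-free path, once normalised, lies outside BASE_DIR."""
    return os.path.commonpath([BASE_DIR, os.path.realpath(path)]) != BASE_DIR


def rejected(page: str) -> bool:
    """Does the hardened resolver refuse this page name?"""
    try:
        safe_page_path(page)
    except UnsafePageName:
        return True
    return False


if __name__ == "__main__":
    for name in ["index", "../../../../etc/passwd", "index\x00"]:
        print(repr(name), "naive ->", repr(naive_page_path(name)),
              "| hardened rejects:", rejected(name))
```

The point of the allow-list is that it makes the suffix argument unnecessary: a name that cannot contain a separator, a dot or a NUL cannot reach a different file no matter how the underlying runtime handles the string. The realpath check is the belt to that pair of braces, and it is the one that still holds when the template directory itself contains a symlink.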
HP Application Security Center at OWASP DC 11/11-13
The HP Application Security Center has several presentations at the upcoming OWASP Global Summit in Washington, DC. Ryan English, Rafal Los, Dennis Hurst and Kim Dinerman will all be there. More information about the summit can be found here: OWASP Global...
Published 11-03-2009 9:26 PM by mark.painter. Filed under: OWASP, SANS, Dennis Hurst, Caleb Sima, Matt Wood.
WebInspect Tips: Changing settings to improve scans
Although running WebInspect with ‘out of the box’ scan settings might be the easiest way to start a scan, it is almost sure to produce unexpected results. Configuring any web application scanner is tricky, but by following these simple steps...
Published 10-28-2009 7:41 PM by todd.densmore. Filed under: WebInspect, Web Application Security.
Top Five Web Application Vulnerabilities 10/12/09 - 10/25/09
1) TYPO3 Core Multiple Vulnerabilities TYPO3 is susceptible to multiple remote vulnerabilities including SQL-injection, Cross-Site Scripting, information disclosure, frame and session hijacking, and shell-command-execution issues. Each of these issues...
Published 10-26-2009 9:11 PM by mark.painter. Filed under: SQL Injection, Cross-Site Scripting, HTML Injection.
Organizations are not adequately protecting E-health records
The American Recovery and Reinvestment Act of 2009 (aka the stimulus package) included funds to both implement electronic health records and rules to specifically improve personal health information breach notification rules. It’s ironic, then,...
Published 10-23-2009 8:09 PM by mark.painter. Filed under: HIPAA, Personal Health Information, breach, e-health records.
Top Five Web Application Vulnerabilities 9/28/09 - 10/11/09
1) Juniper Networks JUNOS J-Web Multiple Cross-Site Scripting And HTML Injection Vulnerabilities Juniper Networks JUNOS is susceptible to multiple Cross-Site Scripting and HTML Injection vulnerabilities. Successful exploitation of these vulnerabilities...
Published 10-12-2009 8:12 PM by mark.painter. Filed under: Cross-Site Scripting, HTML Injection.
85% of IT security decision makers think successful external attacks very unlikely
A new report this week from ITC reveals that eighty-five percent of IT security decision makers think that losing data via an external threat is "very unlikely." Wow. Once upon a time, anyone involved in application security had a need to educate...
Published 10-09-2009 7:19 PM by mark.painter. Filed under: Web Application Security, hackers.
Budget pressures still leading to increased risks
The Independent Oracle Users Group (IOUG) just released a database security survey of their members. As we've recently seen a lot, budget pressures are once again leading to increased risks. Organizations know there is a problem, understand it's...
Published 10-05-2009 7:21 PM by mark.painter. Filed under: breach.
Top Five Web Application Vulnerabilities 9/14/09 - 9/27/09
1) Novell GroupWise WebAccess Cross-Site Scripting Vulnerability Novell GroupWise WebAccess is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage this vulnerability to execute script code in the browser of an unsuspecting user...
Published 09-28-2009 8:43 PM by mark.painter. Filed under: SQL Injection, Cross-Site Scripting, HTML Injection, OSSIM.
60% of Internet attacks now conducted against web applications
New studies have gone a long way in confirming that certain web application security trends are accelerating. The SANS Top Cyber Security Risks report reveals that a full 60% of Internet attacks are now conducted against web applications. It's no...
Published 09-25-2009 2:57 PM by mark.painter. Filed under: SQL Injection, Cross-Site Scripting, SANS.
Is your .svn showing (like 3300 other sites)?
TechCrunch has an article (pointing back to a Russian security company's blog post (translated link)) detailing a scan of 2,253,388 web sites which yielded an amazing 3,320 exposed Subversion .svn directories. In case you're not familiar with...
Published 09-24-2009 3:13 PM by Chris Sullo.
%3c has always been a friend of mine
Ask a developer what the ASCII code of "A" is and most should be able to tell you 65. The good ones will tell you 0x41. If you ask them, they should be able to tell you some more off the top of their head. Space... 32, quote... 34, "a"...
Published 09-17-2009 3:59 PM by billyhoffman.
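The title gives away why the hex code of "<" (0x3c) matters to an attacker: it is the form of the character that a filter looking for the literal "<" does not match. The following is an added example, not code from the HP post: it pairs the code-point lookup the teaser describes with a naive angle-bracket blocklist applied before and after percent-decoding, including the double-encoding case where the backend decodes once more than the filter does. The filter, the decode-round counts and the inputs are constructed for illustration.

```python
"""Added example (not from the HP post): why the hex code of "<" matters
to both sides. A blocklist that inspects a parameter before the framework
percent-decodes it never sees the "<" the application sees, and a filter
that decodes once still misses a payload encoded twice when a later layer
decodes again. Inputs are constructed for illustration."""

from typing import Dict, Optional, Tuple
from urllib.parse import unquote


def code_points(chars: str) -> Dict[str, Tuple[int, str]]:
    """Decimal and hex for each character, the values the post expects a
    good developer to know cold (A: 65/0x41, space: 32, '<': 60/0x3c)."""
    return {c: (ord(c), f"0x{ord(c):02x}") for c in chars}


def percent_encode(s: str) -> str:
    """Encode every character, not just the reserved ones; attackers use
    this to hide the characters a filter is looking for."""
    return "".join(f"%{ord(c):02x}" for c in s)


def blocklist_hit(value: str) -> bool:
    """A naive XSS filter: refuse anything containing an angle bracket."""
    return "<" in value or ">" in value


def filter_before_decode(raw: str) -> Optional[str]:
    """Wrong order: the filter runs on the raw query string, then the
    framework decodes for the application. Returns the value the
    application would receive, or None if the filter blocked it."""
    if blocklist_hit(raw):
        return None
    return unquote(raw)


def filter_after_decode(raw: str, filter_rounds: int = 1,
                        backend_rounds: int = 1) -> Optional[str]:
    """Filter after decoding filter_rounds times; the backend then decodes
    backend_rounds times in total. When backend_rounds > filter_rounds a
    double-encoded payload (%253c -> %3c -> <) slips through."""
    seen_by_filter = raw
    for _ in range(filter_rounds):
        seen_by_filter = unquote(seen_by_filter)
    if blocklist_hit(seen_by_filter):
        return None
    seen_by_app = raw
    for _ in range(backend_rounds):
        seen_by_app = unquote(seen_by_app)
    return seen_by_app


if __name__ == "__main__":
    print(code_points("A <"))
    payload = "%3cscript%3e"
    print("filter before decode:", filter_before_decode(payload))
    print("filter after decode: ", filter_after_decode(payload))
    twice = "%253cscript%253e"
    print("double-encoded, backend decodes twice:",
          filter_after_decode(twice, filter_rounds=1, backend_rounds=2))
```

The only robust position for a filter is the one that sees exactly the bytes the application will see, which in practice means validating after the last decoding step, or encoding output on the way out rather than trusting input blocklists at all.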