The HP Security Laboratory
News of Michael Jackson's death blazes across the web--what if it were a hoax?
Over at the SEOmozBlog, Danny Dover has a really interesting post about how, and how fast, the news of Michael Jackson's death travelled across the web. I won't go through it here, but it's a fascinating read. Less than an hour after the...
Published 06-26-2009 5:59 PM by Chris Sullo. Filed under: malware, phishing
Uncharted Territories: the personal-corporate-social-web-mashup
Corporate web communications have grown from simple web pages to massive and complex applications. The security department has mostly kept up and maintained a secure perimeter—even when that perimeter included outsourced and vendor systems. Contracts...
Published 06-24-2009 3:19 PM by Chris Sullo. Filed under: security, hacked, policy, web application security
Top Five Web Application Vulnerabilities 6/08/09 - 6/23/09
1) F5 Networks FirePass SSL VPN Unspecified Cross-Site Scripting Vulnerability F5 Networks FirePass SSL VPN is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create...
Published 06-23-2009 7:04 PM by mark.painter. Filed under: information disclosure, Apache Tomcat, FireStats, F5 Networks FirePass SSL VPN, cross-site scripting, ModSecurity, remote file include
Hello darknets, my old friend...
Billy Hoffman and Matt Wood of the HP Web Security Research Group are generating serious heat with their upcoming BlackHat USA presentation which will detail their browser-based darknet. Articles on Dark Reading, Forbes.com, and Slashdot are just the...
Published 06-17-2009 6:31 PM by mark.painter. Filed under: blackhat usa, darknet
Top Five Web Application Vulnerabilities 5/26/09 - 6/07/09
1) Sun Java System Web Server Reverse Proxy Plug-in Cross-Site Scripting Vulnerability Sun Java System Web Server is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies...
Published 06-08-2009 7:06 PM by mark.painter. Filed under: SQL Injection, cross-site scripting, PHP-Nuke, IBM FileNet Content Manager, Sun Java System Web Server, Apache Tomcat, phpBugTracker
Talking Headers: Part 3: The Fun
In Part 1 of the series on interesting headers, I talked about leaking hostnames. In Part 2, it was PHP errors. In Part 3 I bring you... the funny stuff. Not funny, like how Mark McGwire's rookie card is now $5 on ebay compared to the hundreds it...
Published 06-08-2009 12:29 PM by Chris Sullo. Filed under: Research, HTTP, Headers, humor
Schneier on security in the age of cloud computing
Bruce Schneier offers a great perspective on why security is even more important in the age of cloud computing. As the expression goes, three can keep a secret if two of them are dead. In a nutshell, cloud computing forces you to increase the number of...
Published 06-04-2009 4:03 PM by mark.painter. Filed under: security, cloud computing, bruce schneier
Talking Headers: Part 2
While my rookie Mark McGwire cards aren't appreciating at all, my header collection is. Check these actual headers out: php warning: Unknown(): Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20020429/mysql.so'...
Published 06-03-2009 1:30 PM by Chris Sullo. Filed under: Research, HTTP, Headers, PHP
Hacking has evolved
This is a great article about the value of a hacked PC to an attacker. While this focuses on personal PCs, all of these reasons can also apply to compromised web servers. Remember, web hacking has evolved. Script kiddies began by defacing web sites and...
Published 06-02-2009 2:22 PM by mark.painter. Filed under: web application security, hackers
Instant High Score!
One of our security researchers just happened to stumble across this interesting Highscores area of a free Flash skeet shooting game. Notice scores 6-10. Now I'm not saying he had anything to do with this. What I am saying is that if your query parameters...
Published 05-29-2009 5:49 PM by mark.painter. Filed under: web application security, hackers
Talking Headers: Part 1
Some people collect coins, DVDs or comic books. Others collect cars or Star Wars toys. Among other things, I like to collect HTTP headers. They take up a lot less space than cars, and can have a much higher return value than Mark McGwire's rookie...
Published 05-29-2009 2:58 PM by Chris Sullo. Filed under: Research, HTTP, Headers
Social Insecurity
Not too long ago, one could trust the big corporate names to run clean websites. You had to go surfing down some shady back alleys of the web to expose yourself to malware. Those were the naïve days of the pre-adolescent internet, when firewalls...
Published 05-28-2009 8:57 PM by todd.densmore. Filed under: malware, security, social networks
Top Five Web Application Vulnerabilities 5/12/09 - 5/25/09
1) Novell GroupWise WebAccess Multiple Security Vulnerabilities Novell GroupWise WebAccess is susceptible to multiple vulnerabilities including Cross-Site Scripting and issues of security restriction bypass. Attackers who successfully exploit these vulnerabilities...
Published 05-27-2009 3:16 PM by mark.painter. Filed under: XSS, phpMyAdmin, top five web application vulnerabilities, PHPCode Injection, Sun Java System Communications Express, Sun Java System Portal Server, Novell GroupWise WebAccess
The Internet is an unsafe place
Two recent studies have cast some light on the current state of web application security. How bad is it out there? Bad. 82% of web sites had either a Critical, High, or Urgent vulnerability within the past calendar year, with Cross-Site Scripting being...
Published 05-22-2009 3:36 PM by mark.painter. Filed under: hackers, cross-site scripting, Application Management Lifecycle, ALM
Microsoft's ClickOnce Firefox add-on
With Firefox, I just went to download a certain new version 2.0 web browser and was surprised that after hitting the license accept button Firefox started up an installer, downloaded the application and installed it without any prompts or questions...
Published 05-22-2009 2:35 PM by Chris Sullo. Filed under: security, Firefox, Microsoft, browser