The HP Security Laboratory Blog

  • Finding SQL Injection with Scrawlr

    You have likely been tracking the mass SQL Injections that are currently sweeping through the net. Just last night I was shopping on www.ihomeaudio.com when I noticed they had been injected (they have since fixed their site). HP started to observe these...
  • Exposing Flash Application Vulnerabilities with SWFScan

    After months of hard work and late caffeine-fueled nights, HP’s Web Security Research Group is proud to release HP SWFScan. HP SWFScan is a free Windows-based security tool to help developers find and fix security vulnerabilities in applications developed...
  • Jikto in the wild

    It appears that the source code to Jikto is in the wild. I suppose it was only a matter of time, even though, as you will see, SPI went to extreme steps to prevent this from happening. As my Shmoocon presentation slides discuss, Jikto bypasses the "Same...
    Published 04-02-2007 12:19 PM by Billy
  • SPI Labs advises avoiding iPhone feature

    The Apple iPhone’s Safari web browser has a special feature that allows the user to dial any phone number displayed on a web page simply by tapping the number. SPI Labs has discovered that this feature can be exploited by attackers to perform various...
    Published 07-16-2007 3:40 PM by Billy
  • IE7 - Phishing vs. Privacy

    Today I was testing WebInspect on my newly installed version of Vista with IE7 and found something startling. When running a browser through a proxy you can see SOAP requests being made to Microsoft as you hit each page. Here is what the requests look...
  • Speaking at Shmoo

    I’m really excited to be speaking at Shmoocon again and especially excited about my presentation this Saturday at 1pm. Javascript Malware for a Gray Goo Tomorrow focuses on the increased scope of damage caused by Cross-Site Scripting (XSS) vulnerabilities...
    Published 03-22-2007 5:05 PM by Billy
  • Ajax Webcast Questions

    Please post any questions/comments/discussions you have with our Ajax (in)security webcast here and I'll do my best to answer them here. For those who haven't seen the WebCast yet, you can get there by going here: https://download.spidynamics...
    Published 10-13-2006 1:30 PM by Billy
  • Xbox Live: The "Roach Motel" of Personal Information

    Now I know I'm a bit behind the curve, but I finally got around to purchasing an Xbox Live Gold membership so I could see how bad I really am at Gears of War. For a brief moment, I felt like Private Pyle from "Full Metal Jacket" cleaning...
  • XSS+phishing in Italian bank hack

    Netcraft is reporting today about a phishing attack leveraging XSS against an Italian bank. From the article (emphasis mine) An extremely convincing phishing attack is using a cross-site scripting vulnerability on an Italian Bank's own website to...
    Published 01-10-2008 11:43 AM by Billy
  • Digging into ASP.NET RegEx Validators

    RegEx Validators are handy for implementing Whitelist input validation (our DevInspect product has a library of a hundred or so) so it pays to see what they actually do under the covers. The following code is from the class System.Web.UI.WebControls.RegularExpressionValidator...
    Published 11-20-2007 2:01 PM by Billy
  • XSS+Ajax worm attacking Yahoo mail users

    At the beginning of the week, Yahoo was attacked by a worm that propagates using nothing but JavaScript and Ajax. I've been giving interviews to the press all day and talked with the FBI about the worm, so let me take a moment to fill you all in....
    Published 06-13-2006 4:58 PM by Billy
  • SQL Injecting Microsoft Access

    It is widely believed that retrieving data from a Microsoft Access database using SQL Injection is more difficult than more robust databases such as MySQL or SQL Server. There are two reasons for this misconception. First, widely employed “Convert/cast...
  • IE's Bookmarklet limits create privacy risk

    Bookmarklets are awesome! They are similar to regular bookmarks, but instead of having a normal URL like http:// they use javascript:. This means when you click on the bookmarklet JavaScript code runs. Some common examples of bookmarklets include...
    Published 01-02-2007 4:09 PM by Billy
  • HP SWFScan FAQ

    What is HP SWFScan? HP SWFScan is a free (as in beer) Flash security tool. The tool decompiles and audits applications written for the Flash platform. How do you pronounce HP SWFScan? HP “SwiffScan” Who developed this [censored]ing awesome security tool...
  • Microsoft's ClickOnce Firefox add-on

    With Firefox, I just went to download a certain new version 2.0 web browser and was surprised that after hitting the license accept button Firefox started up an installer, downloaded the application and installed it without any prompts or questions...