The HP Security Laboratory Blog - All Comments

re: Take your %00 and shove it

matt wood — Fri, 06 Nov 2009 21:46:04 GMT

@Jericho. Absolutely, the results from google code are not guaranteed to be vulns. However its a pretty good way to find poor design decisions that use language API's insecurely.

So if your interested, as we were, about the most common ways developers fall prey to LFI, searching code is pretty helpful. Even if each specific search result isn't a vuln, the usage pattern is probably repeated plenty of times.

Social comments and analytics for this post

uberVU - social comments — Fri, 06 Nov 2009 07:24:35 GMT

This post was mentioned on Twitter by HP_AppSecurity: HP Security Center seeking to hire a Pen Tester...details and application information are available at http://bit.ly/1nSjoQ #jobs #security

re: Take your %00 and shove it

Jericho — Wed, 04 Nov 2009 20:03:35 GMT

Beware of the "grep and gripe" approach. This is why there are dozens of 'myth/fake' entries in OSVDB.org. It's easy to search for vulnerabilities with grep, but they are not always straight-forward.

Searching GoogleCode for vulnerabilities when it came out a while back, showed that searches for "vulnerability" or "security" could find interesting things as developers would comment their code.

re: %3c has always been a friend of mine

Martin Hall — Tue, 03 Nov 2009 17:34:55 GMT

%22

%2b

(those two can help in bypassing the basic aspx bracket filters).

Also some others of note

%00

and anything else that html can't usually render.

for example XML will have issues attempting to render



Most DB's can handle those but if the site takes the input from the DB unchecked it will fail at render time.

Social comments and analytics for this post

uberVU - social comments — Tue, 27 Oct 2009 10:06:24 GMT

This post was mentioned on Twitter by HP_AppSecurity: Top Five Web Application Vulnerabilities 10/12/09 - 10/25/09: http://bit.ly/2KWTyV #security #web

re: How to clean up a hacked WordPress installation

sd speicherkarten — Thu, 15 Oct 2009 04:12:46 GMT

Very nice post bro, I hope you could have posted it lill before to help me out of this situation… lol

Anyhow, I am sure it will be very helpful to some else who is stucked in such situation. Thanks for the useful post

re: 24 Hour Live Hacking Challenge

whips04r — Mon, 12 Oct 2009 04:22:05 GMT

Gah! I swear I did try debug as a GET parameter name, guess I forgot to check the HTML source :( Went so far as to install FirePHP ontop of FireBug with the hope that'd turn debug mode on. I hate you guys for making such a secure challenge :)

re: 24 Hour Live Hacking Challenge

matt wood — Fri, 09 Oct 2009 19:53:19 GMT

In order to pass the 8th level, you had a view the source code and read the HTML comments. The comments suggested there was a debug mode, the intuition here would have been to try requesting the page with some kind of debug mode enabled. This turned out to be enabled by just requesting the page with a query parameter named debug.

Unfortunately for your attempts to exploit the email system... the email address was only recorded once, the other times it was just kinda ignored :)

re: 24 Hour Live Hacking Challenge

whips04r — Fri, 09 Oct 2009 00:06:38 GMT

Am really interested to know how one would pass level 8! I saw a few peeps got it but all my attempts were in vain :( I had to resort to exploiting (seemingly existent) logic flaws in the scoring functionality whereby I hopefully overwrote the email address of some winners - am still waiting to receive my prize :)

re: Microsoft's ClickOnce Firefox add-on

Roberto — Sun, 04 Oct 2009 09:56:47 GMT

cool blog

re: %3c has always been a friend of mine

MichaelSchratt — Fri, 02 Oct 2009 08:58:31 GMT

Do not forget %25 :)

re: How to clean up a hacked WordPress installation

lilikindsli — Thu, 01 Oct 2009 09:32:11 GMT

dzbXi0 I want to say - thank you for this!

re: HTML 5 Form Tags a Risk?

lilikindsli — Thu, 01 Oct 2009 07:26:37 GMT

V3gbAY I want to say - thank you for this!

re: Is your .svn showing (like 3300 other sites)?

lilikindsli — Wed, 30 Sep 2009 14:20:04 GMT

aYHkm4 I want to say - thank you for this!

re: Two Emerging Trends in Web Application Security

software developers — Wed, 30 Sep 2009 10:49:26 GMT

Humm... interesting,

It is great that new technologies, exist on both client and server sides.

Thanks for writing about it