The HP Security Laboratory Blog - All Comments

re: SSLv3/TLS Renegotiation Stream Injection

chris sullo — Mon, 16 Nov 2009 16:44:54 GMT

Twitter usernames & passwords were gathered via this bug in a real-world exploit.

www.securityfocus.com/.../11564

re: Take your %00 and shove it

Jeff Williams — Wed, 11 Nov 2009 18:32:24 GMT

For Java, you can try the SafeFile class available in the ESAPI library, which prevents null-byte injection.

re: WebInspect Tips: Changing settings to improve scans

todd.densmore — Mon, 09 Nov 2009 21:33:27 GMT

@Varun

Can you give me more details about your problem? Does your IT department require a connection through a proxy? Step 4 of the Scan Wizard allows the configuration of a web proxy, which might be needed in your case. If you need more general WebInspect support, please feel free to call our support hotline:

1. Call 1-800-633-3600.

2. Select option #2 for Software.

3. Enter your SAID (Service Agreement ID) followed by #.

4. Select option #1 for Enterprise Application Software.

5. Select option #5 for Application Security Center

re: WebInspect Tips: Changing settings to improve scans

whips04r — Mon, 09 Nov 2009 01:22:57 GMT

Man Farsi ra sohbet khardoom ;)

Always wise to ommitt the Form/Field that changes an Account's password from the FormValues File. Using the default FormValues is always a risky thing to do, I never do it on Production. And keep in mind the 'Default' value will be used for any field that isn't specified within the file!

re: HP Application Security Center at OWASP DC 11/11-13

E-Learning in Information Security — Sat, 07 Nov 2009 06:59:48 GMT

Thanks for the great information.

I really enjoy reading your blog, it is very useful for us.

re: Take your %00 and shove it

matt wood — Fri, 06 Nov 2009 21:46:04 GMT

@Jericho. Absolutely, the results from google code are not guaranteed to be vulns. However its a pretty good way to find poor design decisions that use language API's insecurely.

So if your interested, as we were, about the most common ways developers fall prey to LFI, searching code is pretty helpful. Even if each specific search result isn't a vuln, the usage pattern is probably repeated plenty of times.

re: WebInspect Tips: Changing settings to improve scans

varun.asok@oracle.com — Fri, 06 Nov 2009 09:37:36 GMT

Hi,

i'm getting an error while using this web inspect. its an intranet site ssl based. the error which i'm getting is "The request was canceled by Web Proxy". Wat is the proxy should i set. ?

Social comments and analytics for this post

uberVU - social comments — Fri, 06 Nov 2009 07:24:35 GMT

This post was mentioned on Twitter by HP_AppSecurity: HP Security Center seeking to hire a Pen Tester...details and application information are available at http://bit.ly/1nSjoQ #jobs #security

re: Take your %00 and shove it

Jericho — Wed, 04 Nov 2009 20:03:35 GMT

Beware of the "grep and gripe" approach. This is why there are dozens of 'myth/fake' entries in OSVDB.org. It's easy to search for vulnerabilities with grep, but they are not always straight-forward.

Searching GoogleCode for vulnerabilities when it came out a while back, showed that searches for "vulnerability" or "security" could find interesting things as developers would comment their code.

re: %3c has always been a friend of mine

Martin Hall — Tue, 03 Nov 2009 17:34:55 GMT

%22

%2b

(those two can help in bypassing the basic aspx bracket filters).

Also some others of note

%00

and anything else that html can't usually render.

for example XML will have issues attempting to render



Most DB's can handle those but if the site takes the input from the DB unchecked it will fail at render time.

Social comments and analytics for this post

uberVU - social comments — Tue, 27 Oct 2009 10:06:24 GMT

This post was mentioned on Twitter by HP_AppSecurity: Top Five Web Application Vulnerabilities 10/12/09 - 10/25/09: http://bit.ly/2KWTyV #security #web

re: How to clean up a hacked WordPress installation

sd speicherkarten — Thu, 15 Oct 2009 04:12:46 GMT

Very nice post bro, I hope you could have posted it lill before to help me out of this situation… lol

Anyhow, I am sure it will be very helpful to some else who is stucked in such situation. Thanks for the useful post

re: 24 Hour Live Hacking Challenge

whips04r — Mon, 12 Oct 2009 04:22:05 GMT

Gah! I swear I did try debug as a GET parameter name, guess I forgot to check the HTML source :( Went so far as to install FirePHP ontop of FireBug with the hope that'd turn debug mode on. I hate you guys for making such a secure challenge :)

re: 24 Hour Live Hacking Challenge

matt wood — Fri, 09 Oct 2009 19:53:19 GMT

In order to pass the 8th level, you had a view the source code and read the HTML comments. The comments suggested there was a debug mode, the intuition here would have been to try requesting the page with some kind of debug mode enabled. This turned out to be enabled by just requesting the page with a query parameter named debug.

Unfortunately for your attempts to exploit the email system... the email address was only recorded once, the other times it was just kinda ignored :)

re: 24 Hour Live Hacking Challenge

whips04r — Fri, 09 Oct 2009 00:06:38 GMT

Am really interested to know how one would pass level 8! I saw a few peeps got it but all my attempts were in vain :( I had to resort to exploiting (seemingly existent) logic flaws in the scoring functionality whereby I hopefully overwrote the email address of some winners - am still waiting to receive my prize :)