HP Security Products Blog

Displaying articles for: January 2011

Top Ten Web Application Vulnerabilities 1/17/2010 - 1/30/2010

1) Oracle Database and Enterprise Manager Grid Control Remote Code Execution Vulnerability

Oracle Database and Enterprise Manager Grid Control is susceptible to a remote code execution vulnerability that gives an attacker the means to execute arbitrary code within the context of the application. Updates which resolve this vulnerability are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/45883

2) Oracle Audit Vault CVE-2010-4449 Remote Code Execution Vulnerability

Oracle Audit Vault is susceptible to a remote code execution vulnerability that can give an attacker the means to execute arbitrary code with elevated privileges, possibly leading to a complete system compromise. Updates which resolve this vulnerability have been released. Contact the vendor for more details.

http://www.securityfocus.com/bid/45844

3) Oracle Fusion Middleware CVE-2010-4416 Oracle GoldenGate Veridata Remote Code Execution Vulnerability

Oracle Fusion Middleware is susceptible to a remote code execution vulnerability in Oracle GoldenGate Veridata that gives an attacker the means to execute arbitrary code within the context of the application. Failed attempts will likely result in a denial-of-service condition. Updates which resolve this vulnerability have been released. Contact the vendor for further information.

http://www.securityfocus.com/bid/45868

4) Oracle Fusion Middleware CVE-2010-4417 Beehive Remote Code Execution Vulnerability

Oracle Fusion Middleware is susceptible to a remote code execution vulnerability in Beehive that could give an attacker the means to execute arbitrary code within the context of the application. Updates which resolve this vulnerability are available. Contact the vendor for additional details.

http://www.securityfocus.com/bid/45854

5) Oracle Enterprise Manager Real User Experience Insight (RUEI) SQL Injection Vulnerability

Oracle Enterprise Manager Real User Experience Insight (RUEI) is susceptible to a SQL Injection vulnerability. Successful exploitation could give an attacker the means to access or modify backend database contents, or in some circumstances be utilized to take control of the server hosting the database. Updates which resolve this vulnerability are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/45874

6) Oracle Database Vault Cross-Site Request Forgery Vulnerability

Oracle Database Vault is susceptible to a Cross-Site Request Forgery vulnerability. Cross-Site Request Forgery leverages the trust a web application places in a user to make authenticated requests to a target site into which the user is logged in, and can be used to abuse any type of functionality the target web application contains. Updates which resolve this vulnerability have been released. Contact the vendor for additional information.

http://www.securityfocus.com/bid/45905

7) HP Business Availability Center and Business Service Management Cross-Site Scripting Vulnerability

HP Business Availability Center and Business Service Management is susceptible to a Cross-Site Scripting vulnerability. Arbitrary script code can be executed in the context of the affected site in the browsers of unsuspecting users if this vulnerability is successfully exploited. Updates which resolve this vulnerability are available. Contact the vendor for additional details.

http://www.securityfocus.com/bid/45944

8) DotNetNuke Install Module Remote Code Execution Vulnerability

DotNetNuke is susceptible to a remote code execution vulnerability that an attacker can leverage to execute arbitrary code in the context of the web server process. This could allow both the application and the underlying system to be compromised. Updates which resolve this vulnerability are available. Contact the vendor for further information.

http://www.securityfocus.com/bid/45940

9) Bugzilla Multiple Vulnerabilities

Bugzilla is susceptible to multiple vulnerabilities, including Cross-Site Scripting, Cross-Site Request Forgery, and a security bypass issue. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Cross-Site Request Forgery relies on a browser to retrieve and execute an attack. It includes a link or script in a page that connects to a site that the user may have recently used. The script then conducts seemingly authorized yet malicious actions on the user's behalf. Other security mechanisms can also be bypassed. Updates which resolve these vulnerabilities are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/45982

10) IBM WebSphere Portal and Workplace Web Content Management Information Disclosure Vulnerability

IBM WebSphere Portal and Workplace Web Content Management is susceptible to an information disclosure vulnerability. Successful exploitation would give an attacker unauthorized access to sensitive information. Information gained through these methods would likely lead to more damaging attacks. Updates which resolve this vulnerability are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/45989

Cookie Stealing With Cross-Site Scripting Explained

One of the most common questions I receive when doing appsec consulting revolves around cross-site scripting. Specifically, I am asked constantly why it is that stealing a cookie via reflected cross-site scripting has so many steps. If the goal is to get a victim to run a malicious script that steals cookies, and the attacker has to send the victim a link anyway...why not just send them a link to a script and be done with it? Why waste time with all this reflection?

It's a good question, and the answer eludes many bright and experienced security professionals--including some who have had weeks of application security training. What I'll do here is lay out a quick set of conceptual steps that should make the mechanics of this attack completely transparent.

  1. Cookies Are Authentication. This is key to remember. Cookies are given to you by a server after you've proven that you are who you say you are. This is why you don't have to enter your password repeatedly when you load each page. So if someone gets that cookie you're using, they can become you. Naturally, if someone gets your cookie from bank.com or store.com, that's a problem.
  2. Evil.com Cannot Access the Cookies From Bank.com. This is part two of the equation. If a script running off of evil.com could pull the cookies from bank.com or store.com, then attackers could just send a cookie stealing script that runs on evil.com and get the cookies from every other site the victim has been to.

     That is prevented by the same origin policy, which determines that you can only access cookies from the domain you're running your script from. So if you click a link that points you to evil.com that steals cookies, it can only steal the cookie given to you by evil.com--which is not likely to be very useful to the attacker. Remember, it's the bank.com cookie that is the target of the attack.
  3. So We Must Get the User to Run a Script Served by Bank.com. This is the key to the whole thing: In order to steal a target user's cookie from bank.com, an attacker has to get that user to run a script served by bank.com that steals their cookie. So how do we do that? That's where the cross-site scripting comes in.
  4. Reflected Cross-site Scripting Allows User-submitted Content to Bounce Back to the Browser. This is the part that more people understand: You submit script in a request to a server, and because it's not properly handled it gets sent back to the client in the response--at which point the browser runs it. So the attacker simply finds an area on bank.com that is vulnerable to this problem, and he builds his link to point there as the container for his cookie-stealing script.
  5. The User Bounces the Cookie-stealing Script off of Bank.com. This is the final step that usually gets glossed over in explanations. The user clicks the link that the attacker sent him, which points to bank.com (it must be safe if it's bank.com, right?), and then the cookie-stealing script comes back in the browser and steals the cookie for the current user, i.e. the victim.

The key here is that if the script didn't come from bank.com it wouldn't have been able to steal the user's cookie for bank.com, and that's the only purpose for the cross-site scripting--to get malicious script to "come from" a known good website. That's why the extra step is there: you can only access the cookie of a site you're visiting.
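The five steps above, as an added example that is not part of the original post: a small Node.js model of the bank.com reflection (vulnerable form beside the encoded form), a scanner-style check that tells the two apart, and the HttpOnly session cookie that keeps the cookie out of reach of script even when a reflection slips through. bank.com, evil.com, the `q` parameter, the cookie names and the page markup are all assumptions.

```javascript
// Added example, not code from the original post. Node.js, no dependencies.
// bank.com, evil.com, the cookie names and the page markup are assumptions.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode untrusted text for an HTML body or attribute context.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable handler (step 4): the search term is copied into the response
// as-is, so script placed in a link comes back "served by bank.com".
function searchPageVulnerable(q) {
  return `<html><body><p>Results for ${q}</p></body></html>`;
}

// Hardened handler: the same page, but the reflected value is encoded, so a
// "<script>" tag reaches the browser as literal text rather than markup.
function searchPageHardened(q) {
  return `<html><body><p>Results for ${htmlEscape(q)}</p></body></html>`;
}

// Dynamic-scanner style check: push a harmless canary through the handler and
// see whether it comes back byte-for-byte. True means a reflected-XSS sink.
function reflectsUnencoded(handler) {
  const canary = '<xss-probe "\'>';
  return handler(canary).includes(canary);
}

// Set-Cookie header for the session cookie (step 1). HttpOnly removes it from
// document.cookie, so even a script that does run on bank.com cannot read it;
// Secure and SameSite=Lax limit where the browser sends it at all.
function sessionCookieHeader(sessionId) {
  return `SESSIONID=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Model of what document.cookie exposes on a given origin: only cookies set by
// that origin (same-origin policy, step 2) and only those without HttpOnly.
function scriptVisibleCookies(jar, origin) {
  return jar
    .filter((c) => c.origin === origin && !/;\s*HttpOnly\b/i.test(c.header))
    .map((c) => c.header.split(";")[0]);
}

// Constructed sample cookie jar: a hardened bank.com session cookie, a legacy
// bank.com cookie without HttpOnly, and an unrelated evil.com cookie.
const SAMPLE_JAR = [
  { origin: "bank.com", header: sessionCookieHeader("abc123") },
  { origin: "bank.com", header: "PREFS=dark; Path=/" },
  { origin: "evil.com", header: "TRACK=xyz; Path=/" },
];

console.log("vulnerable reflects canary:", reflectsUnencoded(searchPageVulnerable));
console.log("hardened reflects canary:", reflectsUnencoded(searchPageHardened));
console.log("script-visible on bank.com:", scriptVisibleCookies(SAMPLE_JAR, "bank.com"));
```

With the legacy cookie the script still sees one bank.com value, which is the point of the exercise: output encoding removes the reflection, HttpOnly removes the prize.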

 

At any rate, I hope this helps someone, and in a future post I'll be creating and posting some proof-of-concept content to help illustrate how it works in practice.

Tags: XSS

Data breaches aren't just cosmetic

Another day, another story about a data breach that revealed credit card information. This one affected the UK web presence of Lush Cosmetics. Details of the actual cause are still scarce, but I would bet the intrusion was a result of SQL Injection. Call it a hunch.

 

Lush Cosmetics handled the incident in several unique ways. First, instead of fixing the problem, they removed the site from production and set up a simple alternate order site which relied on PayPal. If it wasn't so painful, I would call that a cosmetic solution.

 

Secondly, they posted a note that complimented the hacker for his skills but admonished him for his lack of character. Shame, shame, hacker! Not really sure what the intent was there...we got hacked, but we have our morals.  

 

Finally, they put up a video of happy Muppets to spread some cheer. Turn those frowns upside down, victims! I am not sure how well that played with customers who will have to monitor their credit for the foreseeable future, but personally I would have been less than amused.  

 

Sometimes it's good to have a plan for when things go wrong, is all I'm saying. Normal data breaches usually cause a decline in the value of a company's stock...not sure what impact Muppets will have.

2011 New Year's Web App Security Resolutions

 

Well before the final strains of "Auld Lang Syne" stopped ringing in my ears, I was thinking about what the new year must hold for HP application security, especially for dynamic scanning. Given the previously-posted "Fearless Security Predictions for 2011", there are many resolutions to make as we aim to eliminate application security flaws and marginalize bad actors, and as I aim to improve our dynamic scanning solutions for our customers.

 

So here are my resolutions for 2011:

 

1) Improve WebInspect. Already the recognized industry leader, WebInspect will become even finer in terms of Web 2.0 coverage, increasing attack surface, usability, and finding previously-obscured classes of vulnerabilities, as we have recently done with cross-site request forgery. The good news is that we are starting from a better position than our less-visionary competitors; unlike many of them, we will be making incremental improvements on a solid foundation.

 

2) Actively seek out and listen to customers and partners. I will be on the phone and on the road talking to customers and other stakeholders to uncover areas where we can upgrade our solutions, learn what specific features they wish to see added to our products, and clarify our vision for the future.

 

If you wish to speak with me at any time about our products, please email me at adam.hils@hp.com. We can correspond via email or, preferably, schedule a meeting.

 

3) Deliver on the "Hybrid" promise. "Hybrid" will mean much more than mere correlation of static and dynamic findings. HP Fortify and HP ASC are working hard at creating mutually-reinforcing hybrid solutions that will deliver heretofore-unimaginably good testing results across the application lifecycle.

 

4) Leverage vulnerability research and security assets from across HP. HP has unparalleled security researchers, including those in our own Web Security Research Group, HP Fortify's Security Research Group, and HP Tipping Point's DV Labs. We will continue to use these "smart bombs" to arm our products with the best application threat intelligence in the industry. In addition, our application security teams will seek strategic opportunities to field joint solutions with other HP enterprise security offerings.

 

5) Tell our story frequently, loudly, crisply and cleanly. Our thought leadership and security awesomeness will not remain a well-kept secret in 2011.

 

6) Lose weight. Sigh...This one I'm much less confident about....

Top Five Web Application Vulnerabilities 1/2/2011 - 1/16/2011

1) HP OpenView Network Node Manager Multiple Remote Code Execution Vulnerabilities

HP OpenView Network Node Manager is susceptible to multiple remote code execution vulnerabilities. Successful exploitation could give an attacker the means to execute arbitrary code with the privileges of the user running the application server. Failed attempts would likely result in a denial-of-service condition. Updates which resolve these vulnerabilities are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/45762

2) Novell Identity Manager Cross-Site Scripting Vulnerability

Novell Identity Manager is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve this vulnerability are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/45692

3) Symantec Web Gateway Management GUI SQL Injection Vulnerability

Symantec Web Gateway Management GUI is susceptible to a SQL Injection vulnerability. SQL Injection can give an attacker full access to a backend database, and in certain circumstances can be utilized to take complete control of a system. Updates which resolve this vulnerability are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/45742

4) IBM Cognos 8 Business Intelligence 'pathinfo' Parameter Cross-Site Scripting Vulnerability

IBM Cognos 8 Business Intelligence is susceptible to a Cross-Site Scripting vulnerability. Arbitrary script code can be executed in the context of the affected site in the browsers of unsuspecting users if this vulnerability is successfully exploited. Updates which resolve this vulnerability are available. Contact the vendor for further information.

http://www.securityfocus.com/bid/45781

5) IBM Tivoli Access Manager for e-business Directory Traversal Vulnerability

IBM Tivoli Access Manager is susceptible to a Directory Traversal vulnerability. Successful exploitation would give an attacker the means to view arbitrary files with the privileges of the web server process. Information gained through these methods would likely lead to more damaging attacks. Fixes which resolve this vulnerability have been released. Contact the vendor for more details.

http://www.securityfocus.com/bid/45836

Still no national data breach disclosure standards

Yet another major data breach recently led to the disclosure of over 110,000 credit card numbers and cardholder information. What intrigued me about this report wasn't that developers still aren't writing secure code (shocker). And it wasn't the nature of the intrusion. According to the Verizon 2010 Payment Card Industry Compliance report, SQL Injection accounts for 24% of all credit card data breaches. So, nothing new there. At the current pace of exploitation, I fully expect SQL Injection vulnerabilities to be around for another ten years before parameterizing queries becomes a standard development practice.

 

But I digress. What really caught my eye was that out of 110,000 credit cards, only the New Hampshire Attorney General apparently received notification regarding the 300 or so that impacted the residents of his state. Why weren't all the breaches treated the same?

 

Because disclosure laws are a complete mess of competing state legislation. There's still no national overriding standard that defines how breaches of data will be handled and reported. Some states (what a surprise, Alabama) have no standard at all.


The House passed the Data Accountability and Trust Act in 2009, but similar bills introduced in the Senate in 2010 ultimately floundered and died. And with the expiration of the 111th Congress, the House's version did the same. Hopefully the 112th will reexamine this issue. It seems that this is an issue that would receive bipartisan support. The sticking point, of course, is the cost to businesses of failure to comply, etc. But asking small and medium-sized enterprises to wade through 46 different sets of legislation has its own costs, too. Congress got its act together on Personal Health Information (PHI). It's time to do the same for all kinds of potentially harmful data.

Top Five Web Application Vulnerabilities 12/13/2010 - 1/2/2011

1) Symantec Endpoint Protection Reporting Module 'fw_charts.php' Remote Code Execution Vulnerability

Symantec Endpoint Protection (SEP) Reporting Module is susceptible to a remote code execution vulnerability. An attacker can leverage this vulnerability to execute arbitrary PHP code on the server to which the reporting module connects. Updates which resolve this vulnerability are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/45372

2) IBM WebSphere Service Registry and Repository Authentication Bypass Vulnerability

IBM WebSphere Service Registry and Repository is susceptible to an authentication bypass vulnerability. Successful exploitation would give an attacker unauthorized access to the application. Updates which resolve this vulnerability are available. Contact the vendor for further information.

http://www.securityfocus.com/bid/45585

3) IBM ENOVIA 'emxFramework.FilterParameterPattern' Cross-Site Scripting Vulnerability

IBM ENOVIA is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage this issue to execute script code in the browsers of unsuspecting users in the context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this issue are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/45391

4) HP Insight Diagnostics Online Edition CVE-2010-4111 Cross-Site Scripting Vulnerability

HP Insight Diagnostics Online Edition is susceptible to multiple instances of Cross-Site Scripting. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve these issues are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/45420

5) PHP NULL Character Security Bypass Vulnerability

PHP is susceptible to a security bypass vulnerability. Successful exploitation would give an attacker access to sensitive information which could possibly lead to more damaging attacks. Updates which resolve this issue are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/44951
