HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: March 2010

Configuration is Half the Battle: ASP.NET and Cross-Site Scripting

Although it's not a new problem, a recent advisory and BlackHat presentation have brought attention to an ASP.NET mis-configuration that can leave you wide open to Cross-Site Scripting (XSS) attacks, even if you are diligently sanitizing your other user-supplied data. If the view state is not cryptographically signed, it is possible for an attacker to overwrite properties of any of your server-side controls and modify HTML returned to the user, opening a vector for XSS.


On the Attack


An early example from the 2004 article “Understanding ASP.NET View State” does not really explain the full scope of the problem:


“Nefarious users could parse the view state, modify the prices so they all read $0.01, and then deserialize the view state back to a base-64 encoded string. They could then send out e-mail messages or post links that, when clicked, submitted a form that sent the user to your product listing page, passing along the altered view state in the HTTP POST headers. Your page would read the view state and display the DataGrid data based on this view state. The end result? You'd have a lot of customers thinking they were going to be able to buy your products for only a penny!”


The potential for damage is much worse than that, and the attack is even easier to carry out.



  1. It’s not necessary to fully parse the view state. Without the signature, the only protection the view state has left is the page hash, which always occurs at the same location and can be extracted by just Base64-decoding the right bytes.

  2. As an extension of #1, it’s not necessary to modify properties that are already being put in the view state. The view state parser does not expect any particular properties to be set (or not set), so you can modify nearly anything you want.

  3. The actual attack can, of course, consist of a malicious script and not just modified text.

  4. It’s not necessary to POST the view state data. In fact, the postback event validation makes it even more difficult. Simply encoding the view state data in a GET parameter named __VIEWSTATE lets you provide a malicious link to be clicked, rather than requiring the user to submit a form.


The attacks I created for WebInspect were based on two more discoveries:



  1. Nearly every ASP.NET control is vulnerable (especially ASP.NET 2.0)

  2. A vulnerable control will almost always appear at index 1


The first point comes from the fact that most ASP.NET controls inherit from HtmlContainerControl, which has an InnerHtml property. The results of modifying InnerHtml should be obvious. While ASP.NET 1.1 would throw an exception if you tried to set that property on another type of control, it seems that most ASP.NET 2.0 controls will just set it as an attribute after performing a weak HTML-encoding. This allows for an easy attribute-based XSS attack, even if you can’t set the inner HTML of the control, leaving nearly all classes of controls vulnerable. Actually finding a control to attack brings me to point #2: how the control indexes work. On the ‘base’ page state, the list of control indexes corresponds to the order in which they appear on the page. All text that is not part of a server-side control gets placed in a LiteralControl. This does not take opening/closing tags into consideration, which is why most controls will first appear at index 1; index 0 will contain a LiteralControl for all text in the page (doctype, opening tag, etc.) leading up to it. The full list of controls, in general, alternates LiteralControls and subclasses of HtmlControl.


Detecting a Vulnerable ASP.NET Site


One of the biggest problems with this attack is how easy it is to detect a vulnerable site. In most cases, the actual exploit is also rather easy. WebInspect has been detecting an unsigned ASP.NET 1.1 view state since 2005, by just checking the last 2 bytes of the view state. A signed ASP.NET view state will end in 20 bytes of garbage, but an unsigned view state will end in “;>” or “>>”, due to the serialization format. We might get a false positive every 32k pages or so, but overall it’s a pretty effective test. In ASP.NET 2.0, the format changed to a binary serialization which requires reading the entire view state to determine if there is any extra data at the end (no more “<” and “>” tokens). It’s much slower, but still only a few lines of code when you use the ObjectStateFormatter available to you.


When doing my research for this vulnerability, I did a quick survey of 336 random sites running ASP.NET. Of those sites, I found 30 (9%) with unsigned view states. That may not sound like a lot compared to the number of total sites with XSS vulnerabilities (some estimates say at least half, others two-thirds). However, finding most XSS vulnerabilities usually requires checking hundreds of inputs with different kinds of validation. Finding a site with an unsigned view state is fast, simple and passive.


Of course, having an unsigned view state is not a guarantee of being exploitable. Some of those sites had a very minimal view state, which likely means that view state was disabled for the page (ASP.NET will still insert a “stub” view state). If your view state is disabled, disabling signing could be a legitimate performance improvement. If you are not disabling view state, but disabling signing, you’re almost certainly vulnerable.
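The passive check described above (pull the __VIEWSTATE field out of a page you own, Base64-decode it, look at the last two bytes for the 1.1 text format, and recognize the 2.0 binary format where a full ObjectStateFormatter walk is needed) as an added Python example. This is not WebInspect's code or anything from the original post; the sample view state values and the HTML page are constructed here, and the "stub" heuristic (a 1.1 body consisting only of the page hash) is an assumption made for the disabled-view-state case noted above.

```python
import base64
import re
from typing import Optional

# Constructed samples (not captured from any real site). ASP.NET 1.1 serializes
# view state as text, "t<pagehash;...;>", and when signing is enabled appends
# the 20-byte MAC to the decoded bytes before Base64 encoding.
_STUB_BODY_11 = b"t<-1274272552;;>"                       # page hash only
_DATA_BODY_11 = b"t<-1274272552;t<p<l<Text;>;l<Hello;>>;;>;>"  # constructed data
STUB_11 = base64.b64encode(_STUB_BODY_11).decode("ascii")
UNSIGNED_11 = base64.b64encode(_DATA_BODY_11).decode("ascii")
SIGNED_11 = base64.b64encode(_DATA_BODY_11 + bytes(range(20))).decode("ascii")
# ASP.NET 2.0 ObjectStateFormatter streams open with the bytes FF 01; the rest
# of this sample is a constructed stand-in, not a real serialized page.
SAMPLE_20 = base64.b64encode(b"\xff\x01\x64").decode("ascii")

# Constructed page, shaped like the hidden field ASP.NET emits.
SAMPLE_HTML = (
    '<html><body><form method="post" action="default.aspx">'
    '<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" '
    'value="' + UNSIGNED_11 + '" /></form></body></html>'
)

_VIEWSTATE_RE = re.compile(r'name="__VIEWSTATE"[^>]*\bvalue="([^"]*)"', re.IGNORECASE)
_STUB_11_RE = re.compile(rb"^t<-?\d+;;>$")  # assumed shape of a disabled-view-state stub


def extract_viewstate(html: str) -> Optional[str]:
    """Return the __VIEWSTATE hidden-field value from a page, or None if absent."""
    m = _VIEWSTATE_RE.search(html)
    return m.group(1) if m else None


def classify_viewstate(b64: str) -> dict:
    """Identify the view state format and apply the 1.1 trailing-byte check.

    For the 1.1 text format an unsigned value ends in ";>" or ">>"; a signed
    one ends in MAC bytes, so the check only misfires about once in 2^15.
    The 2.0 binary format cannot be judged this way, so 'unsigned' is None.
    """
    raw = base64.b64decode(b64)
    info = {"format": "unknown", "unsigned": None, "minimal": False, "decoded_len": len(raw)}
    if raw.startswith(b"\xff\x01"):
        info["format"] = "2.0-binary"
    elif raw.startswith(b"t<"):
        info["format"] = "1.1-text"
        info["unsigned"] = raw[-2:] in (b";>", b">>")
        info["minimal"] = bool(_STUB_11_RE.match(raw))
    return info


def assess_page(html: str) -> str:
    """One-line verdict for a page's view state, for use in an audit report."""
    vs = extract_viewstate(html)
    if vs is None:
        return "no __VIEWSTATE field"
    info = classify_viewstate(vs)
    if info["format"] == "2.0-binary":
        return "binary view state: deserialize fully to check for trailing MAC bytes"
    if info["format"] != "1.1-text":
        return "unrecognized view state format"
    if not info["unsigned"]:
        return "signed view state (1.1 text format)"
    if info["minimal"]:
        return "unsigned stub view state: view state is probably disabled for this page"
    return "unsigned view state: check EnableViewStateMac for this page"


if __name__ == "__main__":
    print(assess_page(SAMPLE_HTML))
    print(classify_viewstate(STUB_11), classify_viewstate(SIGNED_11), classify_viewstate(SAMPLE_20))
```

The `minimal` flag only separates the stub case from a page that really carries data; a binary (2.0) value still needs a full deserialization pass, which is the slower check the post mentions.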


Protect Yourself!


Protecting yourself is quite simple: don’t disable view state signing! It can be turned off in your web.config, a page’s .aspx file, or code-behind class. A full text search for “EnableViewStateMac” should be all you need to check your own code. If you’re not changing it anywhere, you’re secure by default. WebInspect users can Smart Update to the latest SecureBase to get updated checks. We can detect an unsigned view state for ASP.NET 1.1 and 2.0 (and later; 3.5 still uses the same view state format), and attempt to attack both of them as well.


While you’re at it, there are a few other settings you may wish to review. If you are putting any sensitive information in the view state, it can be easily decoded and read by a third party. You can set ViewStateEncryptionMode="Always" in your web.config or in individual pages. Since the signing key is always the same, it could be possible to construct a malicious, but valid, view state and then give the link to someone else, creating a Cross-Site Request Forgery (CSRF) attack. This would be more difficult to execute than the XSS attack, but it’s just as easy to prevent. Set the ViewStateUserKey property in your page to a user-specific value, like the session ID. This adds a salt when signing, so that two users with the same view state data will have different signatures. If it were me, I would have all 3 options enabled (salting, signing and encrypting), but everyone should evaluate the needs of their own applications.
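The source audit the two paragraphs above recommend (search web.config, .aspx directives and code-behind for EnableViewStateMac being turned off, and review ViewStateEncryptionMode and ViewStateUserKey while you are there) as an added Python example. It is not from the original post or from HP; the two sample project trees are constructed in-line, one with the weak settings and one with the hardened ones, and the file-name conventions it matches on are an assumption about a typical Web Forms layout.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample project files (not from any real application).
WEAK_FILES: Dict[str, str] = {
    "web.config": """<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
  </system.web>
</configuration>""",
    "Default.aspx": '<%@ Page Language="C#" EnableViewStateMac="false" CodeFile="Default.aspx.cs" %>',
    "Default.aspx.cs": "protected void Page_Init(object sender, EventArgs e) { EnableViewStateMac = false; }",
}

HARDENED_FILES: Dict[str, str] = {
    "web.config": """<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>""",
    "Default.aspx": '<%@ Page Language="C#" CodeFile="Default.aspx.cs" %>',
    "Default.aspx.cs": "protected void Page_Init(object sender, EventArgs e) { ViewStateUserKey = Session.SessionID; }",
}

# Page directives quote the value; C#/VB code-behind assigns it unquoted.
_DIRECTIVE_MAC_RE = re.compile(r'EnableViewStateMac\s*=\s*"false"', re.IGNORECASE)
_CODE_MAC_RE = re.compile(r"EnableViewStateMac\s*=\s*false\b", re.IGNORECASE)
_USERKEY_RE = re.compile(r"ViewStateUserKey\s*=")


def audit_web_config(text: str) -> List[str]:
    """Check the <pages> element of a web.config for the settings discussed above."""
    findings: List[str] = []
    root = ET.fromstring(text)
    for pages in root.iter("pages"):
        # ASP.NET defaults: enableViewStateMac="true", viewStateEncryptionMode="Auto"
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append('web.config: enableViewStateMac="false" disables view state signing')
        if pages.get("viewStateEncryptionMode", "Auto").lower() != "always":
            findings.append('web.config: viewStateEncryptionMode is not "Always"; '
                            "view state contents can be decoded by anyone who sees the page")
    return findings


def audit_files(files: Dict[str, str]) -> List[str]:
    """Walk a {path: contents} map and return every weak view state setting found."""
    findings: List[str] = []
    user_key_set = False
    for name, text in files.items():
        lower = name.lower()
        if lower.endswith("web.config"):
            findings += audit_web_config(text)
        elif lower.endswith((".aspx", ".ascx", ".master")):
            if _DIRECTIVE_MAC_RE.search(text):
                findings.append(f'{name}: page directive sets EnableViewStateMac="false"')
        elif lower.endswith((".cs", ".vb")):
            if _CODE_MAC_RE.search(text):
                findings.append(f"{name}: code sets EnableViewStateMac = false")
            if _USERKEY_RE.search(text):
                user_key_set = True
    if not user_key_set:
        findings.append("no ViewStateUserKey assignment found: signatures are not "
                        "tied to the user, so a valid view state can be replayed to others")
    return findings


if __name__ == "__main__":
    for label, files in (("weak", WEAK_FILES), ("hardened", HARDENED_FILES)):
        print(label, audit_files(files) or ["no findings"])
```

Because `ViewStateUserKey` can only be set from code (typically in `Page_Init`), the script treats its absence across all code-behind files as a finding rather than trying to locate a single page; in a real tree you would feed it the files from `os.walk` instead of the constructed dictionaries.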

Top Five Web Application Vulnerabilities 3/15/10 - 3/28/10

1) IBM Lotus Notes 'names.nsf' Cross-Site Scripting Vulnerability


IBM Lotus Notes is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. As of this writing, a fix for this issue has not been released. Contact the vendor for additional information.


http://www.securityfocus.com/bid/38880


2) IBM Lotus Notes 'names.nsf' Open Redirection Vulnerability


IBM Lotus Notes is susceptible to an Open Redirection vulnerability. Successful exploitation would aid in phishing and possibly other attacks. As of this writing, a fix for this issue has not been released. Contact the vendor for more details.


http://www.securityfocus.com/bid/38852


3) Novell eDirectory DHost Weak Session-Cookie Session Hijacking Vulnerability


Novell eDirectory is susceptible to a weak session-cookie Session Hijacking vulnerability. Successful exploitation would give an attacker unauthorized access to the affected application. As of this writing, a fix for this issue has not been released. Contact the vendor for further information.


http://www.securityfocus.com/bid/38782


4) HP Project and Portfolio Management Center Unspecified Cross-Site Scripting Vulnerabilities


HP Project and Portfolio Management Center (PPMC) is susceptible to multiple Cross-Site Scripting vulnerabilities. An attacker can leverage these issues to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve these issues are available. Contact the vendor for more details.


http://www.securityfocus.com/bid/38961


5) IBM WEBi Multiple Unspecified Cross-Site Scripting Vulnerabilities


IBM WEBi is susceptible to multiple Cross-Site Scripting vulnerabilities. These vulnerabilities can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve these issues have been released. Contact the vendor for additional details.


http://www.securityfocus.com/bid/39011

Top Five Web Application Vulnerabilities 3/1/10 - 3/14/10

1) HP Performance Insight Remote Command Execution Vulnerability


HP Performance Insight is susceptible to a remote code execution vulnerability. Remote attackers can execute arbitrary commands via vectors involving upload of a JSP document. A fix which resolves this issue has been released. Contact the vendor for additional information.


http://www.securityfocus.com/bid/38611


2) eGroupware Cross-Site Scripting and Remote Command Execution Vulnerabilities


eGroupware is susceptible to a Cross-Site Scripting and a Remote Command Execution vulnerability. The remote command execution vulnerability can be exploited via an HTTP request, and can allow an attacker to execute arbitrary shell commands in context of the webserver process. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve these vulnerabilities have been released. Contact the vendor for more details.


http://www.securityfocus.com/bid/38609


3) Oracle Siebel 'loyalty_enu/start.swe' Cross-Site Scripting Vulnerability


Oracle Siebel is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage this to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. As of this writing, a fix has not yet been released. Contact the vendor for further details.


http://www.securityfocus.com/bid/38456


4) IBM Lotus Domino 'readme.nsf' Cross-Site Scripting Vulnerability


IBM Lotus Domino is susceptible to a Cross-Site Scripting vulnerability. Theft of cookie-based authentication credentials is one of the main risks associated with a Cross-Site Scripting attack. Updates which resolve this issue have been released. Contact the vendor for additional details.


http://www.securityfocus.com/bid/38481


5) IBM ENOVIA SmarTeam 'LoginPage.aspx' Cross-Site Scripting Vulnerability


IBM ENOVIA SmarTeam is susceptible to a Cross-Site Scripting vulnerability. This can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. As of this writing, a fix has not yet been released. Contact the vendor for more information.


http://www.securityfocus.com/bid/38612

HP and Fortify Advance Vulnerability Testing with Hybrid 2.0

HP and Fortify Collaborate on Static Analysis (SAST) & Dynamic Analysis (DAST)


HP and Fortify Software recently announced a joint collaboration that will help customers more efficiently manage and reduce critical security vulnerabilities across the entire application life cycle. Fortify 360's Static Application Security Testing (SAST) technology will be integrated with HP Application Security Center and HP Quality Center software solutions to give enterprise users increased visibility into application security across development, quality assurance and security operations.


These two assessment techniques, static/source code analysis and dynamic/runtime analysis, have come to dominate the application development and testing worlds. Each technique has different strengths and the ability to identify vulnerabilities that the other cannot. While source code analysis is capable of finding insecure programming practices that have potentially rendered the code vulnerable to malicious attacks, it can be limited by the types of languages that have been utilized in crafting the application and can only find potential vulnerabilities rather than actionable results. While dynamic analysis is beneficial because it eliminates language dependency and the need for parsing the source or binary code into an analyzable form, it can also be limited by the fact that it does not have access to the source code, and if unable to "guess" where some pages or files are located, can provide a false sense of security by producing numerous “false negatives”.


Hybrid Analysis


The combined hybrid analysis approach of Hybrid 2.0 will provide a new level of insight into the strengths and weaknesses of an application that can be used to rapidly zero in on “readily exploitable” vulnerabilities. This hybrid analysis approach can provide broad code coverage, identify all points of input to an application, track data as it moves through an application, and then validate the vulnerabilities it does find, ultimately resulting in more accurate results.


For more information, visit http://www.hp.com/go/hybridanalysis.


You can also register to download the Hybrid 2.0: The Next Generation of Integrated Static and Dynamic Security Analysis white paper here.


Finally, to read the press release, visit
http://www.prnewswire.com/news-releases/fortify-software-debuts-next-generation-web-application-hybrid-security-analysis-with-hp-84945867.html

Top Five Web Application Vulnerabilities 2/15/10 - 2/28/10

1) Multiple IBM Products Login Page Cross-Site Scripting Vulnerability


Multiple IBM products are vulnerable to a Cross-Site Scripting vulnerability via the login page. Vulnerable products include multiple releases of IBM Websphere Portal, IBM Lotus Web Content Management, and IBM Lotus Quickr. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve these vulnerabilities are available. Contact the vendor for additional information.


http://www.securityfocus.com/bid/38412


2) Cisco Management Center for Cisco Security Agents SQL Injection Vulnerability


Cisco Management Center for Cisco Security Agents is susceptible to a SQL Injection vulnerability. SQL Injection can give an attacker full access to a backend database, and in certain circumstances can be utilized to take complete control of a system. Updates which resolve this issue are available. Contact the vendor for further details.


http://www.securityfocus.com/bid/38272


3) Hitachi Multiple Products Unspecified Cross-Site Scripting Vulnerability


Multiple Hitachi products are vulnerable to a Cross-Site Scripting vulnerability. Vulnerable products include multiple releases of Hitachi uCosminexus, Hitachi Groupmax Collaboration, and Hitachi Electronic Form Workflow. These vulnerabilities can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which address these issues have been released. Contact the vendor for more information.


http://www.securityfocus.com/bid/38429


4) Symantec IM Manager Console HTML Injection Vulnerability


Symantec IM Manager is susceptible to an HTML Injection vulnerability. HTML Injection is used to add content into a web server’s response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in context of the site, or simply alter how the site appears. Updates which resolve this issue have been released. Contact the vendor for further details.


http://www.securityfocus.com/bid/38241


5) Cisco Security Agent Management Center Directory Traversal Vulnerability


Cisco Security Agent is susceptible to a Directory Traversal vulnerability. Successful exploitation would give an attacker the means to download arbitrary files from the server hosting the Management Center. An update which resolves this issue has been released. Contact the vendor for additional information.


http://www.securityfocus.com/bid/38271

7 Deadly Threats to Cloud Security

In a recent ComputerWorld news article about HP’s new Singapore research facility for the development of a software platform for delivering cloud-based computing services, Dan Olds lauded HP's focus on security. Olds, an industry analyst with Gabriel Consulting Group, said security "is probably the biggest hurdle to cloud adoption in the enterprise today."


I couldn’t agree more. As a member of the Cloud Security Alliance, HP has participated in and sponsored the development of a new research paper on the Top Threats to Cloud Computing. This CSA white paper is intended to help companies make prudent risk management decisions regarding cloud computing adoption.


In the research, we're not saying forget the cloud. Computing as a utility is a good thing. The cloud will help enterprises reduce capital expenditures and lessen day-to-day infrastructure management. But there are many security issues that need to be addressed to keep your applications and data safe in the cloud. You need to deploy cloud computing wisely—and this new white paper will help you identify the greatest threats.


Today HP and CSA released news announcements regarding the research. Under CSA guidance, 29 information security experts from business, solutions providers and consulting firms with cloud computing experience and expertise were surveyed on what they feel are the greatest current security threats within the cloud. I urge you to read the Press Release for all the details. Or, you can watch this new video from HP and CSA on the top cloud security threats. The full research report will be available soon. Stay tuned for the announcement on availability.


Finally, HP is hosting an exclusive executive luncheon featuring an expert Cloud Security Panel discussion. The panelists will be discussing the research released today. If you are interested in attending the luncheon, please stop by HP's booth at RSA and ask for Ron Carelli or Kim Dinerman.
