HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: March 2011

How to Practice Your Web Application Testing Skills

For those who are learning web application security testing (or just trying to stay sharp), it's often difficult to find quality websites on which to test one's skills. There are a few scattered around the Internet (see the link in the notes section below), but it would be nice to have a solid collection of test sites all in one place.

Aside from finding them all, another problem with most of these sites is that although you can download them for free, they often require some fairly significant configuration. There should be a counter somewhere that shows how much time has been wasted trying to get WebGoat to run, for example.

There is a project that solves both of these problems at once: the OWASP Broken Web Applications Project. It collects a ton of broken web apps into a single project and accomplishes a few major things:

  1. Aggregation: there are over a dozen broken apps, some broken on purpose and some old versions of real software.
  2. Preconfiguration: they all work the way they're supposed to, every time.
  3. Virtualization: they run from a virtual machine, so you simply run the VM and go.

The project includes the following apps (screenshot from the home screen):

[Screenshot: OWASP BWA home screen listing the included applications]

That is a ton of apps, and as I said, they actually work. You click the link as you see it above in the screenshot and you've landed on the start URL for your target. Fire up your browser, your proxy tool of choice, your favorite web scanners, etc. and you're on your way. It's projects like these that make me happy to contribute to OWASP every year.

Enjoy!

Notes

1. Be sure to run this VM in an isolated environment so that you don't introduce deliberately vulnerable systems onto a sensitive network. Running the VM in a NAT configuration is one option.

2. I've also compiled a list on my own site that includes a collection of the web-facing vulnerable web apps provided by vendors, as well as a number of webappsec tools and suites.
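One concrete way to act on note 1, added here as an example rather than taken from the original post: a shell check that refuses to boot the VM while any of its network adapters is bridged onto the real LAN. It assumes the image was imported into VirtualBox under the name `owaspbwa` (the post does not name a hypervisor), and the `showvminfo` lines used for the dry run below are constructed, not captured from a real VM.

```shell
#!/bin/sh
# Flag any bridged network adapter on a VirtualBox VM before booting it.
# Input (stdin): the output of `VBoxManage showvminfo <vm> --machinereadable`,
# which contains one line per adapter such as nic1="nat" or nic2="bridged".
# Exit 0 when every adapter is nat/hostonly/intnet/none, exit 1 when a bridged
# adapter would expose the deliberately vulnerable apps to the surrounding LAN.
vm_isolated() {
    # Collect the adapter names (nic1, nic2, ...) whose mode is "bridged".
    bridged=$(grep -E '^nic[0-9]+="bridged"' | sed 's/=.*//' | tr '\n' ' ')
    if [ -n "$bridged" ]; then
        echo "refusing to start: bridged adapter(s): $bridged" >&2
        return 1
    fi
    return 0
}

# Constructed sample output (not from a real VM) so the check can be dry-run.
SAMPLE_ISOLATED='name="owaspbwa"
nic1="nat"
nic2="none"'

SAMPLE_BRIDGED='name="owaspbwa"
nic1="bridged"
bridgeadapter1="eth0"
nic2="nat"'

# Real use, assuming the VM is named "owaspbwa" (hypothetical name):
#   VBoxManage showvminfo owaspbwa --machinereadable | vm_isolated \
#       && VBoxManage startvm owaspbwa
```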

Labels: OWASP | webappsec | websec

Top Ten Web Application Vulnerabilities 2/22/2011 - 3/13/2011

1) Alcatel-Lucent OmniPCX Enterprise Remote Stack Buffer Overflow Vulnerability

Alcatel-Lucent OmniPCX Enterprise is susceptible to a remote stack buffer overflow because the application fails to properly perform boundary checks on user-supplied data. Successful exploitation would give an attacker the means to execute arbitrary code in the context of the application, with failed attempts likely creating denial-of-service conditions. Fixes which resolve this vulnerability have been released. Contact the vendor for additional information.

http://www.securityfocus.com/bid/46640

2) Cisco Secure Desktop ActiveX Control Executable File Arbitrary File Download Vulnerability

Cisco Secure Desktop is susceptible to an arbitrary file download vulnerability that can give an attacker the means to download and save malicious files on the affected system, allowing for execution of arbitrary code in the context of the current authenticated user. As of this writing, a fix has not yet been released. Contact the vendor for further details.

http://www.securityfocus.com/bid/46536

3) IBM WebSphere Application Server Multiple Security Vulnerabilities

IBM WebSphere Application Server versions prior to 7.0.0.15 are susceptible to multiple vulnerabilities, including Cross-Site Scripting and security-bypass issues. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end-user systems. The security-bypass issues can be exploited to gain unauthorized access to sensitive information. Updates which resolve these vulnerabilities are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/46736

4) IBM Lotus Sametime Server 'stcenter.nsf' Cross-Site Scripting Vulnerability

IBM Lotus Sametime Server is susceptible to a Cross-Site Scripting vulnerability. Cross-Site Scripting can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. As of this writing, a fix has not yet been released. Contact the vendor for more information.

http://www.securityfocus.com/bid/46481

5) HP Power Manager Unspecified Cross-Site Scripting Vulnerability

HP Power Manager is susceptible to a Cross-Site Scripting vulnerability. Arbitrary script code can be executed in the context of the affected site in the browsers of unsuspecting users if this vulnerability is successfully exploited. Updates which resolve this vulnerability are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/46830

6) Kodak InSite Multiple Cross-Site Scripting Vulnerabilities

Kodak InSite is susceptible to multiple instances of Cross-Site Scripting. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in the context of the affected application, possibly leading to theft of authentication credentials and other attacks. As of this writing, a fix has not yet been released. Contact the vendor for additional information.

http://www.securityfocus.com/bid/46762

7) Alcatel-Lucent OmniVista 4760 Network Management System 'lang' Directory Traversal Vulnerability

Alcatel-Lucent OmniVista 4760 Network Management System is susceptible to a directory traversal vulnerability. Successful exploitation will give an attacker the ability to retrieve arbitrary files from the affected system, likely leading to more damaging attacks. Fixes which resolve this issue have been released. Contact the vendor for further details.

http://www.securityfocus.com/bid/46624

8) Red Hat Network Satellite Server Multiple Security Bypass Vulnerabilities

Red Hat Network Satellite Server is susceptible to multiple vulnerabilities, including session fixation and brute-force password guessing attacks. Victims who are enticed into visiting a malicious URI can have their session hijacked, giving an attacker unauthorized access to the application, while the brute-force password attack can likewise be leveraged to gain unauthorized access. Updates which resolve these vulnerabilities are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/46528

9) WordPress cdnvote 'cdnvote-post.php' Multiple SQL Injection Vulnerabilities

WordPress cdnvote ('cdnvote-post.php') is susceptible to multiple instances of SQL Injection. Successful exploitation could give an attacker the means to access or modify backend database contents, or in some circumstances be utilized to take control of the server hosting the database. As of this writing, a fix has not yet been released. Contact the vendor for more information.

http://www.securityfocus.com/bid/46483

10) Joomla! Multiple Security Vulnerabilities

Joomla! versions prior to 1.6.1 are susceptible to multiple vulnerabilities, including SQL Injection, Cross-Site Scripting, URI redirection, Cross-Site Request Forgery, information disclosure, and denial-of-service attacks. Successful exploitation could give an attacker the means to steal cookie-based authentication credentials, redirect users to malicious sites, steal potentially sensitive information, deny service to legitimate users, access or modify backend database content, or perform other unauthorized actions. A patch which resolves these vulnerabilities has been released. Contact the vendor for further details.

http://www.securityfocus.com/bid/46787

Bringing Sexy Back: The HP Application Security Center Support Portal

Shockingly, security product support does not scream “sexy”; in general, interacting with vendor Support is an unsexy productivity tax. You pay a standard percentage of your total license price to get put on hold for a maddeningly long period, ask questions of a well-intentioned Tier 1 newbie, and listen to a canned answer, read from a monitor, that does not pertain to the nuances of your defect in your environment. In other words, Tier 1 support can bear little relation to your real world.

As your question is escalated to higher tiers, there’s a good chance you won’t get an answer soon enough for it to be relevant to your dynamic scanning project timeframe.

I can’t claim that HP Application Security Center is bringing sexy back, but we are revitalizing our ASC Support Forum under the leadership of HP ASC QA Manager Jags Kandasamy. When Jags joined our pocket of HP six months ago, our Support site was rusty from disuse. Users rarely posted, and, when they did, their questions remained largely untouched.

In 2011, Jags and his team members have monitored the use of our support portal, and the greater ASC team has promoted the use of it for our customers. HP support is wonderful, but supplying multiple touch points – including an interactive monitored forum wherein expert users and technical vendor resources can answer questions dynamically and creatively – is alluring.

This year so far, there have been 26 posts from users for WebInspect alone (twice as many as in calendar Q4 2010, and we still have 3 weeks left in the first quarter of 2011); almost all of them have been answered within hours. In some cases, non-HP users have provided good answers; in others, HP resources have found and provided answers, sometimes contacting the relevant customer directly to understand the particular issue in context.

For WebInspect, some of the topics addressed include CSRF detection, memory issues, reporting challenges, web services coverage, URL exclusion, configuring log-in macros, and Silverlight support, to name a few. We’ve helped an Asian federal government ministry official move an AMP instance to another server, finding in that process that the support license had lapsed. We solved the ministry’s portability problem, and helped get the license renewed. In another case, one of our QA engineers posted a helpful process for making QAInspect align with HP’s Application Lifecycle Management platform.

I urge ASC customers to visit the site, register, and gain access to the expertise of our community. If you have questions about the HP ASC support portal, please contact Jags at Jags.Kandasamy@hp.com.

Will Justin Timberlake include us in his next video? A blogger can dream....

Security spending up, but web application security spending down

A recent study revealed that while security spending in general has increased over the last year, the portion devoted to web application security has actually decreased. Considering that web application attack vectors are now the most popular for criminals to exploit, and that the frequency of web application attacks only continues to increase, that's stunning. It's not a problem of funding so much as one of prioritization and an understanding of risk. As Forrester put it, "Most security organizations continue to focus inappropriate attention on network vulnerabilities and reactive network security tools rather than on proactive application security practices." In other words, organizations are spending their money on yesterday's problems, not tomorrow's solutions.

It's funny...10 years ago, when the damage of a successful web application attack was generally much less severe (ooh, we defaced your site), security companies used the fear of the worst possible consequence to sell their solutions. Those were still the days when the value of web application security had yet to be fully realized, so educating stakeholders was an important part of the process. It seems that has changed, at least...companies realize web application security is important now...it's just that they don't exactly know what to do about it. There's still a lot of confusion and misperceptions out there.

For one, the business model for cybercrime has changed dramatically. It's not about a one-time theft. It's about sustaining an undiscovered presence over as long a period of time as possible while stealing as much information as possible. It's estimated that 1% of all inputs in an application harbor some form of vulnerability. Sometimes, one vulnerability gives an attacker the only foothold he needs to completely compromise an application.

A different study revealed that 51% of organizations listed compliance as an important factor in securing their web applications. However, another 43% did not recognize what OWASP is...it's hard to be PCI compliant, among others, without a knowledge of the OWASP Top 10 (a key compliance component). Another misperception organizations have is that their hosting provider will secure their web applications. Um, no. And the most telling...a full quarter of the respondents to this particular survey didn't know how many web applications they have. 20% of the respondents perform no application security testing whatsoever, and another 40% only tested 5% of their applications.

Seems what's needed now isn't selling the fear so much as selling some hard truths. Long story short, it's hard to secure what you don't even test, and even harder when you don't even know what applications you have.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation