HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: April 2010

ASP.NET Cross-Site Scripting Followup: Mono

While doing the research that led to my recent post on ASP.NET view state as a vector for XSS, I discovered that while Microsoft's implementation is secure by default, Mono was not.

The default for a Page's EnableViewStateMac property is true in Microsoft's .NET Framework (despite what some documentation says). In Mono, this defaulted to false. In addition, there were certain problems with configuration which made it more difficult to mitigate this vulnerability:

In web.config, setting:

<system.web> <pages enableViewStateMac="true" />

did not enable view state signing. Neither did setting

<%@ Page EnableViewStateMac="true" %>

inside a page's .aspx file. While these two may be considered ordinary bugs and not directly a security problem, they made it much more difficult to work around the problem for existing installations.

Although Mono's view state format is somewhat different from Microsoft's, it was possible to port the exact same attack I used on Microsoft's ASP.NET to Mono by changing the data structure slightly and using Mono's serializer.

The following link will display a Javascript alert when running the XSP sample project on Mono 2.6.3: http://localhost:8080/2.0/menu/menu1.aspx?__VIEWSTATE=DAwNEAIAAA4BBQEOAQ0QAg8BAQlpbm5lcmh0bWwBJzxzY3JpcHQ%2BYWxlcnQoJ0FTUC5ORVQgWFNTIScpOzwvc2NyaXB0PhAAAAAOAAAA

Affected Versions

Mono 2.6.3 and older

Fixed Versions

Mono 2.6.4
Fixes for older branches should be committed soon

Other info


Top Five Web Application Vulnerabilities 4/12/10 - 4/25/10

1) Oracle E-Business Suite Financials 'jtfwcpnt.jsp' SQL Injection Vulnerability

Oracle E-Business Suite Financials is susceptible to a SQL Injection vulnerability. SQL Injection can give an attacker full access to a backend database, and in certain circumstances can be utilized to take complete control of a system. As of this writing, a fix has not yet been released. Contact the vendor for additional information.


2) Apache OFBiz Multiple Cross-Site Scripting and HTML Injection Vulnerabilities

Apache OFBiz is susceptible to multiple Cross-Site Scripting and HTML Injection vulnerabilities. Successful exploitation of these vulnerabilities could be used to alter how the site appears, steal authentication credentials, or execute malicious scripts in the browsers of unsuspecting users. Updates which resolve these vulnerabilities are available. Contact the vendor for further details.


3) Apache ActiveMQ Source Code Information Disclosure Vulnerability

Apache ActiveMQ is susceptible to a remote vulnerability that can give an attacker access to its source code. Successful exploitation would give an attacker the means to retrieve arbitrary files from the vulnerable system in context of the webserver process. Information gained during the exploitation would likely aid in additional attacks. Updates which resolve this vulnerability are available. Contact the vendor for more information.


4) Adobe Acrobat and Reader CVE-2010-0190 Cross-Site Scripting Vulnerability

Acrobat and Reader are susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this vulnerability are available. Contact the vendor for additional details.


5) DotNetNuke System Message Information Disclosure Vulnerability

DotNetNuke is susceptible to an Information Disclosure vulnerability. An attacker could leverage this vulnerability to gain access to sensitive information which could likely be utilized in conducting more damaging attacks. Updates which resolve this issue are available. Contact the vendor for additional information.


Major breach of Electronic Health Records inevitable

By 2015, all healthcare facilities face a deadline set by the U.S. Department of Health and Human Services (HHS) to utilize Electronic Health Records (EHR's). So far, 'business' breaches have far outweighed that of personal health information. The sheer amount of medical information that will be available online, though, will create a plethora of new targets and opportunities for hackers that will quickly close that gap.


Application control will be key in securing this data. It won't do any good for data to be encrypted if the application on a doctor's laptop that reads it has already had its access rights compromised. Security for EHR's is also complicated by the fact that different vendors utilize different software and controls. On top of that, not all participants in the health care infrastructure are mandated to use EHR's at the same time.


There is incentive to adopt best security practices and get it right, though. There is a hefty increase in fines for EHR breaches under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Fines can now go as high as $1.5 million per year.


One thing we know is that hackers are focused, and that they understand psychology. In the coming years, expect a rash (no pun intended) of social engineering attacks designed to gain access to EHR's, as well as an increasing number of 'traditional' methods of attack all designed to steal personal health information. Because of the numbers, a major breach is at some point inevitable. How do consumers protect themselves? Unlike financial information, which can ultimately (if painfully) be cleared, a breach of personal health information can be irrevocable. Adopters of EHR's will hopefully keep that in mind.



Top Five Web Application Vulnerabilities 3/29/2010 - 4/11/2010

1) IBM WebSphere Application Server Administration Console Cross-Site Scripting Vulnerability


IBM WebSphere Application Server is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which address this vulnerability have been released. Contact the vendor for additional information.




2) Apache ActiveMQ 'createDestination.action' HTML Injection Vulnerability


Apache ActiveMQ is susceptible to an HTML Injection vulnerability. HTML Injection is used to add content into a web server’s response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in context of the site, or simply alter how the site appears. Updates which resolve this vulnerability are available. Contact the vendor for further details.




3) HP SOA Registry Foundation Unspecified Cross-Site Scripting Vulnerability
HP SOA Registry Foundation is susceptible to a Cross-Site Scripting vulnerability.  Arbitrary script code can be executed in context of the affected site in the browsers of unsuspecting users if this vulnerability is successfully exploited. Updates which resolve this vulnerability are available. Contact the vendor for more information.



4) VMware WebAccess Multiple Cross-Site Scripting Vulnerabilities


VMware WebAccess is susceptible to multiple Cross-Site Scripting vulnerabilities. Cross-Site Scripting can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. As of this writing, a fix has not been released for the JSON Cross-site Scripting vulnerability, while updates which address the Virtual Machine Name issue have been released. Contact the vendor for further details.


http://www.securityfocus.com/bid/39105  (JSON)
http://www.securityfocus.com/bid/39104 (Virtual Machine Name)


5) VMware WebAccess '/ui/vmDirect.do' Information Disclosure Vulnerability


VMware WebAccess is susceptible to an Information Disclosure vulnerability. An attacker can leverage this vulnerability to redirect legitimate users to a malicious server, thereby gaining access to sensitive information. Updates which resolve this issue are available. Contact the vendor for additional information.



Top 3 Reasons you need Hybrid Analysis

When trying to assess an application for security, the more you learn, the better you can test. That's one reason combining Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) into a hybrid analysis approach can yield better results than using either method individually. It's somewhat of a 'two heads are better than one' approach.  Here are some of the main reasons why using Hybrid Analysis 2.0 is better than either DAST or SAST alone.


More complete Testing:


The first version of hybrid analysis only aggregated DAST and SAST vulnerabilities and occasionally grouped vulnerabilities discovered by both methodologies. While useful for validation, it did not dramatically improve scanning results (which, to be fair, wasn’t its intent). The primary challenge with using DAST & SAST together has always been how to effectively connect the observed behavior of a web application under test into details about why the application behaved a particular way. By unlocking this connection, organizations can focus on the issues that are most critical to their operation, making developers more productive by revealing the root cause within their code. Hybrid Analysis 2.0 represents a significant leap forward in this area. It's a truer integration of DAST & SAST and not simply a method of post-analysis/scan incidental correlation. Instead, results are constantly re-examined so that active correlation during scans can directly link together more vulnerabilities. Put simply, vulnerabilities discovered in web applications can be traced to the actual source of the vulnerability. SAST provides prioritized attack surfaces to direct DAST testing.  And by identifying all points of input to an application, and then tracing that data step-by-step through the application, organizations get a much truer understanding of their security risks and exposure.


Better prioritization of findings:


Hybrid Analysis 2.0 utilizes proximity correlation to re-prioritize the riskiest issues. Applying this technology results in dramatic improvement in the number of correlated results – thus providing both the "proof" of a successful attack and the code-level vulnerability details necessary to fix the problem.  Ultimately, better prioritization of risks lets the most critical vulnerabilities - those that are the most exploitable and damaging - be addressed first.


Reduces the time and cost to fix vulnerabilities in the code:


According to the National Institute of Standards and Technology (NIST), it is 6.5 times more expensive to fix a flaw in development than during design, 15 times more in testing, and 100 times more in development. With Hybrid Analysis 2.0, organizations can quickly locate their most critical application vulnerabilities and fix them before their products are released. And, ultimately, reducing expense in both time and money is what it's all about.


For more information on Hybrid Analysis 2.0, visit http://www.hp.com/go/hybridanalysis.



Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.