HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: July 2010

Top Five Web Application Vulnerabilities 7/7/10 - 7/18/10

1) Microsoft Exchange Server Outlook Web Access Cross-Site Request Forgery Vulnerability

 

Microsoft Exchange Server Outlook Web Access is susceptible to a Cross-Site Request Forgery vulnerability. Cross-Site Request Forgery leverages the trust a web application places in a user to make authenticated requests to a target site where the user is logged in, and can be used to abuse any type of functionality the target web application contains. As of this writing a specific patch has not yet been verified as a fix. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/41462

 

2) HP Insight Control Server Migration Unspecified Cross-Site Request Forgery Vulnerability

 

HP Insight Control Server is susceptible to a Cross-Site Request Forgery vulnerability. Cross-Site request forgery relies on a browser to retrieve and execute an attack. It includes a link or script in a page that connects to a site that the user may have recently used. The script then conducts seemingly authorized yet malicious actions on the user’s behalf. Updates which resolve this vulnerability are available. Contact the vendor for more details.

 

http://www.securityfocus.com/bid/41581
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1971
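The two entries above describe the same mechanism: the browser attaches the victim's cookie to a request that a cross-site page caused it to send. The standard defence is a per-session secret the attacker's page cannot read, checked on every state-changing request, with an Origin/Referer check as a second layer. The code below is an added illustration written for this post, not code from Microsoft, HP or either advisory; the in-memory session store, the site origin `mail.example.test` and all request values are constructed for the demo.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory session store keyed by the session cookie value.
# A real deployment keeps this in a database, cache, or signed cookie.
SESSIONS: dict[str, dict] = {}
SITE_ORIGIN = "https://mail.example.test"   # constructed origin of the protected site


def new_session() -> str:
    """Create an anonymous session and return its identifier (the cookie value)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid


def issue_csrf_token(sid: str) -> str:
    """Bind a fresh unguessable token to the session and return it for embedding
    in the form the site itself renders. A page on another origin cannot read it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_token"] = token
    return token


def same_origin(url: str, site_origin: str) -> bool:
    """True when scheme and host of the header value match the protected site."""
    a, b = urlsplit(url), urlsplit(site_origin)
    return (a.scheme.lower(), a.netloc.lower()) == (b.scheme.lower(), b.netloc.lower())


def state_change_allowed(sid, submitted_token, headers) -> tuple[bool, str]:
    """Decide whether a cookie-authenticated, state-changing request may proceed.
    Returns (allowed, reason) so callers and logs can see why a request was refused."""
    session = SESSIONS.get(sid)
    if session is None:
        return False, "unknown session"
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False, "missing token"
    # compare_digest avoids leaking the token through timing differences
    if not hmac.compare_digest(expected.encode(), submitted_token.encode()):
        return False, "token mismatch"
    # Defence in depth: browsers attach Origin (or Referer) to cross-site form posts
    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if source and not same_origin(source, SITE_ORIGIN):
        return False, "cross-origin request"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed traffic: one genuine form post and three forged variants."""
    sid = new_session()
    token = issue_csrf_token(sid)
    genuine = {"Origin": SITE_ORIGIN}
    forged = {"Origin": "https://attacker.example.test"}   # constructed third-party origin
    return {
        # the user's own form: correct token, same origin
        "genuine": state_change_allowed(sid, token, genuine),
        # classic CSRF: browser sends the cookie, but the hidden form carries no token
        "no_token": state_change_allowed(sid, None, forged),
        # a random token value that was never issued for this session
        "wrong_token": state_change_allowed(sid, secrets.token_urlsafe(32), forged),
        # token somehow known, but the post still arrives from another origin
        "leaked_token_cross_origin": state_change_allowed(sid, token, forged),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:28} allowed={allowed} ({reason})")
```

The reason string is deliberately returned rather than only logged: a spike in "missing token" refusals on a single endpoint is exactly the signal a monitoring team wants when a CSRF campaign is under way.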

 

3) Novell GroupWise Agents HTTP Interfaces Multiple Cross-Site Scripting Vulnerabilities

 

Novell GroupWise is susceptible to multiple Cross-Site Scripting vulnerabilities. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve these vulnerabilities are available. Contact the vendor for additional details.

 

http://www.securityfocus.com/bid/41706

 

4) Oracle WebLogic Server Encoded URL Remote Vulnerability

 

Oracle WebLogic Server is susceptible to a remote Encoded URL vulnerability. Successful exploitation would give an attacker the means to inject malicious headers which would then be regarded as trusted. Updates which resolve this vulnerability have been released. Contact the vendor for more information.

 

http://www.securityfocus.com/bid/41620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2375

 

5) Novell GroupWise WebAccess Authentication Information Disclosure Vulnerability

 

Novell GroupWise WebAccess is susceptible to an Information Disclosure vulnerability. Successful exploitation would give an attacker unauthorized access to sensitive information. Information gained through these methods would likely lead to more damaging attacks. Fixes which resolve this vulnerability have been released. Contact the vendor for further details.

 

http://www.securityfocus.com/bid/41713

Tag Injection vs. Cross-Site Scripting

As my last post pointed out, it is not necessary to actually modify the HTML on a page to cause Cross-Site Scripting. If the attack is reflected directly into JavaScript or a style tag/attribute, you can have Cross-Site Scripting through JavaScript injection or CSS injection, without any extra HTML necessary.

XSS attack examples are usually given like

<script>bad stuff here</script>

Or

<img src=x onerror="bad stuff!">

…but what if the bad stuff isn’t actually script? If you blacklist <script> tags and event attributes, you may prevent a textbook XSS attack, but that doesn’t mean you’re safe. An attack that injects an <iframe> tag could be used for clickjacking, where a user could click on a hidden link or button (in the invisible iframe) when trying to click on a visible link or button “below” the hidden frame. Something as seemingly safe as an <img src="/relative/path"> tag could be used for a Cross-Site Request Forgery attack, if the site is vulnerable (in which case, you should probably fix your CSRF vulnerability!).

 

A common reason why someone might want to use a blacklist to filter out XSS attacks but allow other HTML tags is to allow simple tags such as <b>, <i>, and <u> for formatting. If that’s the case, a safer approach may be to use a language specifically designed for this case, like some variation of BBCode. While such languages have occasionally had XSS problems, it’s generally safer to only allow a specific set of formatting options (whitelist) than to only try to filter out “dangerous” looking tags (blacklist). If possible, don’t allow embedding images directly through an [img] tag, unless you can restrict it to a specific directory or image library.
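To make the blacklist-versus-whitelist point concrete, here is an added example (written for this post, not WebInspect code or anything from the original) that puts the two approaches side by side. The blacklist filter strips <script> blocks and on* event attributes, which is all a textbook XSS check asks for, yet the <iframe> and relative-path <img> injections from the paragraphs above pass straight through it. The whitelist renderer escapes the entire input first and then re-enables only [b], [i], [u] and an [img] tag restricted to one directory; the directory name `/static/images/` and all sample inputs are assumptions constructed for the demo.

```python
import html
import re

# --- Blacklist filter of the kind the post warns against --------------------
# Strips <script> blocks and on* event handler attributes, passes everything else.
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)
EVENT_ATTR_RE = re.compile(r"""\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)


def blacklist_filter(text: str) -> str:
    """Removes the textbook XSS vectors only; other tag injection survives untouched."""
    return EVENT_ATTR_RE.sub("", SCRIPT_RE.sub("", text))


# --- Whitelist renderer: escape everything, then re-enable a fixed set of tags ---
SIMPLE_TAG_RE = re.compile(r"\[(/?)(b|i|u)\]", re.I)
IMG_RE = re.compile(r"\[img\]([^\[\]]+)\[/img\]", re.I)
IMAGE_LIBRARY = "/static/images/"               # assumed image directory
SAFE_IMAGE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(png|gif|jpg)$")


def _simple_tags(escaped: str) -> str:
    """Translate balanced [b]/[i]/[u] pairs into tags; stray closers stay literal."""
    out, stack, pos = [], [], 0
    for m in SIMPLE_TAG_RE.finditer(escaped):
        out.append(escaped[pos:m.start()])
        closing, name = bool(m.group(1)), m.group(2).lower()
        if not closing:
            stack.append(name)
            out.append(f"<{name}>")
        elif stack and stack[-1] == name:
            stack.pop()
            out.append(f"</{name}>")
        else:
            out.append(m.group(0))
        pos = m.end()
    out.append(escaped[pos:])
    while stack:                                # close anything left open
        out.append(f"</{stack.pop()}>")
    return "".join(out)


def _image(m: "re.Match[str]") -> str:
    """Only a bare file name inside the library directory becomes an <img>."""
    name = m.group(1)
    if SAFE_IMAGE_NAME.match(name):
        return f'<img src="{IMAGE_LIBRARY}{name}" alt="">'
    return m.group(0)                           # anything else stays as escaped text


def render_bbcode(text: str) -> str:
    """Whitelist approach: HTML-escape the whole input so no user-supplied '<'
    reaches the page, then translate only the permitted BBCode back into markup."""
    escaped = html.escape(text, quote=True)
    return IMG_RE.sub(_image, _simple_tags(escaped))


# Constructed inputs: the two textbook vectors plus the two tag injections
# discussed above. Hostnames and paths are placeholders, not real targets.
SAMPLES = [
    '<script>bad stuff here</script>',
    '<img src=x onerror="bad stuff!">',
    '<iframe src="https://attacker.example.test/" style="opacity:0"></iframe>',
    '<img src="/relative/path">',
    '[b]bold[/b] and [img]logo.png[/img]',
    '[img]../../not-in-library.png[/img]',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"input:     {s}\n blacklist: {blacklist_filter(s)}\n whitelist: {render_bbcode(s)}\n")
```

Run it and the third and fourth samples show the gap: the blacklist returns them unchanged, so the clickjacking frame and the request-forging image both reach the page, while the whitelist renders them as visible text. The sixth sample shows why the [img] restriction matters: a reference outside the library is left as literal text rather than becoming a tag.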

 

It’s important to understand the distinction between HTML Tag Injection and Cross-Site Scripting, as either one can exist without the other, and still cause grief. Guarding against both is important to keeping your site secure.

 

Users of WebInspect should note that WebInspect will send HTML Tag Injection attacks only after all Cross-Site Scripting attacks have failed. If you see HTML Tag Injection (check ID 10044) in your scan results, it means we were not able to execute script to verify an XSS attack, but were still able to modify the HTML. Don’t take this lightly just because it shows up as a “medium”! While it’s not as serious on its own, it could still lead to an attack if not dealt with.

Top Five Web Application Vulnerabilities 6/21/2010 - 7/05/2010

1) IBM WebSphere Application Server Cross-Site Scripting Vulnerability

 

IBM WebSphere Application Server (WAS) is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Fixes which resolve this vulnerability have been released. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/41149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0779

 

2) IBM WebSphere ILOG JRules Cross-Site Scripting Vulnerability

 

IBM WebSphere ILOG JRules is susceptible to a Cross-Site Scripting vulnerability. Arbitrary script code can be executed in context of the affected site in the browsers of unsuspecting users if this vulnerability is successfully exploited. Updates which resolve this vulnerability are available. Contact the vendor for more information.

 

http://www.securityfocus.com/bid/41030

 

3) Apache Axis2 '/axis2/axis2-admin' Session Fixation Vulnerability

 

Apache Axis2 is susceptible to a Session Fixation vulnerability. Victims who are enticed into visiting a malicious URI can have their session hijacked and give an attacker unauthorized access to the application. As of this writing a fix has not been released. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/41076
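Session fixation works because the application keeps using a session identifier that the victim's browser received from somewhere other than the server. The defence is twofold: accept only identifiers the server itself issued, and issue a brand-new identifier the moment a session changes privilege (login). The example below is an added illustration for this entry, not Apache Axis2 code; the store, the planted value and the user name are constructed, and credential checking is assumed to happen before `login` is called.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store; the handling pattern is the point,
    not the storage backend."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create(self) -> str:
        """Issue a fresh, unguessable identifier for an anonymous session."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def is_valid(self, sid) -> bool:
        return sid in self._sessions

    def user_for(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None

    def resolve(self, presented_sid) -> str:
        """Accept only identifiers this server issued. A value that arrived in a
        crafted URL or cookie but was never generated here is replaced."""
        if presented_sid is not None and presented_sid in self._sessions:
            return presented_sid
        return self.create()

    def login(self, presented_sid, username) -> str:
        """Called after the credentials have been verified (out of scope here).
        The pre-authentication identifier is retired and a new one is issued, so
        anyone who planted or learned the old value cannot ride the session."""
        old = self.resolve(presented_sid)
        new = self.create()
        self._sessions[new]["user"] = username
        del self._sessions[old]
        return new


def demo() -> dict:
    """Constructed scenario covering both halves of the defence."""
    store = SessionStore()
    # 1. A value the server never issued is delivered to the victim in a link
    planted = "value-chosen-outside-the-server"
    victim_pre_login = store.resolve(planted)
    # 2. A genuinely server-issued identifier is obtained first and then planted
    issued_by_server = store.create()
    victim_post_login = store.login(issued_by_server, "alice")
    return {
        "planted_adopted": victim_pre_login == planted,
        "issued_sid_valid_after_login": store.is_valid(issued_by_server),
        "new_sid_belongs_to_user": store.user_for(victim_post_login) == "alice",
        "new_sid_differs": victim_post_login != issued_by_server,
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check:32} {value}")
```

The second scenario is the one that catches applications which only validate identifiers: a server-issued value can still be handed to a victim, so regeneration at login is what actually closes the hole.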

 

4) Novell Identity Manager Roles Based Provisioning Multiple Cross-Site Scripting Vulnerabilities

 

Novell Identity Manager Roles Based Provisioning Module is susceptible to multiple Cross-Site Scripting vulnerabilities. An attacker can leverage these issues to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve these vulnerabilities are available. Contact the vendor for further details.

 

http://www.securityfocus.com/bid/41337

 

5) Trend Micro InterScan Web Security Virtual Appliance Multiple Vulnerabilities

 

Trend Micro InterScan Web Security Virtual Appliance is vulnerable to multiple vulnerabilities including HTML Injection and Cross-Site Request Forgery. HTML Injection is used to add content into a web server’s response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in context of the site, or simply alter how the site appears. Cross-Site Request Forgery leverages the trust a web application places in a user to make authenticated requests that appear completely legitimate, and can be used to abuse any type of functionality the web application contains. Updates which resolve these vulnerabilities are available. Contact the vendor for additional details.

 

http://www.securityfocus.com/bid/41296
http://www.securityfocus.com/bid/41039

Are you a security superstar?

The HP Web Security Research Group is actively seeking fresh brains (in bodies) to work on our cutting edge web application assessment technology. Have you used HTTP methods in casual conversation, or thought about exploiting an XSS attack in a social network to make Angelina Jolie your friend? Then it’s a match made in heaven (but assembled in Atlanta). We want somebody interested in discovering vulnerabilities in RIA like Silverlight and Flash, and who wants to tackle intriguing issues like JavaScript static analysis. We need an individual interested in finding the best methods for automating detection of issues like XSRF, persistent XSS, and URL rewriting. We're working on these challenges and even more, all in a fun and fast-paced environment. If you and your brain are interested, contact gabriel.braslavsky@hp.com for more information.
