Information Security News mailing list archives

Hack Smackdown


From: InfoSec News <isn () c4i org>
Date: Thu, 24 Oct 2002 01:45:11 -0500 (CDT)

http://www.eweek.com/article2/0,3959,633769,00.asp

By Timothy Dyck 
October 14, 2002 
timothy_dyck () ziffdavis com

With OpenHack 4, eWeek Labs and a group of technology providers are
again entering the security ring to test enterprise systems' fortitude
under real-world conditions.

Each of the past three OpenHack tests was a challenge to hackers to
take down an e-business Web site built, secured and monitored using
common enterprise applications - and a unique opportunity to test
these applications in the process (see story [1]). With the OpenHack 4
test site, we're focusing on an area that's becoming increasingly
problem-prone: application security.

Indeed, previously unknown security holes in Web application code
provided unauthorized entry past firewalls and led to the successful
attacks against the OpenHack 1 and OpenHack 2 sites. Web application
programming techniques, therefore, come under close scrutiny in
OpenHack 4. (OpenHack 3, protected by a trusted operating system, was
not successfully hacked.)

Although every Web application is different, the basic techniques for
securing them are the same: Input query string and HTTP form post
parameters must be validated; code that generates HTML must guard
against cross-site scripting attacks; code that accesses a database
needs to prevent SQL injection attacks; and the database itself needs
to be hardened against the applications (and their potential
vulnerabilities) accessing it.

However, making sure that all this happens with every variable, page
and parameter in an application is challenging, to say the least.  
OpenHack 4 is intended not only as a test of development techniques
and applications themselves but also as a demonstration of how to
program defensively and how to provide multiple interlocking layers of
security.
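The four techniques listed above (parameter validation, output encoding against cross-site scripting, parameterised database access against SQL injection, and hardening the database against the application that uses it) are shown together in the following example. It is added here and is not code from eWeek Labs, Microsoft or Oracle; it uses Python's bundled sqlite3 module as a stand-in for the .Net/SQL Server and JSP/Oracle stacks, with a constructed product catalog, a constructed credit-card table and a constructed injection payload. Because SQLite has no database accounts, an authorizer callback plays the role that a least-privilege database login (GRANT/REVOKE) would play on a real server.

```python
import html
import re
import sqlite3

# Constructed sample schema and rows for this example; nothing here comes from
# the OpenHack site or the vendors' applications.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (id, name, price) VALUES (?, ?, ?)",
        [(1, "Widget", 9.99), (2, "Gadget", 19.99), (3, "Gizmo <b>sale</b>", 4.99)],
    )
    # The table behind the contest's top prize: card data the catalog page
    # has no business reading.
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, number TEXT)")
    conn.execute("INSERT INTO cards (number) VALUES ('4111111111111111')")
    conn.commit()
    return conn


# 1. Input validation: a query-string product id is accepted only if it is a
#    short run of digits (allowlist); anything else is rejected outright.
ID_RE = re.compile(r"[0-9]{1,9}")

def parse_product_id(raw):
    if not ID_RE.fullmatch(raw):
        raise ValueError("bad product id")
    return int(raw)


# 2. SQL injection: the search term is spliced into the statement text, so an
#    attacker can close the LIKE literal and UNION in any other table.
def search_vulnerable(conn, term):
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

#    Fixed form: the term travels as a bound parameter and is only ever data.
def search_safe(conn, term):
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# 3. Cross-site scripting: anything that came from the database or the request
#    is HTML-escaped on the way out, so markup stored in a name stays inert.
def render_row(name, price):
    return "<li>%s: $%.2f</li>" % (html.escape(name, quote=True), price)


# 4. Hardening the database against the application: the catalog code runs as
#    a principal that cannot read the cards table at all. The authorizer is
#    consulted for every statement at prepare time and refuses reads of
#    cards, just as a REVOKE would on SQL Server or Oracle (assumption: this
#    callback is the example's stand-in, not a feature of those products).
def harden(conn):
    def authorizer(action, arg1, arg2, dbname, trigger):
        if action == sqlite3.SQLITE_READ and arg1 == "cards":
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def steal_cards(conn, term):
    """Run the injectable query; report the rows, or that the DB refused it."""
    try:
        return ("rows", search_vulnerable(conn, term))
    except sqlite3.Error as exc:
        return ("denied", str(exc))


# Constructed payload: closes the LIKE literal, appends a UNION over the card
# table and comments out the rest of the original statement.
PAYLOAD = "' UNION SELECT number, 0 FROM cards --"

def demo():
    conn = make_db()
    results = {}
    results["vulnerable"] = search_vulnerable(conn, PAYLOAD)   # leaks the card row
    results["safe"] = search_safe(conn, PAYLOAD)               # payload is just text: no match
    results["lookup"] = search_safe(conn, "Wid")
    results["html"] = render_row("Gizmo <b>sale</b>", 4.99)
    harden(conn)
    results["after_hardening"] = steal_cards(conn, PAYLOAD)[0]  # 'denied' even with the bug present
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The last step is the point about interlocking layers: the vulnerable query is left in place, yet once the database refuses to let the application's principal read the card table, the injection that previously returned card numbers fails at statement preparation. The parameterised query is still the real fix; the database privilege is the layer that limits the damage when a page is missed.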

In building the OpenHack site, we provided two major systems software
vendors, Microsoft Corp. and Oracle Corp., with a Web-based production
application developed by eWeek Labs. We asked each vendor to recode
the application using the security practices recommended for their
platforms.

Microsoft and Oracle deployed and secured the applications on their
choice of hardware, operating system, application server and database.  
Each company was responsible for the security configuration of its
servers.

Microsoft implemented its application using .Net Framework, Internet
Information Services 5.0 and SQL Server 2000, all running on Windows
2000 Advanced Server. Oracle developed its application using Oracle9i
Application Server Release 2 and Oracle9i Database Release 2, both
running on Red Hat Inc.'s Red Hat Linux Advanced Server 2.1.

eWeek built and secured the rest of the site.

Both the Microsoft and Oracle applications are up now at
www.openhack.com, and we invite crackers from around the world to
prove their "l33t skillz" (elite programming skills in hacker-speak)  
for the fun, challenge, public recognition and prize money. These
prizes will be awarded for the successful completion of any of five
separate penetration tasks. These represent successively more serious
breaches of security: a cross-site scripting attack, a dynamic Web
page source code disclosure, a Web page defacement, a SQL injection
attack and theft of credit card data from the database.  
Denial-of-service attacks don't count and won't be credited.

We feel confident, based on the coding and hardening that's been done,
that none of these attacks is possible, and we hope this test will
improve our current OpenHack record of one win and two losses.

However, the first person to prove to eWeek Labs that he or she has
succeeded at any crack wins for that category of attack. Only one
prize will be awarded for each successful attack, and no hacks other
than the ones described will merit prize money. We will acknowledge
any interesting cracks, though, and their potential danger to
enterprise security.

To receive prize money, successful attackers must document cracking
methodology and any security holes found.

eWeek Labs, working with Oracle and Microsoft staffs, will fix
security problems as we find them ourselves or learn about them from
attackers.

A major goal of OpenHack is to provide eWeek readers with information
that will help them keep their sites more secure. Full details of the
OpenHack site configuration and test updates will be available at
www.openhack.com and www.eweek.com/openhack. (Based on past
experience, the OpenHack site will be under heavy load for the first
few days of the test, so the eWeek site will provide a second
communication channel). After completion of the test, source code will
also be made available.

Those developing dynamic Web applications on either Microsoft or
Oracle software will be able to cross-check our setup against their
own configurations. The security techniques used are also general
enough that they will apply to any organization developing Web
applications that access database content. The Microsoft test
application can be directly accessed at
https://www.ms.openhack.com/default.aspx, and the Oracle test
application at https://www.oracle.openhack.com/openhack/index.jsp.

As the test proceeds, we'll be watching the logs and intrusion
detection reports the way an owl watches for mice (or perhaps, given
the attacks we might get, the way mice watch for owls).

Are you ready to rumble? Let the hacking begin!

[1] http://www.eweek.com/article2/0,3959,600435,00.asp



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.