WebApp Sec mailing list archives
RE: eWeek OpenHack
From: "Johnson, Michael1 [IT]" <michael1.johnson () citigroup com>
Date: Wed, 23 Oct 2002 12:44:49 -0400
Having a default error page helps in that physical paths and exact error messages are not returned; this is a very good thing. The app is open source, so go look into the app and check it out. Also remember the only ports they have open now are 80 and 443, to the web server; 53 on the DNS server, 25 on the mail server. I do not think the DB server is accessible to the web. If you compromise security on any one of the boxes you might be able to gain access to another box, but it will be difficult to leverage your attacks w/o getting some sort of a shell. DOS is useless really... it won't gain you access to the system. I would try to overload the boxes, maybe running a stress test on them; applications act funny under large amounts of stress.

-MJ

-----Original Message-----
From: Martin Eiszner [mailto:martin () websec org]
Sent: Wednesday, October 23, 2002 2:54 AM
To: Mark Curphey
Cc: david.wong () foundstone com; webappsec () securityfocus com
Subject: Re: eWeek OpenHack

hi,

On 22 Oct 2002 14:35:32 -0700 Mark Curphey <mark () curphey com> wrote:
> I guess it really is big biz now! From speaking to people in the established consulting firms, many echo that 80% of their security

.. yes, that's very true. in our case it's maybe more than 80%.

> On Sun, 2002-10-20 at 22:27, David Wong wrote:
> > eWeek is starting the 4th iteration openhack (http://www.openhack.com) contest this week (http://www.eweek.com/category2/1,3960,600431,00.asp)
> > Comments?

i did a couple of tests on their systems (IIS/.net and Oracle9i/Apache). the webapps seem to be extremely tough. i managed to produce errors .. but they have installed a default error-page, which is a very good/bad thing .. the only way in will be thru a webserver-bug .. maybe.

Mei
--
mei () websec org
http://www.websec.org
tel: 0043 699 121772 37