WebApp Sec mailing list archives

RE: eWeek OpenHack


From: "Johnson, Michael1 [IT]" <michael1.johnson () citigroup com>
Date: Wed, 23 Oct 2002 12:44:49 -0400

Having a default error page helps in that physical paths and exact error
messages are not returned; this is a very good thing. The app is open source,
so go look into the app and check it out. Also remember the only ports they
have open now are 80 and 443 to the web server, 53 on the DNS server, 25 on
the mail server; I do not think the DB server is accessible from the web. If
you compromise security on any one of the boxes you might be able to gain
access to another box, but it will be difficult to leverage your attacks without
getting some sort of a shell. DoS is useless really... it won't gain you
access to the system. I would try to overload the boxes, maybe running a
stress test on them; applications act funny under large amounts of stress.

-MJ

-----Original Message-----
From: Martin Eiszner [mailto:martin () websec org]
Sent: Wednesday, October 23, 2002 2:54 AM
To: Mark Curphey
Cc: david.wong () foundstone com; webappsec () securityfocus com
Subject: Re: eWeek OpenHack



hi, 

On 22 Oct 2002 14:35:32 -0700
Mark Curphey <mark () curphey com> wrote:

I guess it really is big biz now ! From speaking to people in the
established consulting firms, many echo that 80% of their security

.. yes, that's very true. in our case it's maybe more than 80%.
 
On Sun, 2002-10-20 at 22:27, David Wong wrote:
eWeek is starting the 4th iteration openhack (http://www.openhack.com)
contest this week (http://www.eweek.com/category2/1,3960,600431,00.asp)

Comments?

i did a couple of tests on their systems (IIS/.NET and Oracle9i/Apache).
the webapps seem to be extremely tough.

i managed to produce errors .. but they have installed a default error page,
which is a very good/bad thing ..

the only way in will be through a webserver bug .. maybe.


Mei

-- 
mei () websec org
http://www.websec.org
tel: 0043 699 121772 37
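Both messages above point to the same defensive detail: the OpenHack targets returned a default error page, so probing produced no physical paths or exact error messages. The block below is an added illustration of that practice and is not code from the thread or from the OpenHack application. It contrasts a handler that echoes the raw exception (the "leaky" default of many development stacks) with one that logs the full detail server-side under a reference id and returns only a fixed page to the client. `DOCROOT`, `lookup_record`, and the in-memory `ERROR_LOG` are assumptions constructed for the example.

```python
import traceback
import uuid

# Assumed server-side path; constructed for the example, not from the thread.
DOCROOT = "/var/www/app"

# Constructed stand-in for a server-side log sink: reference id -> full detail.
ERROR_LOG = {}


def lookup_record(record_id):
    """Simulates an application failure whose message exposes internals."""
    raise FileNotFoundError(f"{DOCROOT}/data/{record_id}.xml not found")


def leaky_error_page(exc):
    """Mimics a default stack-trace page: echoes exception text and traceback
    (including file paths) straight to the client."""
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return "<pre>" + detail + "</pre>"


def generic_error_page(exc):
    """Hardened form: keep the detail on the server, keyed by a reference id,
    and send the client a fixed message plus the id for support correlation."""
    ref = uuid.uuid4().hex[:12]
    ERROR_LOG[ref] = "".join(
        traceback.format_exception(type(exc), exc, exc.__traceback__)
    )
    return (
        "<html><body><h1>Sorry, something went wrong.</h1>"
        f"<p>Reference: {ref}</p></body></html>"
    )


def handle_request(record_id, safe=True):
    """Dispatch a request and map any failure to (status, body).
    safe=False reproduces the leaky behaviour; safe=True the hardened one."""
    try:
        return 200, lookup_record(record_id)
    except Exception as exc:  # catch-all so nothing escapes to the framework's trace page
        body = generic_error_page(exc) if safe else leaky_error_page(exc)
        return 500, body


def last_logged_detail():
    """Operator-side view: the most recently stored full error detail."""
    if not ERROR_LOG:
        return None
    return ERROR_LOG[next(reversed(ERROR_LOG))]


if __name__ == "__main__":
    print(handle_request("42", safe=False)[1])
    print(handle_request("42", safe=True)[1])
    print("server log holds:", last_logged_detail())
```

The point of the reference id is that the hardened page loses nothing for the operator: the path and exception type are still in `ERROR_LOG` (a real deployment would write them to the application log), they are just no longer part of the HTTP response a prober sees.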

