|
|
|
OpenHack Wrap
By: Timothy Dyck
2002-12-02
Article Rating: / 1
There are 0 user comments on this Application Development story.
OpenHack Wrap (
Page 1 of 3 ) Little things mean everything in the realm of application-level security.eWEEK Labs fourth OpenHack online security test provided a number of lessons on how to protect corporate data. It also offered further proof that when it comes to security, the devil truly is in the details.
OpenHack is an interactive security evaluation, where a heterogeneous deployment of corporate IT products is evaluated for its ability to withstand the rigors of the Web. Whereas past OpenHack tests have focused on firewalls, IDSes (intrusion detection systems) and trusted operating systems, OpenHack 4 focused on Web application security.
At the heart of this years test, which started Oct. 22 and ended Nov. 8, was a Web application we use in production here at the Labs. We asked Microsoft Corp. and Oracle Corp. to harden the application and then deploy it on their choice of operating system, Web server, application server and database platforms. The hardened applications and the servers upon which they ran were hosted online at www.openhack. com, and a challenge was issued to aspiring hackers the world over to try to complete any of five hacking challenges.
What happened during the course of the test drives home the importance of code review (and review and review again) and a multilayered defense strategy. We also saw clearly the benefit of structured Web programming frameworks that automate some of the work required to write secure code (click here to see how the site fared).
Indeed, its the little things that really matter in security: Each of the two successful cross-site scripting attacks was made possible by a single mistake on a single line of code in the test application.
Its important to reiterate that the OpenHack application is specific to eWEEK and to this test. We discovered no security problems (or any significant operational problems) in any of the other components tested, including Microsofts and Oracles respective Web servers, application servers and databases; in the host Windows 2000 Advanced Server and Red Hat Inc. Red Hat Linux Advanced Server 2.1 operating systems; or in the OpenBSD firewalls or Extreme Networks Inc.s switches we used.
Security Challenges
During the 18 days the test was open, only one of the five security challenges we posed was successfully accomplished.
On the very first day of the test, Jeremy Poteet, chief technology officer at IT consultancy Technology Partners Inc., in Chesterfield, Mo., discovered two places in the Oracle OpenHack test application where he could manipulate the application into sending arbitrary (and possibly malicious) JavaScript code back to a user.
Poteet describes how a functionality bug in the application tipped him off to a possible weakness in the code that he was later able to exploit. He was also able to perform a second cross-site scripting attack by manipulating a URL field to take advantage of the way the application checked unusual data types.
In both cases, Poteet was able to discover exactly where several undiscovered bugs lay in the application simply by careful observation combined with his own experience. He was also able to do this without access to source code—one more reminder that keeping source code secret is very thin protection at best.
|
|
�������x}r8s;�iW1ŋvI�%5e[�KeOul m䐔/;?q^NO7n&�t%_=g�eK�@&2�D"��?I�9uiOș3[ΜGoMz�IjÇ@�B9
(ɑ㍨W)9bP]�HwW�eNzΠv@\��}@^cϣD��d�>J�`OS;S
�)5'Ӡ5> =+3}B}�F�6�\�3�Ѣm3&��I�[����(CJ�Ž?�K�E!{O|2G�$oqX}_�V�:AÙML}!*{�'E%�k4ً�qG/w�>ȀYǝ�F�
{.Q^Lߵ}2��hj9:TN`Uƞfn�ڭaㅰ��A=c�9p<�
G�,gw'9"�ScO�$ա�U�NIp'0�:(��G^C]ñ���\./RF͌iAwtԭ=S��zcGGg�ԏPL0H���=~0[� QM%$�7
�.lq_-%0/`=2}h���:a;6]�Uh?AWuomzV�u�7�ϙۣ}2w p%X䄍ER����O)�|@�iD
�ӱCԣz�/(?r0�im�ȆusRM*AR,הbUrww3s[=7q*sܼ~1ONiR;wN.r$�(�p
mKIu]+h5�e=US�^��D߀*�0QI-�Y|/�Z@
�E�4fEU�2a}oy}yqI}trxi�#|g9̠V*�PFfЊ%+��4Zu\�9;u�w/I}9j�8sِF`Bm�iumUZv�`Ck'ޮCEnXCy�Cm0MߑRMRs"3�\4.>�vHN,-)�0o-YnH.)M|T|Y|ěQ0ʱn>�@|sDmȌS�Hu��t9�~}E'Zf-M>¿� G/<@'D97o#f�M�s,e��g{0A�M)��61tF�)6B̄H )&wR�'�,)|YB* b�r�ݠPP3>ΧKdoF"���Q"ȅ�Q.%
���Ć�> z%Ku}7�pW��ǰfeٜ҅%]WaNFޢG��\z�cO�feEz�^�?{6LqJ�j�p�X.B2iKB0NqjꛛZ\MG_)Ab�/*5U9=|�Qn�2e8l�2>c}n�yw���AgE�|FG|V�궝x�>:AGA�ticŦwh4N@7&�h`C:}ҍ:L��
w|h��x:� C�a`ΨsZ
LP#AтMx>tw�&>��l�d�$4o)s�s�LnM�σ�5�JC�ˋ�0���P�=�� �2/?>�a�xs�ܧP�}M�rAݛ39[ݴiǀxt47(.�%�2J}g�n.G))(H ��hI#r�����
Bг!,`@o!`�`[X;k� a�b
.<��Ҧ�B�I�}vn<�){T�Kh!+�K@fsfh(4{~6�cbB�|#'b�Xr`Y
�\h+|�i)lb
ը�6؛Ţrir�>�Ф7=� K���Һ<�MkD�-|' -�L#F��3p�Eql��0��Ϲp��4ğN'=Ǻ�����VV̚s=R.ƃ5�tݴ٢͙iÂqj�S�9_Aa"F�L˄r�6:eQ|a* ,q�r�dž�fX8Õ�=6q
�TfѬ||=厬m_4�@ޗJ|�zS.z:
%�r%�
5kb�$T`CfL
�q^i.;[@Lg˺z+fYT]۽/ 7�RiO4�m�
{24�@0ٖk_Xt�
jQWt(:��АT
um:bX�G��J�}Bb&^fdhQ���|sö��V/U�OLYZ�sX)Z%R{5>k憭,0!.(2n( _G�,9lVCax1��ZzG�As,ruFzY{z�l.n9�
��8{y4�%2N�?APSt
@IU5}�끆7�_ƅ/c%�|e*8tk0�ׅ])O8Ǘ6�i+�Co�{LsC�m0�Ǧ�"}zXGN6R^-!/z0iTҗKJAUc?$I?րH{A��2,exY5mI�r 'j�Y�H�t]i%rf�Hx�H_GcsHB$�T2`LH�ǎ73]�eQauywPuS3O`�lEK�5�70�M�9C���LKo=9>:ĢQ�7Ϗ9(gd%d��)>�'HR-��ʪZ��J��~~{ ��ߥ�8pc}y�0/N_10Gh�6ה��`3�\x�g�שeXTe���1�0k��fW��#SJI3$#`4��ΔsTNj�Zadz��̼z0_n?!Gjא�j8V>Cyn)�crd8+ѡ,X���rUTՖnR�U�#���tT#�C�Wt��a�3)�X�]Q�iSiQ���9SӲ*SLjH@A�5u8|X\.�``!>5z0f&Q�afY[�⺪TjՂʾ_XN+^�>
(#
`�!
Kx{�ZCAk1۩Zw]܁c:P>H(TX�g7gMEH]ac6U�{z@n�)Z-�Mӣe;4
ϢcIۛg�|1}A-r<9y�n2$8zN0JL;%95$_ۂ�3B��ItL5�֧y@<�sUJ ̿.X`#b&�T~��\x�R�glg^`+w�21OwžZ+UXc��׃0 H}�7sWn�yU=|m�*Ln1}�c�%[Ŵw)n<0{�L3gF�=6
Phn4r�l2y6PZMm"z'�"#�əV�"){~j�Z9p驔r�g�HWt�qM×˿�3~a,0r&]☆��|l'�$o,�y
U8e3 -S`e3�˕2~��g^`�.��JU-��Ah|?T\RGQ�>N<}DcE�i\jxkcO}ʧB�TuQRTbPQKJBgQ�!VA#EB�%3\�-�ܛ`@O|CO]k��2I$̸yF0ŗ!%��Kg�O@lXC�=B3tMnIo�Nk��26�`I3I9�`�{IO4c��3=#>�Yժ5UNJZZ$t`� ۳<��%�8tpL\'eM=J皽6D7<
��ϟݜ�w;s�|�R'9w>EM+v@l+J9wW|L��G\�0�R,W�1�(d�0
stn^� 6b��`
xѤ@"F<$pFMT�!PR2.V3�U/Vs>֒\zF_ɾj,<9Aϐa(�Z4SΊ
Z�`!��b!|Jg�<�AP���{ r
H)'4
�N%:�\bO;H4��VB�0F�D_TJi�)4z'u�3xj�u/)�5;E_�ſ�F½�}i�
T
�t6~OWK0�fAdQ+F+9ǭZ+=#$ubSPӃ�_Nۜr3�0(y!D(�Í7���"HtSݫ%p>�#N M5�W"ȶv=O��?�8��cl9wa�(��!t�$-zdeQnIl?c�RL锐']J؏�z>RB'T5˓$/IYO)Eqjhd�꒐~�~ j&'ءX�ґ֛�]47'8
$O�krisq/Psq%yxrŹ2k�85(~y�N�H��naJiI�gԢᬖ^}+
ɏ�x��:��a�!�?
$LONj-_gHUkv3��#��=vS�$6l��N*tb*9,_빿==RvӅce�w'�9v$st7�#g�S1%� �?g@�b )�c`0
��~U��ު.�M�M%&a�q*hcͰ<�#��s��Ñ3M�QLVwyo_ ar؆�cA�I���#Q��>j��2�}P�}1�>�2�g@m\�g )SV�~L0({8NbfƤv�I�c-�[]�n�60ق�� eAр�eb<|:n�&
��+MWHg�Ob?�=`QF$T?qE;�T�_p&@�M,5/Y��O�ȿ,Il�v�= Q��8�Y�7ΙS.I䊕ZTd
��-f{$lr<5�&+RmiM$"5K|,#c̙ڡ,�'�}}}}˯[.�bX%�qXrSMMupFXK:hpIF.RP_ۓZ�K-�4�Vmx�s8\�%�軄g��aO�kB6k�/x6
��f�<� �3^r']�3Θ�#2Jx圿ɮz$�/��_by�t,C��A]8oW|پ괯.�tQISTE:`^P]K"zg ν@ܳ�±L*�k+-�o>-�l`�$lA���䀷Fk,"K�P6⋻@8tʩ
ڷXZ[oT�?Y"FiL�+�o8@/�]kN4E�9ԱFԇo:�JW�e�F�G�f66ḗ_i]�NO[�0/?ZԵ�v
�P꒪@,�{/�8K$Nb{$�O�95gxCVsj)U
%5D�tD�/$^~3C�
mlPU
vdv$\�"�%]Pǵ'x?[е�A $�p DO�'� )"آt
f"l^Pck&Bw�E-½��i 2s��N̉=n`�"��Jb��Pޜ)4�$Ybc�uH��p2�`
�hQO7-�F]z{71sD8 D?�D�f8(d(.0eHx:u�8\cgkz_9tV4�ep>��ԙ8J^+wn]OT+x*A?WƩWrK2vr�W?�D%R�ф_|�#ķrn7
L/5`yv7H�*DDM�l߽�S�!۩9LfFRs�Z���ߤ�Em_m�au�'^�Ҫ/y�*�Gg-]f>b5�>2o}6c^�=�&ҡH3@84kI/NIn�$8�&w��QqD3g_
$�Xz��"I,�Kɻ�;#{Rs똣w
�5+|O_ܼ/Em/<#qQ}u|`42�`Ӳ�$yk�1nR,�C$&Hm~�)0
ט��!L�31݁��5n[*�?g�]�G?DڞU���Ro|֊�[NiΞCuė��qĴ}7!7^H���uʁH^�/
:ä? ��?�љ-Y?`Cp9oc䭼hud?�?~܉Y!?ǝ"STC�䉯-fHo��%Dcঀ_ع~�x�Uܘ;@�](�fw#�0b�aw9Ƕ�2V˸v0�cM[mKp=BYW�P�>8!p%�9pElX�Cy5F?P9E=Ǐ;ѭID�Nt�Q+"|]6�PVô0-"0~bJb�F�yA y!�Fvӏ;�Kb+nZJ7;$qϣX�WW�kj+� ,�Fy"�Y�"�'"�KIE�/]^|��~8�.
41���^P_Z6`;LP�#m.�MEfAȢif\1�bUZr^�:XuZ.˘xf@]��3&�ME�*ރ0H�uP�1fѽW UP+$4h9^HQ5:#�<ڜ>�bfģ
Zk�ah;Xy�cj=!v'c` �K�.қ≠D37:U�ts7S7ƔSF[Tx�vXj 1{xٍI�<�A[�Э%=�P=je�c=�Hmy1~�RI+��mݳ�Hs#TXC2IߜQF3,�飏ji+�
1 M��|<�y�g\^�kQ g��+j17�
w5k��Q�= �$0rև54
z^KjL7�"|ͱ^fs;�M��x\Hґu
�a�<{Dn�-�1K= o~{@\r
�q�,8�Ye)+�փފ> rF@Yj$O/G���P5�6W�:iO�)9o_N~��V�1!.yp樯M~��u�.��4�>(4x0<ے@xp�I<�R+��5�Y�Gcb#Vֽ?C7L>"7�5|$rkqC9ҌK1O=�0�!s~�!���6L-�
Dä"c�*41GJ[!�}s�eǤ�ۭpx�XҎ`Bx l��d
�D�pcϙ�F$�b���Nx
69��S�<�`Ψ }ڋ8쑫n炉1JO�\-B@e=D�q�{y
�#/t?�k�Dja�]*�@���`g*�#���!�Lz)%n67p>9�鍊[xdaF�� :Lma`t��.Pu�܃~7]_:
����3:%~�6t0^Q=1e&�}�n%n���K
b$�P!%�h$bcx=9`6IB20=cm?ݩi2K$&(��
�@Ka1c�~PoVR$4
>�(�>g�ٕa)豪�o7)�;ee=�=M蕴B��^��Șq�/Y�o
#�&O=lFLn�r5��_q4eMz�{G~{N�ۧk��>r:�GpXmn8~�(�hO�u{Qt۹FhR�S`ӌOP)7(-�/ח�5S�](f#ח�vF��/?��g#cF?~O:Ig}yktZ�пNF?9(w2k|e/O�i�|�g�s�e�ϲ�}2{�9ˠ��Y��e'y�WP~Q~�'�eAYF9yg9yuwAt3O�K7C\�\d�%e��^�=�@?֗�_WP~U�]ew�ʠ5_g�^g55u�%:Iʘ!g�\8=R��fr�~)A_d_�y*%qFy
3YY�~veX^dй\5�ː2Kܿ�2~62A\�u[u
CFWT=k /dmtZk8VҮ�۸/6��h}0�^ZE�/ޤr}�d%Q(w8s`�>&�\ŠMC7ao/�aKZ��ö`�ZG;o�=2dj�y }f)049KhnA���
z}�y<8ѿ6%G�x]Ib|33�7rdB΄[�W騿}asR%�u�5� 5t=_4naV�'ֆ*V<;BN;Nė/�ɱw�ؼ=5x6)��Gi1_����n�fF5�ԃ`ƨ'�dkR0E��v̸fLyC>;}6��bZ�9Ơ}֝��D#Z#X�ZNƀ_@n8݈q�e@(e6Lm (݆,g>b�.�S@7>�cc6H-m�grlC�k��vܙex#e��"�d`;Lj&'^2x��3z_FL�r(�pIdh/�0S\�q?Ih"v]!6
�R�Ň%?1ȫ/5s{Lx��9sW,|Ŷr.i�aBc M�=�X7`��ρ�s�{P|Y\�k,##1苌Y Mc�GVk�ͅ*q.w 0�,Nd=:tM�hp��aAoN[a��>$VSPsXO-N��-+sAz5/���W60D00�Y�~l+>AՋp`w�B�X�t(,�MaMă�W�v,='�IDπj���UMf@gQl(VxHB�W8lo뭻�+0\d�~\g;Urv 3R۞,���`+/]�;��g�\|]0_D=k7ezLUK80m-(EG.r�};�{�,}ݤdv/+
0b%O�vl#�HYUҎZɛ@B��PɑX�)Ns�'|omW\?��T�-kl`IN��B�`t� խ`*��s��cmC@�_ܙ91J1p$��=�)�O-[$@#5E`W�C2�DS,T6y�S*>�% �/��-il �>2z
l|�_Odxƪ~�axh=&����з��57d�(Q|
ӽ�ˍt�_d%�\ d�<�l[� !��ˌK-ˬ>s¥"UX�HN���X,8.� ktk Qh~0��r(#�<[_ڵ<�oc3��+ot%(�5x�[v�·OW�ek[$|�
_�[0~�Y��+m˕bA,\�n2?>Ş�i#K}��@ =(ۊn��`y%K@��4{��
�qS`��hwq#��ƫ1t�cVB\
(c�t!L?Q1?c5Vqٶ�7GLcݰ3Qa[:���n
ۊu�y˷TFn^�Qa[_<�tcbc,LڙB�X�<ٰ���sW=?5z��3l��:ah�o,eH&}+qd.GD�I
qk.-wv�ua4,Lb9�"[^QI�(V�жX�3e�3}"@a)5|`Ʉn�~ӧ�f<�4W�6YĶq��ynu±L���ˑ>�S��>�Z�/�.^� �{e��7�5w�S�F
\�<��A�CWq�k @3k mr7u,�r�?��s\,C��c|Ʋ�cv9zbR�r癰�W`0M�Z�.<�jgW�PR
Y
-f�1%IDb88)ҡCAȚB
>eSC'@n0\|
d9[\Oօt�v�\j /bY4~>��\9�9�.@OI"cXM1}aE�|iOR<�.rFl+�SSq�9m/݉7�,{ޗg/<\Qo�X�Ix ~�'c(FRq�O\||<(>v/c3t㆗�6>}~>oIaE�e遢%!t/[4��!ջhZɊxOο`(X��E�h�⍿c01�45]sTWVI�G�Ŷ3�HZ��W'5X-lt� o]��F'ah|N�VKI+.^�ͦG(ϗ �wE&l�)vsml-�6�C-�;���$.*��
|
Application Development 
