Page Three

By Timothy Dyck  |  Posted 2002-12-02

OpenHack Wrap

Much more dangerous were the approximately 240,000 malformed or illegal HTTP request attacks received by the OpenHack Web servers. Since this test was all about Web application security, manipulating HTTP requests and the parameters to those requests was the modus operandi of the more serious hackers (and is exactly the method Poteet used in his attacks).

Accepting user-supplied parameters, taking actions based on that data and then storing the data in a corporate database is an inherently dangerous activity; organizations need to use all the standard tools at their disposal to help filter out dangerous input before it reaches their applications.

Both Oracle and Microsoft used a multilayered approach to scrubbing HTTP traffic.

Oracle added specific entries in its Apache Web server httpd.conf file to immediately block URL requests containing suspect characters before the request could reach the application server. Microsoft used its freely downloadable URLScan traffic filter to scan and clean HTTP traffic before it reached the ASP engine. Both approaches were very effective, blocking many tens of thousands of dangerous requests.
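The filtering layer described above (Oracle's httpd.conf rules and Microsoft's URLScan) sits in front of the application and drops requests on the strength of the request line alone. The following is an added illustration of that idea, not code from the article, from Oracle or from Microsoft: a small filter that rejects malformed request lines, disallowed methods, over-long URLs, double-encoded URLs, null bytes, path traversal and a deny-list of characters the application never needs. The deny-list, the size limit, the method list and the sample requests are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Characters this application never needs in a URL; any request carrying one of
# them is dropped before it reaches the application server. (Assumed deny-list.)
SUSPECT_CHARS = set('<>"\'`;|\\{}')
MAX_URL_LENGTH = 1024                       # assumed limit
ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # assumed method whitelist
REQUEST_LINE = re.compile(r'^([A-Z]+) (\S+) HTTP/1\.[01]$')


def check_request_line(line):
    """Return (ok, reason); ok is True only if every check passes."""
    m = REQUEST_LINE.match(line)
    if not m:
        return False, "malformed request line"
    method, url = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(url) > MAX_URL_LENGTH:
        return False, "URL too long"
    # Decode once, then once more: if the second decode changes anything the
    # client double-encoded the URL, a common way of slipping past a filter
    # that only looks at the raw bytes.
    decoded = unquote(url)
    if unquote(decoded) != decoded:
        return False, "double-encoded URL"
    if "\x00" in decoded or ".." in decoded:
        return False, "null byte or path traversal"
    bad = SUSPECT_CHARS.intersection(decoded)
    if bad:
        return False, "suspect characters: " + "".join(sorted(bad))
    return True, "ok"


# Constructed sample request lines: one clean request and six that a
# front-end filter of this kind should refuse.
SAMPLE_REQUESTS = [
    "GET /catalog/item.jsp?id=1042 HTTP/1.1",
    "GET /catalog/item.jsp?id=1042%3Cscript%3E HTTP/1.1",
    "GET /catalog/item.jsp?id=1042%253Cscript%253E HTTP/1.1",
    "GET /../../etc/passwd HTTP/1.0",
    "GET /search.jsp?q=a%00.jsp HTTP/1.1",
    "GARBAGE /nope",
    "TRACE / HTTP/1.1",
]


def scrub(requests):
    """Run each request line through the filter; return (line, ok, reason) tuples."""
    return [(line,) + check_request_line(line) for line in requests]


if __name__ == "__main__":
    for line, ok, reason in scrub(SAMPLE_REQUESTS):
        print("ALLOW" if ok else "BLOCK", reason.ljust(28), line)
```

Decoding before inspecting is the important design choice: a filter that compares the raw URL against a character list is defeated by `%3C`, and one that decodes only once is defeated by `%253C`. Keeping the deny-list short and the method list explicit keeps the rule set auditable, which matters when the filter is the layer that stops tens of thousands of requests a day.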

Oracle and Microsoft handled two other challenges—authenticating users and validating parameters—very differently, highlighting more fundamental differences between the Java and .Net development platforms.

The Oracle application was based quite closely on eWEEK Labs' reference application, which we had originally written in JSP and Java. This application used its own logic to authenticate users, check access control rights to pages and validate parameters.

In fact, a significant portion of the code on each page is devoted to security, with hundreds of such checks. However, missed checks in two places, discovered by Poteet's trial-and-error probing, resulted in the successful cross-site scripting attacks. Both bugs were in our original code as well and had been there for some time, demonstrating how difficult it can be to find stealthy errors in existing code.

Its Internet Information Services Web server can't run JSP, so Microsoft had to rewrite the OpenHack application from scratch (although Microsoft's application was functionally identical to the original one).

Microsoft wrote the application using ASP .Net, which has pre-written APIs that make user authentication and parameter validation simple. For example, parameter validation is done declaratively using the visual Web form builder in Visual Studio .Net, and all the code to match user input to a validation pattern regular expression is generated automatically. This approach helps to ensure that no security checks are missed and frees developer time for back-end business logic.

Oracle staff recommended that Java developers take advantage of various third-party Java frameworks for user management and forms handling to get the benefits of using a more structured development process.

In particular, they advised using The Apache Software Foundation's Struts project, at struts. Struts provides a declarative forms language that automates field and form state management, includes built-in data validation features, and has emerged as a leading structured Web application development tool for Java.
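The contrast the article draws, hand-written checks on every page (where two were missed) versus declarative validation in ASP .Net or Struts (where every declared field is checked by generated code), can be shown in a few lines. The following is an added example, not code from the article, from the OpenHack application or from either framework: a single validation table that lists every parameter a page accepts with its pattern, a validator that checks all of them and rejects anything not listed, and an output-encoding step for the values that pass. The field names, patterns and sample parameters are constructed for the example.

```python
import html
import re

# Declarative validation table (assumed for this example): every parameter the
# page accepts is listed with the pattern it must match. A page cannot "forget"
# a check, because the validator walks this table rather than per-page code.
FORM_RULES = {
    "item_id": re.compile(r"[0-9]{1,8}"),
    "quantity": re.compile(r"[1-9][0-9]{0,2}"),
    "username": re.compile(r"[A-Za-z0-9_]{3,20}"),
    "comment": re.compile(r"[A-Za-z0-9 .,!?'-]{0,200}"),
}


def validate_form(params, rules=FORM_RULES):
    """Check params against rules. Returns (clean, errors).

    Fails closed: a parameter that is not declared is an error, a declared
    parameter that is absent is an error, and only values matching their
    pattern end up in the clean dictionary.
    """
    clean, errors = {}, []
    for name in params:
        if name not in rules:
            errors.append(f"unexpected parameter: {name}")
    for name, pattern in rules.items():
        value = params.get(name)
        if value is None:
            errors.append(f"missing parameter: {name}")
        elif not pattern.fullmatch(value):
            errors.append(f"invalid value for {name}")
        else:
            clean[name] = value
    return clean, errors


def render_comment(clean):
    """Output encoding is the second line of defence: even a value that passed
    validation is HTML-escaped before it is written back into a page."""
    return "<p>{}: {}</p>".format(
        html.escape(clean["username"]), html.escape(clean["comment"])
    )


# Constructed sample submissions: one well-formed, one carrying an undeclared
# parameter, a non-numeric item id and markup in the user name.
SAMPLE_GOOD = {"item_id": "1042", "quantity": "2",
               "username": "tdyck", "comment": "Works well."}
SAMPLE_BAD = {"item_id": "1042 x", "quantity": "2",
              "username": "<b>x</b>", "comment": "fine", "debug": "1"}


if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD):
        clean, errors = validate_form(sample)
        print("errors:", errors or "none")
        if not errors:
            print(render_comment(clean))
```

Two points carry over from the article. First, the table is the only place a field's rule lives, so adding a parameter without a rule is caught at runtime ("unexpected parameter") rather than silently accepted, which is the class of omission that produced the two cross-site scripting findings. Second, validation and output encoding are separate steps: the pattern limits what is stored, and `html.escape` makes sure that whatever is stored cannot be interpreted as markup when displayed.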

We hope that the slings and arrows aimed at our OpenHack site will help enterprise security managers better gauge the threat to their own systems and take the appropriate steps to mitigate it.

Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelor of mathematics degree in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a master of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.
