Much more dangerous were the approximately 240,000 malformed or illegal HTTP request attacks received by the OpenHack Web servers. Since this test was all about Web application security, manipulating HTTP requests and the parameters to those requests was the modus operandi of the more serious hackers (and is exactly the method Poteet used in his attacks).

Both Oracle and Microsoft used a multilayered approach to scrubbing HTTP traffic. Oracle added specific entries in its Apache Web server httpd.conf file to immediately block URL requests containing suspect characters before the request could reach the application server. Microsoft used its freely downloadable URLScan traffic filter to scan and clean HTTP traffic before it reached the ASP engine. Both approaches were very effective, blocking many tens of thousands of dangerous requests.

Oracle and Microsoft handled two other challenges—authenticating users and validating parameters—very differently, highlighting more fundamental differences between the Java and .Net development platforms.

The Oracle application was based quite closely on eWEEK Labs' reference application, which we had originally written in JSP and Java. This application used its own logic to authenticate users, check access control rights to pages and validate parameters. In fact, a significant portion of the code on each page is devoted to security, with hundreds of such checks. However, missed checks in two places, discovered by Poteet's trial-and-error probing, resulted in the successful cross-site scripting attacks. Both bugs were in our original code as well and had been there for some time, demonstrating how difficult it can be to find stealthy errors in existing code.

Its Internet Information Services Web server can't run JSP, so Microsoft had to rewrite the OpenHack application from scratch (although Microsoft's application was functionally identical to the original one).

Microsoft wrote the application using ASP .Net, which has pre-written APIs that make user authentication and parameter validation simple. For example, parameter validation is done declaratively using the visual Web form builder in Visual Studio .Net, and all the code to match user input to a validation-pattern regular expression is generated automatically. This approach helps to ensure that no security checks are missed and frees developer time for back-end business logic.

Oracle staff recommended that Java developers take advantage of various third-party Java frameworks for user management and forms handling to get the benefits of a more structured development process. In particular, they advised using The Apache Software Foundation's Struts project, at jakarta.apache.org/struts. Struts provides a declarative forms language that automates field and form state management as well as built-in data validation features, and it has emerged as a leading structured Web application development tool for Java.

We hope that the slings and arrows aimed at our OpenHack site will help enterprise security managers better gauge the threat to their own systems and take the appropriate steps to mitigate it.
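The contrast drawn above, between per-page hand-written checks that can be missed and a single declarative validation table, can be shown in a few lines. The following is an added example written for this article, not code from the OpenHack applications, Struts or ASP .Net; the parameter names, patterns and sample requests are constructed. It uses Python rather than Java or ASP so the idea is visible without framework scaffolding: every parameter must have a declared allow-list rule and fully match it, so an undeclared parameter is rejected instead of silently passing, and values that are echoed back are HTML-encoded as a second layer.

```python
import html
import re

# Declarative validation rules: one allow-list pattern per expected parameter.
# Constructed for this example; the real OpenHack rules are not on the page.
RULES = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,20}$"),
    "account_id": re.compile(r"^[0-9]{1,10}$"),
    "comment": re.compile(r"^[A-Za-z0-9 .,!?'-]{0,200}$"),
}


def validate_params(params, rules=RULES):
    """Return (accepted, rejected) for a request's parameters.

    A parameter is accepted only if it has a declared rule AND the whole value
    matches it. A parameter with no rule is rejected outright: that is what
    closes the 'missed check' gap a page-by-page approach leaves open.
    """
    accepted, rejected = {}, {}
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None:
            rejected[name] = "no validation rule declared"
        elif not rule.fullmatch(value):
            rejected[name] = "does not match allow-list pattern"
        else:
            accepted[name] = value
    return accepted, rejected


def render_greeting(username):
    """Second layer: encode before echoing, so anything that slipped past
    validation is rendered as text rather than interpreted as markup."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


# Constructed sample requests: one clean, one carrying markup in a field and
# an extra parameter the application never declared.
CLEAN = {"username": "alice_01", "account_id": "4711"}
HOSTILE = {"username": "<b>x</b>", "account_id": "4711", "debug": "1"}

if __name__ == "__main__":
    for req in (CLEAN, HOSTILE):
        ok, bad = validate_params(req)
        print("accepted:", ok, "rejected:", bad)
```

Running it shows the clean request accepted in full, while the second request has both its markup-bearing username and its undeclared debug parameter rejected.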
Accepting user-supplied parameters, taking actions based on that data and then storing the data in a corporate database is an inherently dangerous activity; organizations need to use all the standard tools at their disposal to help filter out dangerous input before it reaches their applications.