    Hack Smackdown

    Written by Timothy Dyck
    Published October 14, 2002

      With OpenHack 4, eWeek Labs and a group of technology providers are again entering the security ring to test enterprise systems' fortitude under real-world conditions.

      Each of the past three OpenHack tests was a challenge to hackers to take down an e-business Web site built, secured and monitored using common enterprise applications—and a unique opportunity to test these applications in the process (see story). With the OpenHack 4 test site, we're focusing on an area that's becoming increasingly problem-prone: application security.

      Indeed, previously unknown security holes in Web application code provided unauthorized entry past firewalls and led to the successful attacks against the OpenHack 1 and OpenHack 2 sites. Web application programming techniques, therefore, come under close scrutiny in OpenHack 4. (OpenHack 3, protected by a trusted operating system, was not successfully hacked.)

      Although every Web application is different, the basic techniques for securing them are the same: Input query string and HTTP form post parameters must be validated; code that generates HTML must guard against cross-site scripting attacks; code that accesses a database needs to prevent SQL injection attacks; and the database itself needs to be hardened against the applications (and their potential vulnerabilities) accessing it.

      However, making sure that all this happens with every variable, page and parameter in an application is challenging, to say the least. OpenHack 4 is intended not only as a test of development techniques and applications themselves but also as a demonstration of how to program defensively and how to provide multiple interlocking layers of security.
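      As an added illustration of the three coding checks the article lists (this is example code written for this page, not source from the OpenHack 4 applications), the Python below shows the string-built query pattern next to its validated, parameterized and HTML-encoded form; the product table and its rows are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed stand-in for a product table (not the OpenHack 4 test site's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (id, name) VALUES (?, ?)",
                     [(1, "Widget"), (2, "Gadget <deluxe>")])
    return conn

# Layer 1: validate the query-string or form parameter before any other code sees it.
PRODUCT_ID_RE = re.compile(r"^[0-9]{1,9}$")

def is_valid_product_id(raw):
    """Accept only a short decimal id; everything else is rejected outright."""
    return raw is not None and PRODUCT_ID_RE.match(raw) is not None

# Layer 2, the weak form: the parameter is pasted into the statement text, so the
# caller rather than the developer decides what SQL runs (the class of hole the
# article says let attackers past the OpenHack 1 and 2 sites).
def lookup_unsafe(conn, raw_id):
    sql = "SELECT name FROM products WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]

# Layer 2, hardened: validation first, then a bound parameter, so the value can
# only ever be compared as data.
def lookup_safe(conn, raw_id):
    if not is_valid_product_id(raw_id):
        raise ValueError("invalid product id")  # a real app would answer HTTP 400
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (int(raw_id),))
    return [row[0] for row in rows]

# Layer 3: every value written into HTML is encoded on output, so markup stored in
# the database or reflected from a parameter cannot become script in the browser.
def render_product(conn, raw_id):
    names = lookup_safe(conn, raw_id)
    if not names:
        return "<p>No such product</p>"
    return "<p>Product: %s</p>" % html.escape(names[0])
```

      The unsafe lookup returns every row for a tautological id, while the hardened path refuses the same input before it reaches the database and encodes whatever it does return.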

      In building the OpenHack site, we provided two major systems software vendors—Microsoft Corp. and Oracle Corp.—with a Web-based production application developed by eWeek Labs. We asked each vendor to recode the application using the security practices recommended for their platforms.

      Microsoft and Oracle deployed and secured the applications on their choice of hardware, operating system, application server and database. Each company was responsible for the security configuration of its servers.

      Microsoft implemented its application using .Net Framework, Internet Information Services 5.0 and SQL Server 2000, all running on Windows 2000 Advanced Server. Oracle developed its application using Oracle9i Application Server Release 2 and Oracle9i Database Release 2, both running on Red Hat Inc.'s Red Hat Linux Advanced Server 2.1.

      eWeek built and secured the rest of the site (see site diagram).

      Both the Microsoft and Oracle applications are up now at www.openhack.com, and we invite crackers from around the world to prove their “l33t skillz” (elite programming skills in hacker-speak) for the fun, challenge, public recognition and prize money. These prizes will be awarded for the successful completion of any of five separate penetration tasks. These represent successively more serious breaches of security: a cross-site scripting attack, a dynamic Web page source code disclosure, a Web page defacement, a SQL injection attack and theft of credit card data from the database. Denial-of-service attacks don't count and won't be credited. (See graphic for more details.)

      We feel confident, based on the coding and hardening that's been done, that none of these attacks is possible, and we hope this test will improve our current OpenHack record of one win and two losses.

      However, the first person to prove to eWeek Labs that he or she has succeeded at any crack wins for that category of attack. Only one prize will be awarded for each successful attack, and no hacks other than the ones described will merit prize money. We will acknowledge any interesting cracks, though, and their potential danger to enterprise security.

      To receive prize money, successful attackers must document cracking methodology and any security holes found.

      eWeek Labs, working with Oracle and Microsoft staffs, will fix security problems as we find them ourselves or learn about them from attackers.

      A major goal of OpenHack is to provide eWeek readers with information that will help them keep their sites more secure. Full details of the OpenHack site configuration and test updates will be available at www.openhack.com and www.eweek.com/openhack. (Based on past experience, the OpenHack site will be under heavy load for the first few days of the test, so the eWeek site will provide a second communication channel). After completion of the test, source code will also be made available.

      Those developing dynamic Web applications on either Microsoft or Oracle software will be able to cross-check our setup against their own configurations. The security techniques used are also general enough that they will apply to any organization developing Web applications that access database content. The Microsoft test application can be directly accessed at https://www.ms.openhack.com/default.aspx; the Oracle test application can be directly accessed at https://www.oracle.openhack.com/openhack/index.jsp.

      As the test proceeds, we'll be watching the logs and intrusion detection reports the way an owl watches for mice (or perhaps, given the attacks we might get, the way mice watch for owls).

      Are you ready to rumble? Let the hacking begin!

      West Coast Technical Director Timothy Dyck is at [email protected].

      Timothy Dyck
      Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelor of mathematics degree in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a master of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.
