With OpenHack 4, eWeek Labs and a group of technology providers are again entering the security ring to test enterprise systems fortitude under real-world conditions.
Each of the past three OpenHack tests was a challenge to hackers to take down an e-business Web site built, secured and monitored using common enterprise applications—and a unique opportunity to test these applications in the process (see story). With the OpenHack 4 test site, were focusing on an area thats becoming increasingly problem-prone: application security.
Indeed, previously unknown security holes in Web application code provided unauthorized entry past firewalls and led to the successful attacks against the OpenHack 1 and OpenHack 2 sites. Web application programming techniques, therefore, come under close scrutiny in OpenHack 4. (OpenHack 3, protected by a trusted operating system, was not successfully hacked.)
Although every Web application is different, the basic techniques for securing them are the same: Input query string and HTTP form post parameters must be validated; code that generates HTML must guard against cross-site scripting attacks; code that accesses a database needs to prevent SQL injection attacks; and the database itself needs to be hardened against the applications (and their potential vulnerabilities) accessing it.
However, making sure that all this happens with every variable, page and parameter in an application is challenging, to say the least. OpenHack 4 is intended not only as a test of development techniques and applications themselves but also as a demonstration of how to program defensively and how to provide multiple interlocking layers of security.
In building the OpenHack site, we provided two major systems software vendors—Microsoft Corp. and Oracle Corp.—with a Web-based production application developed by eWeek Labs. We asked each vendor to recode the application using the security practices recommended for their platforms.
Microsoft and Oracle deployed and secured the applications on their choice of hardware, operating system, application server and database. Each company was responsible for the security configuration of its servers.
Microsoft implemented its application using .Net Framework, Internet Information Services 5.0 and SQL Server 2000, all running on Windows 2000 Advanced Server. Oracle developed its application using Oracle9i Application Server Release 2 and Oracle9i Database Release 2, both running on Red Hat Inc.s Red Hat Linux Advanced Server 2.1.
eWeek built and secured the rest of the site (see site diagram).
Both the Microsoft and Oracle applications are up now at www.openhack.com, and we invite crackers from around the world to prove their “l33t skillz” (elite programming skills in hacker-speak) for the fun, challenge, public recognition and prize money. These prizes will be awarded for the successful completion of any of five separate penetration tasks. These represent successively more serious breaches of security: a cross-site scripting attack, a dynamic Web page source code disclosure, a Web page defacement, a SQL injection attack and theft of credit card data from the database. Denial-of-service attacks dont count and wont be credited. (See graphic for more details.)
We feel confident, based on the coding and hardening thats been done, that none of these attacks is possible, and we hope this test will improve our current OpenHack record of one win and two losses.
However, the first person to prove to eWeek Labs that he or she has succeeded at any crack wins for that category of attack. Only one prize will be awarded for each successful attack, and no hacks other than the ones described will merit prize money. We will acknowledge any interesting cracks, though, and their potential danger to enterprise security.
To receive prize money, successful attackers must document cracking methodology and any security holes found.
eWeek Labs, working with Oracle and Microsoft staffs, will fix security problems as we find them ourselves or learn about them from attackers.
A major goal of OpenHack is to provide eWeek readers with information that will help them keep their sites more secure. Full details of the OpenHack site configuration and test updates will be available at www.openhack.com and www.eweek.com/openhack. (Based on past experience, the OpenHack site will be under heavy load for the first few days of the test, so the eWeek site will provide a second communication channel). After completion of the test, source code will also be made available.
Those developing dynamic Web applications on either Microsoft or Oracle software will be able to cross-check our setup against their own configurations. The security techniques used are also general enough that they will apply to any organization developing Web applications that access database content. The Microsoft test application can be directly accessed at https://www.ms.openhack.com/default.aspx; the Oracle test application can be directly accessed at https://www.oracle.openhack.com/openhack/index.jsp.
As the test proceeds, well be watching the logs and intrusion detection reports the way an owl watches for mice (or perhaps, given the attacks we might get, the way mice watch for owls).
Are you ready to rumble? Let the hacking begin!
West Coast Technical Director Timothy Dyck is at [email protected]