ad info
   personal technology

 custom news
 Headline News brief
 daily almanac
 CNN networks
 CNN programs
 on-air transcripts
 news quiz

CNN Websites
 video on demand
 video archive
 audio on demand
 news email services
 free email accounts
 desktop headlines

 message boards




Hacking contest spotlights many ways to attack Web sites

November 3, 1999
Web posted at: 9:05 a.m. EST (1405 GMT)

by Stuart McClure and Joel Scambray


(IDG) -- Another hacking contest was held recently, offering a reward to the first individual able to subvert the "secured" versions of a Windows NT or Linux Web server. Although this particular challenge to the public is great for publicity, it does little to prove one platform's superiority over another's (at least as it pertains to security).

In our minds, the real measure of a secure OS is not how secure you can make an operating system, but how secure it is 90 percent of the time. In other words, how secure is the OS with the default, out-of-the-box settings? It's pointless to check the security level of an operating system after closing its leaks. Just about any operating system can be made secure (outside of the fundamental buffer-overflow flaws).

What the security community did gain from the hacking contest, however, is a bigger, brighter spotlight on a topic we've written and talked about many times: Web hacking.

In many ways Web hacking is different from traditional system or application hacking because the attack takes place almost entirely over HTTP (via TCP port 80). As a result, firewalls and most security software completely overlook Web hacking.

Speaking specifically, Web hacking is the art of taking advantage of mistakes in Web design. Whether they use default scripts to allow files to be uploaded onto a Web server or exploit a failure in the way a Web server treats environmental variables, Web hacking techniques can be potent attacks and difficult to defend against.

Anatomy of technique

The winner of this recent hacking contest was a hacker by the name of JFS, who is associated with the hacker group !Hispahack. JFS exploited a CGI Web-server vulnerability that allowed him to upload and execute any file at his whim. The blow-by-blow account of his technique is discussed online.

You may need to read it a couple of times, but it's well worth your while. JFS does an excellent job of describing the mindset of an attacker and how to deal with roadblocks and find ways around them.

The simple version of JFS' adventure is this: After discovering a package installed on the Linux Web server called photoads, JFS exploited a CGI program in the package called photo.cgi to upload a Linux binary file (disguised as a CGI script). Once the correctly handcrafted binary was uploaded onto the local system, he simply ran a setUID shell to copy his modified default Web page to the target system.

This example is but one of the numerous ways into a Web server. The simplicity of a dozen other attacks -- such as hidden tags, root-dot-dot bugs, server-side includes, and mod_perl HTML embedded commands -- have made Web-server hacking a popular pastime indeed.

  InfoWorld home page
  InfoWorld forums home page
  InfoWorld Internet commerce section
  Get Media Grok and The Industry Standard Intelligencer delivered for free
 Reviews & in-depth info at's personal news page
  Year 2000 World
  E-business World
  Chaos Computer Club offers hackers holiday
  How to stay secure online
  Questions about computers? Let's editors help you
  Subscribe to's free daily newsletter for IT leaders
  Search in 12 languages
 News Radio
 * Fusion audio primers
 * Computerworld Minute

If you don't believe us when we say incidents of Web hacking are widespread, just read the paper. The Associated Press recently picked up the story of George Bush's Web site being hacked. Also, check out the defaced-site list archive at

It's only just begun

The exploits performed by JFS and others to subvert poorly written or poorly coded applications are just now beginning to litter the information superhighway. We predict that during the next two to three years there will be a flood of hacking techniques discovered and exploited to subvert Web pages.

The very design of e-commerce applications requires the combination of numerous applications working together in a tight, well-orchestrated mesh of Web server, transaction server, and database. All of these products naturally increase the hacking opportunities. Short of implementing a secure operating system such as Gibraltar, from Argus Systems or a Web-filtering product such as AppShield, from Perfecto Technologies, there is no single-product solution to this problem outside of secure development and programming.

Firewalls can't really solve this problem either; they perform little application-content checking, even as a proxy firewall. Intrusion-detection solutions look only for known signatures or monitor logs, and there are literally millions of potential product and vulnerability-signature combinations in most e-commerce applications. Add to this the fact that these applications and the networks they run on are changing dynamically every minute, and you've got a difficult problem calling for a solution.

Today's solution is to employ security-savvy programmers, technicians, and managers to ferret out the holes in insecure programs. Then keep them well trained; the cost of keeping your staff ready is dwarfed by the potential losses due to a security breach. How do you address your Web-server security woes? Let us know!

tuart McClure is an independent security consultant with Rampart Security Group. Joel Scambray is a consultant with Ernst & Young. They have encountered numerous technologies during their 10 years in information security. They recently wrote the security book Hacking Exposed (Osborne/ McGraw-Hill).

Is it time for Net cops?
October 27, 1999
The hacker in all of us
October 12, 1999
Dictionary defines cyber-threats
October 4, 1999
Justice Dept. funds antihacking campaign
October 4, 1999
Bike Web site hacks itself after four attacks
October 4, 1999

Chaos Computer Club offers hackers holiday
(Network World Fusion)
New high-speed Net access services give unwanted snoopers a real opportunity
(InfoWorld Electric)
How secure is your Web site? Answer this quiz and find out!
Intrusion-detection software is hot, but can it really stop hackers cold?
(Network World Fusion)
Hotmail hack shows risks of Web e-mail
(Network World Fusion)
Interview with Carolyn Meinel, the Happy Hacker
(PC World Online)
Ernst & Young teaches the fine art of hacking at your site
(InfoWorld Electric)
New York Times Web site hacker group unearths an important role for the media
(InfoWorld Electric)
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

JFS' account of his contest-winning hack
Argus Systems
Perfecto Technologies
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.
Enter keyword(s)   go    help

Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.