November 3, 1999 Web posted at: 9:05 a.m. EST (1405 GMT) by Stuart McClure and Joel Scambray

From...

(IDG) -- Another hacking contest was held recently, offering a reward to the first individual able to subvert the "secured" versions of a Windows NT or Linux Web server. Although this particular challenge to the public is great for publicity, it does little to prove one platform's superiority over another's (at least as it pertains to security).

In our minds, the real measure of a secure OS is not how secure you can make an operating system, but how secure it is 90 percent of the time. In other words, how secure is the OS with the default, out-of-the-box settings? It's pointless to check the security level of an operating system after closing its leaks. Just about any operating system can be made secure (outside of the fundamental buffer-overflow flaws).

What the security community did gain from the hacking contest, however, is a bigger, brighter spotlight on a topic we've written and talked about many times: Web hacking.

In many ways Web hacking is different from traditional system or application hacking because the attack takes place almost entirely over HTTP (via TCP port 80). As a result, firewalls and most security software completely overlook Web hacking.

Speaking specifically, Web hacking is the art of taking advantage of mistakes in Web design. Whether they use default scripts to allow files to be uploaded onto a Web server or exploit a failure in the way a Web server treats environmental variables, Web hacking techniques can be potent attacks and difficult to defend against.

Anatomy of technique

The winner of this recent hacking contest was a hacker by the name of JFS, who is associated with the hacker group !Hispahack. JFS exploited a CGI Web-server vulnerability that allowed him to upload and execute any file at his whim. The blow-by-blow account of his technique is discussed online.

You may need to read it a couple of times, but it's well worth your while. JFS does an excellent job of describing the mindset of an attacker and how to deal with roadblocks and find ways around them.

The simple version of JFS' adventure is this: After discovering a package installed on the Linux Web server called photoads, JFS exploited a CGI program in the package called photo.cgi to upload a Linux binary file (disguised as a CGI script). Once the correctly handcrafted binary was uploaded onto the local system, he simply ran a setUID shell to copy his modified default Web page to the target system.

This example is but one of the numerous ways into a Web server. The simplicity of a dozen other attacks -- such as hidden tags, root-dot-dot bugs, server-side includes, and mod_perl HTML embedded commands -- have made Web-server hacking a popular pastime indeed.

MORE COMPUTING INTELLIGENCE
	IDG.net home page
InfoWorld home page
InfoWorld forums home page
InfoWorld Internet commerce section
Get Media Grok and The Industry Standard Intelligencer delivered for free
Reviews & in-depth info at IDG.net
IDG.net's personal news page
Year 2000 World
E-business World
Chaos Computer Club offers hackers holiday
How to stay secure online
Questions about computers? Let IDG.net's editors help you
Subscribe to IDG.net's free daily newsletter for IT leaders
Search IDG.net in 12 languages
News Radio
	Fusion audio primers
	Computerworld Minute

If you don't believe us when we say incidents of Web hacking are widespread, just read the paper. The Associated Press recently picked up the story of George Bush's Web site being hacked. Also, check out the defaced-site list archive at Attrition.org.

It's only just begun

The exploits performed by JFS and others to subvert poorly written or poorly coded applications are just now beginning to litter the information superhighway. We predict that during the next two to three years there will be a flood of hacking techniques discovered and exploited to subvert Web pages.

The very design of e-commerce applications requires the combination of numerous applications working together in a tight, well-orchestrated mesh of Web server, transaction server, and database. All of these products naturally increase the hacking opportunities. Short of implementing a secure operating system such as Gibraltar, from Argus Systems or a Web-filtering product such as AppShield, from Perfecto Technologies, there is no single-product solution to this problem outside of secure development and programming.

Firewalls can't really solve this problem either; they perform little application-content checking, even as a proxy firewall. Intrusion-detection solutions look only for known signatures or monitor logs, and there are literally millions of potential product and vulnerability-signature combinations in most e-commerce applications. Add to this the fact that these applications and the networks they run on are changing dynamically every minute, and you've got a difficult problem calling for a solution.

Today's solution is to employ security-savvy programmers, technicians, and managers to ferret out the holes in insecure programs. Then keep them well trained; the cost of keeping your staff ready is dwarfed by the potential losses due to a security breach. How do you address your Web-server security woes? Let us know!

tuart McClure is an independent security consultant with Rampart Security Group. Joel Scambray is a consultant with Ernst & Young. They have encountered numerous technologies during their 10 years in information security. They recently wrote the security book Hacking Exposed (Osborne/ McGraw-Hill).