WebApp Sec: Re: eWeek OpenHack challenge

Re: eWeek OpenHack challenge

From: Kevin Spett <kspett_at_spidynamics.com>
Date: Wed, 23 Oct 2002 15:55:31 -0400

What are you talking about? Check out
ftp://ftp.eweek.com/pub/eweek/pdf/printpub/19/41p38.pdf. There are *ten*
Unix hosts on the OpenHack network, including Linux webservers, database
servers and OpenBSD nameservers, mailserver and firewalls.
Secondly, the focus of this is the web application layer. We're not talking
about kernel hacking here. The underlying operating system is largely (yes,
there are minor exceptions) irrelevant. Just look at the kind of things
they expect people to try-- SQL injection, cross-site scripting, etc. A
poorly designed web application is breakable regardless of what's running
underneath it.
Also, if the competition is "baseless" and "irrelevant", it's simply because
of the unbelievably ridiculous amount of care that went into the security
preparations. There are probably only a handful of web applications in the
world that got the security treatment that this thing did. The only way in
is probably through 0-day holes, and no one's wasting precious 0-day style
on OpenHack, where they'd find out what the issue was and patch it?

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Bryce Porter" <bryce_at_thewebcircuit.com>
To: "David Wong" <david.wong_at_foundstone.com>
Cc: <webappsec_at_securityfocus.com>
Sent: Tuesday, October 22, 2002 6:02 PM
Subject: Re: eWeek OpenHack challenge

> this is a joke. they are so narrow in presenting this and they fail to
> realize that the majority of web used in commercial applications run on some
> kind of Unix variant like Linux, HP-UX, AIX or some BSD. making a contest
> that applies to the minority of commercial applications is pretty shallow
> and baseless in my opinion.
>
> ----- Original Message -----
> From: "David Wong" <david.wong_at_foundstone.com>
> To: <webappsec_at_securityfocus.com>
> Sent: Monday, October 21, 2002 12:27 AM
> Subject: eWeek OpenHack challenge
>
>
> > eWeek is starting the 4th iteration openhack (http://www.openhack.com)
> > contest this week (http://www.eweek.com/category2/1,3960,600431,00.asp)
> >
> > This year, it's focused on application security.
> >
> > Comments?
> >
>
>
>
Received on Oct 23 2002
