Last week, HP (NYSE: HPQ) held a hacking challenge to test participants’ security abilities.
The challenge had both an internal HP and a public online component, with the purpose of teaching people about security by putting them through a series of challenges. Those challenges were based on real-world login examples, with participants trying to figure out how to break in by taking advantage of Web application security vulnerabilities.
While HP has a number of commercial products that are used to help IT administrators secure their environments, the company believes that tools alone are not enough to meet the hacking challenge.
“Most of our log-in challenges were designed to subvert tools,” Matt Wood, senior security researcher at HP’s Web Security Research Group, told InternetNews.com. “The way they were designed, HP WebInspect or any other Web application scanning tool would not have been able to identify every single one of the hacks automatically.”
The fifth challenge involved a SQL injection vulnerability that participants needed to exploit. SQL injection is among the most commonly found types of vulnerability. The Heartland Payment Systems security breach, which nabbed over 130 million credit cards, stemmed from a SQL injection.
The challenges were not just theoretical scenarios.
“Basically, the challenges were very distilled versions of examples we saw online,” Wood said.
The most difficult level of the HP hacking challenge was the hidden sixth level, which only two people were able to solve. Wood declined to detail the vulnerability, though he did hint at what it involved.
“While you’re visiting Web pages, the Web browser makes specific requests to files that are on the Web page that you’re not even aware you are making requests for,” Wood said. “So your browser makes a request for the favicon, the little icon that shows up in a browser address bar, and there are other little ones like that where if you’re not monitoring those requests through a proxy, you might miss the hint for the hidden challenge.”
Overall, Wood noted that the challenge results serve as validation that more education is needed when it comes to Web security techniques. Web scanners alone aren’t enough to secure applications for a number of important reasons.
“Trying to use a Web page automatically is really different from a user trying to use the Web page,” Wood said. “We have all sorts of visual cues, like images and font sizes that are difficult techniques for an automated scanner to detect.”