HP Hacking Challenge Yields Surprising Results

Last week, HP (NYSE: HPQ) held a hacking challenge to test participants’ security abilities.

The challenge had both an internal HP and a public online component, with the purpose of teaching people about security by putting them through a series of challenges. Those challenges were based on real-world login examples, with participants trying to figure out how to break in by taking advantage of Web application security vulnerabilities.

While HP has a number of commercial products that are used to help IT administrators secure their environments, the company believes that tools alone are not enough to meet the hacking challenge.

“Most of our log-in challenges were designed to subvert tools,” Matt Wood, senior security research at HP web security research group, told InternetNews.com. “The way they were designed, HP WebInspect or any other Web application scanning tool would not have been able to identify every single one of the hacks automatically.”

HP WebInspect is HP’s automated test suite for helping users quickly find security vulnerabilities. The platform was upgraded earlier this year to version 8, with additional Flash and JavaScript inspection capabilities.

Wood said 446 individuals participated in the hacking challenge, of whom 52 percent were able to solve the first challenge, which was a JavaScript log-in that could be determined and bypassed by a researcher if they simply viewed the underlying HTML source code.

“They viewed the source code and were able to understand the JavaScript,” Wood said. “It gives you a good baseline of how many people understand what is on the Internet and how willing they are to explore a Web page beyond just looking at a page inside of a browser.”

While more than half the participants could solve the JavaScript challenge, by the fifth level only 9 percent of the 446 participants made the cut.

The fifth challenge involved a SQL injection vulnerability that participants needed to exploit. SQL Injection attacks are among the most commonly found type of vulnerabilities. The Heartland Payment Systems security breach, which nabbed over 130 million credit cards, stemmed from a SQL Injection.

The challenges were not just theoretical scenarios.

“Basically, the challenges were very distilled versions of examples we saw online,” Wood said.

The most difficult level of the HP hacking challenge was the hidden sixth level, which only two people were able to solve. Wood declined to detail the vulnerability, though he did hint at what it involved.

“While you’re visiting Web pages, the Web browser makes specific requests to files that are on the Web page that you’re not even aware you are making requests for,” Wood said. “So your browser makes a request for the .fav icon, the little icon that shows up in a browser address bar, and there are other little ones like that where if you’re not monitoring those requests through a proxy, you might miss the hint for the hidden challenge.”

Overall, Wood noted that the challenge results serve as validation that more education is needed when it comes to Web security techniques. Web scanners alone aren’t enough to secure applications for a number of important reasons.

“Trying to use a Web page automatically is really different from a user trying to use the Web page,” Wood said. “We have all sorts of visual cues, like images and font sizes that are difficult techniques for an automated scanner to detect.”

News Around the Web