Whenever I bring up the OpenHack 4 competition, most people aren’t aware of it. It was an interesting study because it was effectively an open “hack me with your best shot” competition.
I happened to know the folks on the MS side, like Erik Olson and Girish Chander, who helped secure the application, so it had some of the best available security engineering. In fact, customers commented that it’s great that Microsoft can secure its applications … but what about its customers? That comment was the inspiration for our Improving Web Application Security: Threats and Countermeasures guide.
I’ve summarized OpenHack 4 here, so it’s easier for me to reference.
Overview of OpenHack 4
In October 2002, eWeek Labs launched its fourth annual OpenHack online security contest. It was designed to test enterprise security by exposing systems to the real-world rigors of the Web. Microsoft and Oracle were given a sample Web application by eWeek and were asked to redevelop the application using their respective technologies. Individuals were then invited to attempt to compromise the security of the resulting sites. Acceptable breaches included cross-site scripting attacks, dynamic Web page source code disclosure, Web page defacement, posting malicious SQL commands to the databases, and theft of credit card data from the databases used.
Outcome of the Competition
The Web site built by Microsoft engineers using the Microsoft .NET Framework, Microsoft Windows 2000 Advanced Server, Internet Information Services 5.0, and Microsoft SQL Server 2000 successfully withstood over 82,500 attempted attacks to emerge from the eWeek OpenHack 4 competition unscathed.
For more information on the implementation details of the Microsoft Web application and the configuration used for the OpenHack competition, see “Building and Configuring More Secure Web Sites: Security Best Practices for Windows 2000 Advanced Server, Internet Information Services 5.0, SQL Server 2000, and the .NET Framework”.