"The security guys have landed. Again."

Just in time for this year's TechEd, my team and I have prepared a new security challenge for everyone inside and outside the SDN/BPX community attending the conference in Munich.

What's in it for you? As has almost become a tradition over the past years, we will give away an iPod to the winner of our contest. This year it will be a nice, black 30 GB iPod.

OK, how can you win? We have built yet another insecure Web application (on purpose, naturally) and you have to find the weak points. We will provide a list of 3 tasks, each with one hidden vulnerability associated with it. Those who find all the bugs in 30 minutes qualify for the showdown. Showdown means that the best three compete live in a final round.

You have no idea how to do that? No problem at all, just visit the Security Zone in the SDN Clubhouse and we will show you how.
If you have never been confronted with attacks at the application level, this will be an eye-opener, especially for those of you who live in the non-geek world. So there are no excuses not to visit.

As a warm-up and first part of the challenge, check out these few lines of code and find out what kind(s) of attack is/are possible here. Just come up to the Security Zone with your findings and you'll get some extra points for the competition.

--


// really dangerous, don't-do-this-at-work JSP code
<%
   String aboutMe = "";
   aboutMe = (String) request.getParameter("aboutme");

   if (aboutMe == null) {
      aboutMe = "";
   }

   aboutMe = aboutMe.replaceAll("://|\"|<|>", "");
%>
   <table border="0" cellpadding="0" cellspacing="0" width="100%">
      <tr>
         <td>The author's "about me" page</td>
      </tr>
      <tr>
         <td>
            <iframe src="<%=aboutMe%>"></iframe>
         </td>
      </tr>
   </table>

--

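For contrast, here is an added example (my own illustration, not code from the original post or from the challenge application) of how a defender would handle the same iframe source: instead of deleting a few characters from whatever the user sent, the value is parsed as a URI, checked against an allowlist of schemes and hosts, and escaped for use inside an HTML attribute. The class name, method names and the allowed hosts are assumptions chosen for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example, not part of the original post: allowlist-based validation of
// a user-supplied iframe src value. Names and allowed hosts are hypothetical.
public final class FrameSourcePolicy {

    // Hosts this page is willing to embed (assumed values for the example).
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.sap.com", "sdn.sap.com");

    private FrameSourcePolicy() {}

    /**
     * Returns an attribute-escaped URL string safe to place in src="...",
     * or null when the input does not satisfy the policy. The caller should
     * then omit the iframe (or use a fixed default), never echo the raw input.
     */
    public static String safeFrameSource(String candidate) {
        if (candidate == null || candidate.length() > 2048) {
            return null;
        }
        final URI uri;
        try {
            uri = new URI(candidate.trim());
        } catch (URISyntaxException e) {
            return null;                    // not a syntactically valid URI
        }
        // Scheme allowlist: only absolute http(s) URLs, compared case-insensitively.
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return null;
        }
        // Host allowlist: relative URLs have no host and are rejected here as well.
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return null;
        }
        // Userinfo ("user@host") and explicit ports are not needed for this page,
        // so they are rejected to keep the accepted shape simple and predictable.
        if (uri.getRawUserInfo() != null || uri.getPort() != -1) {
            return null;
        }
        // Re-serialize from the parsed form, then escape for an HTML attribute so
        // the value can neither terminate the attribute nor the tag.
        return escapeAttribute(uri.toASCIIString());
    }

    /** Minimal HTML attribute escaping; prefer a library such as the OWASP Java Encoder in production. */
    static String escapeAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the example.
        String[] samples = {
            "https://www.sap.com/about",        // accepted
            "https://www.sap.com/a?x=1&y=2",    // accepted, '&' escaped in the output
            "https://other.example/page",       // host not in the allowlist: rejected
            "mailto:someone@example.com",       // non-http(s) scheme: rejected
            "/relative/path",                   // no scheme and no host: rejected
        };
        for (String s : samples) {
            System.out.println(s + " -> " + safeFrameSource(s));
        }
    }
}
```

In the JSP, the page would call `FrameSourcePolicy.safeFrameSource(request.getParameter("aboutme"))` once, render the `<iframe>` only when the result is non-null, and otherwise render nothing. The point of the contrast with the snippet above is the direction of the check: a blocklist that deletes characters has to anticipate every shape an attacker might send, whereas an allowlist only has to describe the handful of shapes the page actually needs, and the output encoding is applied at the point where the value enters the HTML.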
Again, if you have no idea what the problem might be, just come up to me and I will enlighten you.

So, with this year's approach, I hope there's something in it for all of you. And I am very much looking forward to welcoming a lot of aspiring security experts in the Clubhouse.

Cheers,
Andreas