Comment: As realistic as possible my eye! (Score 2, Interesting)
This site isn't "realistic" at all!
A "realistic" website would have some dynamically created pages, or forms, or a shopping cart. These guys have set up a "realistic" site meaning that it serves some html pages via http. All their pages are static.
The site is probably indeed unhackable. That is, unless someone discovers a buffer overflow in URLScan or IIS itself and doesn't notify M$ before they develop an exploit. But, the site's also useless to any business who actually uses the internet for generating revenue instead of just a glorified phone book.
Setting up a hardened server with static pages is simple... refuse all verbs except for GET; don't process any user input (= no asp/perl/php pages, no forms); run it under a non-privileged account with access to absolutely nothing (no databases, no files other than the static html); disable all of the web admin services.
If they were to write some ASP using a MS SQL database backend and then challenge the security community to a duel, I'd be impressed.
A chrooted 'nobody' context apache server running pages off of a ramdisk that's updated from CD every half hour would be just as unhackable. Plus, with syncookies enabled, it would be faster and less susceptible to the /. effect. That site is crawling! But, again with static-only pages, what's it good for?
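The static-only hardening the comment sketches (GET/HEAD only, no user input processed, unprivileged account, no admin or scripting modules), written out as an Apache httpd 2.4 configuration. This is an added example, not the commenter's setup or any real site's config; the document root, hostname and group name are assumed.

```apache
# Added example: a static-only, hardened Apache httpd 2.4 vhost.
# Assumed: /srv/static is the read-only content dir (e.g. a ramdisk refreshed
# from CD); "nobody"/"nogroup" are the unprivileged account and group.
ServerTokens Prod        # no version banner
ServerSignature Off
TraceEnable Off          # refuse TRACE
User nobody
Group nogroup

# Only the core and these static-serving modules are loaded; no mod_cgi,
# mod_php, mod_include, mod_status, mod_info (assumed not loaded elsewhere).
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule mime_module       modules/mod_mime.so
LoadModule dir_module        modules/mod_dir.so

# Deny everything on the filesystem by default; .htaccess cannot re-enable it.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

<VirtualHost *:80>
    ServerName www.example.test   # assumed hostname
    DocumentRoot "/srv/static"

    <Directory "/srv/static">
        Options None              # no Indexes, ExecCGI, Includes or symlink following
        AllowOverride None
        Require all granted
        # Refuse every verb except GET and HEAD (POST, PUT, DELETE, ... get 403).
        <LimitExcept GET HEAD>
            Require all denied
        </LimitExcept>
    </Directory>

    # Nothing here accepts input: no forms, no script handlers, no upload path.
    # Keep request sizes small since no legitimate GET needs more.
    LimitRequestLine 1024
    LimitRequestFieldSize 1024
    LimitRequestFields 50
</VirtualHost>

# Host-side, to go with the "syncookies" remark (Linux, run as root):
#   sysctl -w net.ipv4.tcp_syncookies=1
```

Verify the policy from a client with `curl -i -X POST http://www.example.test/` (expect 403) and `curl -i http://www.example.test/` (expect 200 with only static content).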