Positive Technologies
Proactive Site Protection Stood up to the Hacker Pressure

Bitrix, Inc. and Positive Technologies organized a competition during the Chaos Constructions '2009 (CC9) computer festival. Contestants were asked to bypass the Proactive Protection of a specially built site running on the «1C-Bitrix: Site Management» platform with its Web Application Firewall (WAF) filter enabled, and to exploit deliberately planted vulnerabilities of various types.
Positive Technologies had previously tested the «1C-Bitrix: Site Management» WAF and confirmed its compliance with the Web Application Firewall Evaluation Criteria developed by the Web Application Security Consortium. Over 600 experts attempted the competition task and tried to exploit the planted vulnerabilities (SQL Injection, Cross-Site Scripting, Path Traversal, and Local File Inclusion). During the two festival days, more than 25,000 attacks were registered and repelled. The contestants were not limited to festival attendees; anyone was welcome to attack the site over the Internet.
The competition results were evaluated by a group of security experts from Positive Technologies and Bitrix, Inc. Marsel Nizaque, an information security expert from Bitrix, Inc., noted: «In the course of the competition, we observed contestants trying to bypass the Proactive Protection and progressively increasing the complexity of their attacks. The only way to bypass the protection was found by a highly skilled expert, who managed to make use of Internet Explorer weaknesses. The exploit he proposed was able to bypass our WAF, as well as all the filters of other professional developers we know of. To be more precise, it does not bypass ours any more. I am quite satisfied with the competition results. We had a chance to test the Proactive Protection system under extremely harsh conditions. Based on the competition results, we improved the product algorithms and provided our customers with a higher level of security. We shall keep investigating information security issues and improving the product's protection system».
Dmitri Evteev, an information security expert from the Consulting and Audit Department of Positive Technologies, made special mention of the high engineering competence of the contestants: “One of the developers of the w3af web application security scanner visited the festival; he was among the participants trying to conduct an attack. Many contestants worked almost continuously! During the competition, the Proactive Protection with WAF, as well as the entire Bitrix platform, went through excellent stress testing. The competition results were predictable; they coincide with the results obtained during certification of the Proactive Protection module. We expected that the contestants would manage to exploit a Cross-Site Scripting vulnerability, because if attacks of this type were blocked absolutely, there would be a large number of false alerts. Nobody managed to exploit any critical vulnerabilities.”
The competition winners are:
Vladimir Vorontsov (nickname d0znp), an information security expert. Vladimir was the first to find the most complicated and interesting way to bypass the Proactive Protection filter, a technique that works in Internet Explorer only and exploits its weaknesses. First place was rewarded with a communicator.
Second and third places went to the contestants with the nicknames insa (who found a small typo in the code of the Proactive Protection filter) and ParanoidChaos (awarded for the enthusiasm and persistence shown) respectively. Second and third places were rewarded with licenses for the «1C-Bitrix: Site Management» product.
Dmitri Evteev conducting a seminar on Web Application Firewall bypass methods at the festival.
Copyright © 2002-2010 Positive Technologies