September 2, 2009 at 13:12Crash test for CMS
The idea of creating a module for Proactive Defense (Web Application Firewall) came to mind a very long time ago. But it was possible to implement it only in version 8.0 this spring. And immediately ideas arose, and not whether to check the protection system and whether to arrange an open competition.
Many have asked me - why do we need this? To which I can only answer that the goal of the entire defense system and the entire competition is to make our product better, to give more confidence to customers and developers. And this can only be done in practice.
For some reason, an analogy with cars comes to mind. In the first cars, they did not even think about the safety of the driver and passengers. Then passive safety systems appeared, i.e. who protected people already at the time of the accident. This is for example airbags in the car. And as a next step, active protection systems appeared - ABS, stability control systems ESP, EBD, etc. These systems already help the driver to avoid an accident, taxi for him, get him out of the drift, save his life ...
It turns out that we are using the "Proactive Defense" system to avoid problematic situations even when the situation was not under control. But as in cars, you can check the reliability of systems only by arranging a crash test .
And such an opportunity turned up. Last weekend in St. Petersburg there was a hacker festival (that's what it's called) Chaos Construction 2009.
Together with Positive Technologies , our long-standing partners, we organized a contest, the participants of which needed to be able to circumvent the site's “Proactive Defense” system and use pre-prepared different types of vulnerabilities.
Those. we deliberately created a site with four pages on each of which created different types of vulnerabilities: SQL-Injection, Cross-Site Scripting (XSS), Path Traversal and Local File Including.
After that, we turned on our Web Application Firewall system, which has been included in the product since version 8.0 and, if I may say so, shielded error pages.
Such a test repeats the situation of errors made by web developers when creating the site, and verifies that their protection system successfully screened them.
We all really wanted to know the result of the test and understand whether someone could find ways to work around and how difficult it would be.
Within two days, the server was available for competitors. Over 25,000 attacks were recorded and repelled. The competition was attended by hackers who attended the CC9 festival and worked with the site via the Internet. In total, about 600 people participated in the competition.
With Marcel Nizamutdinov, our information security specialist, we discussed the course of the competition. I will give the comment Marcel gave:
“Throughout the competition, we observed from the side how actively the participants tried to circumvent the“ Proactive Defense ”, gradually increasing the complexity of the options. The only and unique workaround was found by a highly skilled specialist who managed to exploit the flaws of Internet Explorer. The option he proposed circumvented not only our WAF, but also all the filters of other professional developers known to us. More precisely, ours is not getting around :) I am very pleased with the results of the contest. We were able to test the Proactive Defense system in very difficult conditions. According to the results of the competition, we improved the product algorithms and provided a greater level of security for our customers. We will continue to research information security issues and improve the product protection system. ”
Indeed, according to the results of the competition, we gave out 3 prizes.
I place was taken by Vladimir Vorontsov (pseudonym d0znp). He was the first to find a complex and interesting way to bypass the Proactive Defense filter, which works exclusively in Internet Explorer and uses its shortcomings.
As colleagues from Positive Technologies commented on me, Vladimir Vorontsov, an expert in the field of information security, is professionally involved in analyzing the security of Web applications, the author of many articles in various thematic magazines on information security, and supports the onsec.ru project.
The prize for first place is the HTC T4242 Cruise Touch II. The prize was awarded to the winner personally in our Moscow office. The winner refused to be photographed for reasons known to him.
He himself commented on the contest: “It's nice that the developers pay such attention to the issue of the safety of their products and quickly eliminate the risks. "I would like to wish other web application developers to keep the same course in their relations with information security researchers."
II place was taken by a participant with the pseudonym insa, who discovered a small typo in the code of the Proactive Defense filter.
The third place for the enthusiasm in the competition was taken by the participant ParanoidChaos.
Prizes for second and third place - licenses for the product "1C-Bitrix: Site Management" (edition of "Standard").
As Marcel already said, the identified Proactive Defense bypass features have been taken into account and the corresponding changes have been made to the Web Application Firewall filter. We closed the method by which the winner used the features of IE and an update to the filter was already received in the SiteUpdate update system.
I’ll give another comment by Dmitry Evteev, an information security expert at the consulting and audit department of Positive Technologies: “One of the developers of the w3af web application security scanner, who, together with other participants, tried to attack, was present at the SS. Many of the WAF filter bypass contestants worked almost continuously! The contest conducted excellent stress testing of both proactive defense with WAF and the entire 1C-Bitrix platform. The results of the competition are expected and coincide with those obtained during the certification of the proactive defense module. We assumed that participants would be able to demonstrate the exploitation of the Cross-Site Scripting vulnerability, since the complete blocking of this type of attack leads to a large number of false positives. Nobody managed to exploit critical vulnerabilities. ”
I believe that we coped with a difficult task very well! I think that we will continue to make efforts in the direction of security. Perhaps we will take part in this or similar international competitions to test the product and ourselves in the future.
I take this opportunity to draw the attention of developers to the fact that despite our optimism, Proactive Defense does not shield the head. You should still try to write secure applications, think about the solutions you create. And just like the exchange rate stability systems in cars, Proactive Defense does not guarantee avoidance of a collision with a tree, it is only an effective tool to help you in your daily work. Good luck everyone!
A couple more photos from the festival. But strange, there were few of them on the network and almost all without faces.
Many have asked me - why do we need this? To which I can only answer that the goal of the entire defense system and the entire competition is to make our product better, to give more confidence to customers and developers. And this can only be done in practice.
For some reason, an analogy with cars comes to mind. In the first cars, they did not even think about the safety of the driver and passengers. Then passive safety systems appeared, i.e. who protected people already at the time of the accident. This is for example airbags in the car. And as a next step, active protection systems appeared - ABS, stability control systems ESP, EBD, etc. These systems already help the driver to avoid an accident, taxi for him, get him out of the drift, save his life ...
It turns out that we are using the "Proactive Defense" system to avoid problematic situations even when the situation was not under control. But as in cars, you can check the reliability of systems only by arranging a crash test .
And such an opportunity turned up. Last weekend in St. Petersburg there was a hacker festival (that's what it's called) Chaos Construction 2009.
Together with Positive Technologies , our long-standing partners, we organized a contest, the participants of which needed to be able to circumvent the site's “Proactive Defense” system and use pre-prepared different types of vulnerabilities.
Those. we deliberately created a site with four pages on each of which created different types of vulnerabilities: SQL-Injection, Cross-Site Scripting (XSS), Path Traversal and Local File Including.
After that, we turned on our Web Application Firewall system, which has been included in the product since version 8.0 and, if I may say so, shielded error pages.
Such a test repeats the situation of errors made by web developers when creating the site, and verifies that their protection system successfully screened them.
We all really wanted to know the result of the test and understand whether someone could find ways to work around and how difficult it would be.
Within two days, the server was available for competitors. Over 25,000 attacks were recorded and repelled. The competition was attended by hackers who attended the CC9 festival and worked with the site via the Internet. In total, about 600 people participated in the competition.
With Marcel Nizamutdinov, our information security specialist, we discussed the course of the competition. I will give the comment Marcel gave:
“Throughout the competition, we observed from the side how actively the participants tried to circumvent the“ Proactive Defense ”, gradually increasing the complexity of the options. The only and unique workaround was found by a highly skilled specialist who managed to exploit the flaws of Internet Explorer. The option he proposed circumvented not only our WAF, but also all the filters of other professional developers known to us. More precisely, ours is not getting around :) I am very pleased with the results of the contest. We were able to test the Proactive Defense system in very difficult conditions. According to the results of the competition, we improved the product algorithms and provided a greater level of security for our customers. We will continue to research information security issues and improve the product protection system. ”
Indeed, according to the results of the competition, we gave out 3 prizes.
I place was taken by Vladimir Vorontsov (pseudonym d0znp). He was the first to find a complex and interesting way to bypass the Proactive Defense filter, which works exclusively in Internet Explorer and uses its shortcomings.
As colleagues from Positive Technologies commented on me, Vladimir Vorontsov, an expert in the field of information security, is professionally involved in analyzing the security of Web applications, the author of many articles in various thematic magazines on information security, and supports the onsec.ru project.
The prize for first place is the HTC T4242 Cruise Touch II. The prize was awarded to the winner personally in our Moscow office. The winner refused to be photographed for reasons known to him.
He himself commented on the contest: “It's nice that the developers pay such attention to the issue of the safety of their products and quickly eliminate the risks. "I would like to wish other web application developers to keep the same course in their relations with information security researchers."
II place was taken by a participant with the pseudonym insa, who discovered a small typo in the code of the Proactive Defense filter.
The third place for the enthusiasm in the competition was taken by the participant ParanoidChaos.
Prizes for second and third place - licenses for the product "1C-Bitrix: Site Management" (edition of "Standard").
As Marcel already said, the identified Proactive Defense bypass features have been taken into account and the corresponding changes have been made to the Web Application Firewall filter. We closed the method by which the winner used the features of IE and an update to the filter was already received in the SiteUpdate update system.
I’ll give another comment by Dmitry Evteev, an information security expert at the consulting and audit department of Positive Technologies: “One of the developers of the w3af web application security scanner, who, together with other participants, tried to attack, was present at the SS. Many of the WAF filter bypass contestants worked almost continuously! The contest conducted excellent stress testing of both proactive defense with WAF and the entire 1C-Bitrix platform. The results of the competition are expected and coincide with those obtained during the certification of the proactive defense module. We assumed that participants would be able to demonstrate the exploitation of the Cross-Site Scripting vulnerability, since the complete blocking of this type of attack leads to a large number of false positives. Nobody managed to exploit critical vulnerabilities. ”
I believe that we coped with a difficult task very well! I think that we will continue to make efforts in the direction of security. Perhaps we will take part in this or similar international competitions to test the product and ourselves in the future.
I take this opportunity to draw the attention of developers to the fact that despite our optimism, Proactive Defense does not shield the head. You should still try to write secure applications, think about the solutions you create. And just like the exchange rate stability systems in cars, Proactive Defense does not guarantee avoidance of a collision with a tree, it is only an effective tool to help you in your daily work. Good luck everyone!
A couple more photos from the festival. But strange, there were few of them on the network and almost all without faces.