It's been really a long time ago that the
Everyone would agree that this sort of software testing makes it possible to identify and eliminate a number of code errors and weak spots. Such measures prevent unwanted system breakdowns in advance, much like a crash test in the automobile industry determines whether a vehicle is safe for its occupants.
The Bitrix’s Russian Representation Office and the "Positive Technologies" team organized a competition at the "
The competition was intended to show how the Proactive Protection security module works in action. It was also organized to collect more examples for analyzing common mistakes that site developers make during website creation and customization.
25,000 attacks on Bitrix carried out by more than 600 hackers
There were more than 600 competitors trying to evade the Proactive Protection security filter (
The IT security experts say the level of technical knowledge was high
The competition results were judged and evaluated by a group of web security experts from both the Bitrix and Positive Technologies teams.
"We’ve been increasing the level of protection measures during the competition, as we’d noticed that the participants had really been active in attacking the Proactive Protection security module. The only efficacious method was discovered by a really professional IT specialist who could use some of the Internet Explorer drawbacks and turn them into a tool to evade the Bitrix protection. This technique is actually able not only to evade our WAF security filter, but also the security filters of all other professional software products. We’ve proved that the Bitrix security mechanism can withstand severe conditions. These competition test results were used in modifying our software products, thus giving our customers an even greater level of security. We will keep conducting research in the IT security field, which will allow us to strengthen our software products more and more," said Marcel Nizaque, Bitrix, Inc. IT security specialist.
Dmitry Evteyev, Positive Technologies IT security expert, also said that the competitors had a very high level of technical knowledge: "A very well-known IT security scanner developer, nicknamed w3af, was also spotted attacking the Bitrix system alongside the other competitors. Some of the competitors tried restlessly to bring down the WAF filter security during the two days of the competition, attacking it non-stop! The competition tasks gave us a great chance to test the WAF protection mechanisms, as well as the Bitrix platform.
The competition results turned out to be the same as those described during the Proactive Protection module certification process. We let the competitors try to find some Cross-Site Scripting weaknesses, because if we had fully blocked this type of attack it would have led to a large number of false detection alerts. Nevertheless, all life-threatening attacks were prevented by the software security modules."
The Winners of the Bitrix Real-time WAF Hack Competition
Vladimir Vorontsov, an IT security expert nicknamed d0znp, was the first to find a highly sophisticated and unusual method of evading the Proactive Protection filter, one that worked exclusively in the Internet Explorer browser because of that browser's shortcomings. Vladimir received a brand new HTC smartphone.
Vladimir is an experienced developer of application security tools, the author of many IT security articles in a number of magazines, and one of the moderators of the onsec.ru project. The winner commented on the competition concept: "It’s really great that developers pay so much attention to the security of their software, thus protecting their users against future risks. I'd recommend that all other web application developers use the same IT security analysis measures in advance."
Second and third place were shared by the competitors nicknamed insa and ParanoidChaos. insa found a typo in the Proactive Protection module source code, and ParanoidChaos was recognized for their enthusiasm and zeal during the competition. Both competitors were granted a license for the Bitrix Site Manager product.
The Bitrix Proactive Protection updates are already available
The results of the hack competition gave the Bitrix team a great opportunity to confirm the vulnerable spots and possible evasion methods of the Proactive Protection security mechanism; this new data was also used to modify the WAF (Web Application Firewall Plus). The Proactive Protection security system was revised right after the competition, and free updates are now available to Bitrix customers and partners through the
See also our official