Bitrix Real-Time Hack Competition in Russia

Hack Competition idea was based on the car crash test concept

The Bitrix, Inc. team had been planning a Proactive Protection module for a long time. As soon as it was developed and implemented in the Bitrix Site Manager v8.0 product, the Bitrix developers and IT security experts came up with the idea of testing the module by the harshest means possible: letting Russian hackers try to bring down the security system. The Bitrix team had a reasonable argument to support this idea: every software module or parameter can only be properly tested in practice, in a realistic environment.

Everyone would agree that this kind of software exam makes it possible to identify and remove a number of code blunders and weak spots. Such measures prevent unwanted system breakdowns in advance, just like a crash test in the automobile industry, performed to find out whether a vehicle is safe for people or not.

Bitrix's Russian Representative Office and the "Positive Technologies" team organized a competition at the "Chaos Constructions CC9" computer technologies festival, whose participants were supposed to evade the Bitrix Proactive Protection security system. The security mechanism was modified in advance, though, to make it a bit more "vulnerable". The festival took place on 29-30 August 2009 in Saint Petersburg, Russia.

The competition was meant to show how the Proactive Protection shield works in action. It was also organized to gather more examples for analyzing common mistakes that site developers make while creating and customizing a web site.



25,000 attacks on Bitrix carried out by more than 600 hackers

More than 600 competitors tried to evade the Proactive Protection security filter (WAF / Web Application Firewall Plus) and to find all the deliberately planted vulnerabilities (e.g. SQL Injection, Cross-Site Scripting, Path Traversal and Local File Inclusion). More than 25,000 attacks were recorded and effectively repulsed during the two days of the festival. Not only the festival participants could take part in this hack competition, but also anyone with Internet access from outside.



The IT security experts say the level of technical knowledge was high

The competition results were judged and evaluated by a group of web security experts from both the Bitrix and Positive Technologies teams.

"We’ve been increasing the level of protection measures during the competition as we’d noticed that the participants had really been active in hacking down the Proactive Protection security module. The only efficacious method was discovered by a really professional IT specialist who could use some of the Internet Explorer drawbacks and turn them into a tool to evade the Bitrix protection. This technique is actually able not only to avoid our WAF security filter, but also the security filters of all other professional software products. We’ve proved that the Bitrix security mechanism can withstand severe conditions. These competition test results were used in modifying our software products, thus giving our customers an even greater level of security. We will keep doing research in the IT security field, which will allow us to strengthen our software products more and more," said Marcel Nizaque, Bitrix, Inc. IT security specialist.

Dmitry Evteyev, Positive Technologies IT security expert, also said that the competitors had a very high level of technical knowledge: "A very well-known IT security scanner application developer nicknamed w3af was also spotted trying to attack the Bitrix system alongside the other competitors. Some of the competitors were trying restlessly to bring down the WAF filter security during the two days of competition, attacking it really non-stop! The competition tasks have given us a great chance to test the WAF protection mechanisms, as well as the Bitrix platform.

The competition results turned out to be the same as described during the Proactive Protection module certification process. We let the competitors try to find some vulnerable spots in the Cross-Site Scripting area, because if we had fully blocked this type of attack it would have led to a large number of false detection alerts. Nevertheless, all life-threatening attacks were prevented by the software security modules."

The Winners of the Bitrix Real-time WAF Hack Competition

Vladimir Vorontsov, nicknamed d0znp, an IT security expert, was the first to figure out a most sophisticated and peculiar method of evading the Proactive Protection filter, possible exclusively within the Internet Explorer browser environment due to its shortcomings. Vladimir received a brand new HTC smartphone.

Vladimir is an experienced developer of software application security tools, the author of many IT security articles in a number of magazines, and one of the moderators of the onsec.ru project. The winner commented on the competition concept: "It’s really great that the developers pay so much attention to their software security issues, thus protecting their software users against all future risks. I'd recommend that all other web application developers use the same IT security analysis measures in advance."



Second and third place were shared by the competitors nicknamed insa and ParanoidChaos. insa found a misprint in the Proactive Protection module source code, and ParanoidChaos was singled out for their enthusiasm and zeal during the competition. Both competitors were granted a license for a Bitrix Site Manager product.

The Bitrix Proactive Protection updates are already available

The results of the hack competition gave the Bitrix team a great opportunity to re-confirm all vulnerable spots and possible methods of evading the Proactive Protection security mechanism. This new data was also used to modify the WAF / Web Application Firewall Plus. The Proactive Protection security system was revised right after the competition, and free updates are already available to Bitrix customers and partners through the SiteUpdate system. The Bitrix team continues to develop and improve all Bitrix products to reach even higher levels of security and reliability for the benefit of its customers and partners. We will keep doing our best to make your web environment secure and protected!

See also our official news item!


shekhar
06/12/2011 16:50:52
very nice blog