
Crash test for CMS

The idea of creating a Proactive Defense module (a Web Application Firewall) came to mind a long time ago, but it only became possible to implement it this spring, in version 8.0 of the product. And right away another idea followed: why not put the protection system to the test and hold an open competition?

Many have asked me why we need this. I can only answer that the goal of the whole protection system, and of the whole competition, is to make our product better and to give customers and developers more confidence. And that can only be done in practice.

For some reason the analogy with cars comes to mind. The first cars gave no thought to the safety of the driver and passengers. Then passive safety systems appeared, the ones that protect people at the moment of the accident, airbags for example. The next step was active safety systems: ABS, ESP, EBD and so on. These help the driver avoid the accident in the first place: they steer for him, pull him out of a skid, save his life...

In the same way, the Proactive Defense system helps avoid dangerous situations even when the situation is no longer under the developer's control. But, as with cars, the only way to check how reliable such a system really is, is to arrange a crash test.
And the opportunity turned up. Last weekend a hacker festival (that is what it calls itself), Chaos Constructions 2009, was held in St. Petersburg.

[photo from the festival]

Together with Positive Technologies, our long-time partners, we organized a contest in which participants had to bypass the site's "Proactive Defense" system and exploit vulnerabilities of various types that we had planted in advance.

That is, we deliberately built a site with four pages, each containing a different class of vulnerability: SQL injection, cross-site scripting (XSS), path traversal and local file inclusion (LFI).

Then we switched on our Web Application Firewall, which ships with the product since version 8.0, and, so to speak, put a screen in front of the flawed pages.

Such a test reproduces the mistakes web developers make while building a site and checks whether the protection system successfully screens them.

We all wanted to know the outcome of the test and to understand whether anyone would find a way around the protection, and how hard that would be.

The server was open to contestants for two days. More than 25,000 attacks were registered and repelled. Participants included hackers attending the CC9 festival as well as people working on the site over the Internet. In total about 600 people took part in the competition.

I discussed the course of the competition with Marcel Nizamutdinov, our information security specialist. Here is the comment Marcel gave:

"Throughout the competition we watched from the sidelines as participants actively tried to circumvent "Proactive Defense", gradually increasing the sophistication of their attempts. The one and only workaround was found by a highly qualified specialist who managed to exploit flaws in Internet Explorer. The option he proposed bypassed not only our WAF but also every filter from other professional developers known to us. More precisely, ours no longer lets it through :) I am very pleased with the results of the competition. We were able to test the "Proactive Defense" system in very demanding conditions. Based on the results of the competition we have improved the product's algorithms and provided a higher level of security for our customers. We will continue to study information security issues and improve the product's protection system."

Based on the results of the competition, we awarded three prizes.

First place went to Vladimir Vorontsov (pseudonym d0znp). He was the first to find a complex and interesting way to bypass the "Proactive Defense" filter; it works exclusively in Internet Explorer and relies on that browser's shortcomings.

As colleagues from Positive Technologies told me, Vladimir Vorontsov is an information security expert who professionally analyzes the security of web applications, the author of numerous articles in specialist information security magazines, and the maintainer of the onsec.ru project.

The first prize is an HTC Touch Cruise II (T4242) communicator. It is handed to the winner in person at our Moscow office. The winner declined to be photographed for reasons of his own.

He himself commented on the contest as follows: "It is gratifying that developers pay such attention to the security of their products and promptly eliminate risks. I would like to wish other web application developers to take the same course in their relations with information security researchers."

Second place went to the participant with the pseudonym insa, who discovered a small typo in the code of the "Proactive Defense" filter.

Third place, for enthusiasm in the competition, went to the participant ParanoidChaos.

The prizes for second and third place are licenses for the product "1C-Bitrix: Site Management" ("Standard" edition).

As Marcel already said, the bypass techniques found against Proactive Defense have been taken into account and the corresponding changes have been made to the Web Application Firewall filter. We have closed the technique by which the winner used IE features, and the filter update has already been published through the SiteUpdate update system.

I will give one more comment, from Dmitry Evteev, information security expert in the consulting and audit department of Positive Technologies: "One of the developers of the w3af web application security scanner was present at CC and, together with the other participants, tried to launch attacks. Many of the participants worked almost continuously on bypassing the WAF filter! The competition provided excellent stress testing both of the WAF's proactive defense and of the whole 1C-Bitrix platform. The results of the competition are as expected and coincide with those obtained during certification of the proactive protection module. We assumed that participants would be able to demonstrate exploitation of the cross-site scripting vulnerability, since completely blocking this type of attack leads to a large number of false positives. Nobody was able to exploit the critical vulnerabilities."

I believe we coped with a difficult task very well! We will keep making efforts on security, and in the future we may take part in this or similar international competitions to test the product and ourselves.

Taking this opportunity, I also want to remind developers that, despite our optimism, Proactive Defense is no substitute for your own head. You should still try to write secure applications and think through the solutions you create. Just as a stability control system in a car does not guarantee you will not hit a tree, Proactive Defense only guarantees nothing by itself; it is an effective tool that helps you in your daily work. Good luck, everyone!
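The four vulnerability classes planted on the contest site (SQL injection, XSS, path traversal and local file inclusion) and the advice above that developers should still fix them in code rather than lean on the WAF are illustrated by the following added example. It is not code from the contest site or from the 1C-Bitrix product; each class is shown as a deliberately flawed function next to its hardened counterpart, with a constructed in-memory database, assumed template names and assumed directory paths standing in for a real site.

```python
import html
import os
import sqlite3


def make_db():
    """Constructed sample data for this example (not the contest site)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


# 1. SQL injection: string concatenation lets the parameter rewrite the query.
def find_user_vulnerable(conn, name):
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # Bound parameter: the value is sent as data and can never become SQL syntax.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# 2. Cross-site scripting: reflecting input into HTML without output encoding.
def greet_vulnerable(name):
    return "<p>Hello, " + name + "</p>"


def greet_safe(name):
    # Encode for the HTML text-node context the value is inserted into.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# 3. Path traversal: joining a request-supplied path under a base directory.
def file_path_vulnerable(base, user_path):
    # normpath collapses ".." segments, but nothing checks that the result
    # still lies under base (and an absolute user_path replaces base entirely).
    return os.path.normpath(os.path.join(base, user_path))


def file_path_safe(base, user_path):
    # Resolve symlinks and ".." first, then require the result to stay under base.
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None  # escaped the document root: refuse
    return candidate


# 4. Local file inclusion: choosing a template or script by name from the request.
TEMPLATES = {"home": "home.tpl", "about": "about.tpl"}  # assumed page names


def template_vulnerable(page):
    # Whatever path the attacker can name becomes the include target.
    return "templates/" + page + ".tpl"


def template_safe(page):
    # Allowlist: the request selects a key, never a path.
    filename = TEMPLATES.get(page)
    return None if filename is None else "templates/" + filename


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("SQLi, vulnerable:", find_user_vulnerable(conn, payload))
    print("SQLi, safe:      ", find_user_safe(conn, payload))
    print("XSS, vulnerable: ", greet_vulnerable("<script>alert(1)</script>"))
    print("XSS, safe:       ", greet_safe("<script>alert(1)</script>"))
    root = "/var/www/site/public"  # assumed document root
    print("Traversal, vulnerable:", file_path_vulnerable(root, "../../../etc/passwd"))
    print("Traversal, safe:      ", file_path_safe(root, "../../../etc/passwd"))
    print("LFI, vulnerable:", template_vulnerable("../../etc/passwd"))
    print("LFI, safe:      ", template_safe("../../etc/passwd"))
```

The hardened functions do not depend on recognizing attack strings at all, which is exactly the difference between fixing the code and filtering requests in front of it: a WAF has to guess which inputs are hostile (and, as the XSS remark above notes, can only do so at the cost of false positives), whereas parameterized queries, context-aware encoding, a confined document root and an allowlist make the hostile input harmless regardless of how it is spelled.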

A couple more photos from the festival. Strangely, few of them turned up online, and almost none with faces.

[two photos from the festival]

Source: https://habr.com/ru/post/68549/

