PRESS RELEASE: Nuit du Hack 2017: Why we love Bug Bounties at DenyAll

For the second time, DenyAll participated in the « Nuit du Hack » event held in Paris on June 24-25. Once again, DenyAll opened a Bug Bounty, exposing 4 vulnerable websites and APIs to 2,500 white hat hackers who tried to bypass the protections provided by DenyAll’s Web Application Firewalls and Web Services Firewalls. The data that was gathered will be analyzed to help DenyAll strengthen its application security engines.

DenyAll participated for the second time in “La Nuit du Hack”, run by the HackerzVoice and YesWeHack teams. During the Bug Bounty, DenyAll’s WAFs received approximately 600,000 requests in a few hours, combining vulnerability scanners, fuzzing techniques and manual tricks to evade the security provided by DenyAll’s products.

The number of requests was very high, demonstrating DenyAll’s ability to scale and deliver 100% availability and low latency using Amazon’s cloud infrastructure (AWS) and the pre-packaged images of its WAF available on the AWS Marketplace.

More than 100 GB of logs were captured and will be replayed to further improve the efficiency of DenyAll’s security engines. Among the 600,000 requests processed by the WAFs, fewer than 20 valid “bugs” were recorded, and the researchers who discovered these attack vectors were rewarded, in accordance with the confidentiality and professionalism objectives set by the organizers.

Protecting Web Services and APIs

The setup was based on four applications designed to expose all usual attack techniques, like SQL Injection, cross-site scripting and so on:

  • Damn Vulnerable Web Application (DVWA), a PHP/MySQL web application that is full of security holes, used by security professionals to test their skills and tools in a legal environment. Protected by DenyAll Web Application Firewall.
  • Hackazon website, a vulnerable test site that mimics an online storefront, built with the same technologies used in today’s rich client interfaces. Hackazon has an AJAX interface and strict workflows. Protected by DenyAll Web Application Firewall.
  • Hackazon mobile application and API, an e-commerce mobile application coupled with a RESTful API. Protected by DenyAll Web Services Firewall.
  • Damn Vulnerable Web Services (DVWS), a set of vulnerable APIs (both SOAP and REST) that can be used to learn real-world web service vulnerabilities. Protected by DenyAll Web Services Firewall.

The exercise demonstrated the ability of DenyAll to secure Web Services and APIs. « Whether we see them or not, APIs are a crucial part of business today », says Vincent Maury, DenyAll’s CTO. « Application programming interfaces are used every day by IT and DevOps teams to drive B2B transactions, application automation and all sorts of processes relying on SOAP & REST traffic. Businesses are relying on APIs more than ever, and that creates new potential vectors for attackers ».

This trend is underlined in the new version of the Open Web Application Security Project (OWASP) Top 10 released in 2017. Indeed, two new areas of insecurity were added to the list of Top 10 application vulnerabilities, named A7 and A10 for « Insufficient Attack Protection » and « Under-protected APIs ». API is the new black, which is why DenyAll is investing in new security engines that are both application and API aware to protect businesses.

Xavier Quoniam, Marketing Manager
Xavier is our Marketing Manager. He is passionate about disruptive technologies that transform how companies communicate. He brings us his passion, curiosity, and fresh ideas to promote DenyAll and Cloud Protector at their best.