$10k hacking contest announced

Hacking ContestIsraeli software developer Gizmox is challenging hackers to try hacking into the company’s Visual WebGui Platform, by offering a $10,000 incentive to those who manage to achieve the objectives of their contest launched at the beginning of the month. What’s particularly interesting about the contest is the fact that the company is running the contest as an investigation into the identity of their secret agent, the data for whom resides on their unhackable platform.

Nothing’s unhackable, the unhackable just takes a little longer.

“Gizmox, the developer of Visual WebGui open source platform, today announced a contest, sponsored by the Company, which will pay $10,000 to anyone who can hack into its Visual WebGui Platform. The Contest will take the shape of an investigation into the identity of a secret agent. The goal of the contest is to uncover the true identity of their secret agent, code named OWL. The Contest will feature a flash movie presented within the Visual WebGui application that will contain the data necessary to uncovering the identity of the OWL. Participants will be required to provide a reproducible pathway into the Visual WebGui Pipeline (without having to penetrate any non Visual WebGui Peripherals) in order to claim the prize. The contest will begin on November 3rd and end January 30th, Participants must register to receive login information and contest details.”

Registration is open to everyone, here are some of the highlights of what is considered acceptable hacking of the company’s framework :

“- The game assumes that the database is safe and cannot be penetrated to; hacking the database in any level will not qualify. In addition gaining a more powerful username and password is only valid if done through Visual WebGui path and will not be a valid winner in any other case.
- Assume in general, that any peripheral system and software is safe and cannot be penetrated through; in general a non-Visual WebGui layer hack-through will not be considered a win.
- Hacking through the Visual WebGui pipeline only is acceptable, meaning that using the VWG AJAX messages will qualify for winning the award.
- Manipulating any client code (JS, XSLT, XML, HTML and any client resource) is permitted, in order to try and shift the system from its original security behavior.
- Using any side effects or consequences of Visual WebGui code in runtime in order to hack the system is allowed, as long as the actual hack will use those side effects and consequences in order to manipulate the original server security behavior and not to penetrate any other software or infrastructure.”

Gizmox Hacking ContestOffering financial incentives in the form of hacking contests or bug bounties are nothing new. For instance, in 2000 PacketStormSecurity offered $10k reward for the winner in their “Protecting Against the Unknown” whitepaper contest, with another $10k offered by iDefense for a critical Microsoft vulnerability in 2006, followed by the most recent PWN 2 OWN $10k reward this year.

Gizmox’s contest is different in that it’s indirectly advertising the “unhackability” of its products compared to enticing research into the products of other companies. Whatever their motivation, the contest is worth the try, especially when their AJAX/Silverlight Web Applications Framework can be “examined” for free.

[Source: zdnet]