Join the CTF competition for the Airlock Gateway now.
Airlock® protects more than 30,000 business-critical web applications and APIs from attacks and unwanted visitors worldwide. One of the components, called Airlock Gateway, serves as Web Application and API Protection (WAAP). It acts as a reverse proxy and blocks any malicious requests like cross-site-scripting (XSS) attacks. Through this bug bounty programme, the security features of Airlock Gateway are put to the test.
This programme differs from others in that it is set up as a capture-the-flag (CTF) competition. The goal is to bypass the security features of Airlock Gateway. The implementation details of the web applications and their related vulnerabilities are provided, so that exploiting them would be trivial without a web application firewall (WAF).
Below is an example of an XSS filter evasion attack.
Let’s assume a web application has an XSS vulnerability, where you can modify the INJECTION placeholder:
Hackers who are able to execute the alert() function will be rewarded with several hundred dollars for every unique idea on how to bypass the WAF filters.
Example attacks:
In these challenges, Airlock Gateway is placed in front of multiple web applications and APIs that contain known vulnerabilities, such as XSS. The goal is to exploit these vulnerabilities despite the application protection, thereby showing that Airlock Gateway does not block all attacks.
The security filters of Airlock Gateway are configured exactly as they would be in a normal production deployment: no paranoia mode.
What we are looking for:
- You are interested in participating in a CTF-style bug bounty programme
- You want to practice your skills on a web application firewall and become an expert in obscuring, escaping and bypassing rules
- You are a WAF or penetration testing expert
The security of our customers’ systems has always been our top priority, and we need you to help keep it there.
What you will get from us:
- Well-paid bounties in a CTF style (one code escape can lead to multiple bounties)
- The programme provides access to the web applications’ implementation, so exploiting them would be trivial without a WAF
- Possibilities for bypasses are endless
- A constructive dialogue, fair rules and a legal safe harbor
Key areas of focus include:
- SQL Injection
- Cross-Site Scripting (XSS) Unquoted Context
- Cross-Site Scripting (XSS) HTML Context
- Cross-Site Scripting (XSS) Quoted Context
- CSRF
- PHP injection
- Cookie Manipulation
- NoSQL Injection
- Non-compliant API Usage
- UNIX Command Injection
- OS Path Injection
This is an invite-only programme for selected hackers. We are committed to working closely with qualified security researchers to ensure our products meet the highest security standards.
Join now!
Airlock® is a security innovation by Ergon Informatik AG