Sanitation Class
Date: May 06, 2007 02:25PM

Demo: www.crypticmauler.com/sanitizedemo/

It auto sanitizes $_GET, $_POST, $_REQUEST, $_COOKIE, $_SERVER and some other stuff like alias functions for file_get_contents() etc. by converting any character not in [a-zA-Z\d_.,] into the equivalent HTML entity. Even supports Unicode. The file is included before any user input is used on the page. Feel free to get stuff by it; comments welcome.



Edited 2 time(s). Last edit at 05/06/2007 03:27PM by CrYpTiC_MauleR.

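The allow-list entity-encoding approach described in the post above, and the quoted, unquoted and `<script>` contexts the demo page later added, as an added Python example (not CrYpTiC_MauleR's PHP class); the sample request values are constructed.

```python
import re

# Allow-list from the post: letters, digits, underscore, dot and comma.
# Every other character (quotes, angle brackets, backticks, whitespace,
# non-ASCII) becomes a numeric HTML entity, so it is inert in HTML text
# and inside single-, double- or un-quoted attribute values alike.
ALLOWED = re.compile(r'[A-Za-z0-9_.,]')
# What a correctly sanitized value may consist of.
INERT = re.compile(r'(?:[A-Za-z0-9_.,]|&#\d+;)*')


def sanitize(value: str) -> str:
    """Entity-encode every character outside the allow-list."""
    return ''.join(ch if ALLOWED.fullmatch(ch) else f'&#{ord(ch)};'
                   for ch in value)


def sanitize_deep(data):
    """Recursively sanitize nested dicts/lists (PHP request arrays can
    nest); keys are encoded too, since a key may be echoed into markup."""
    if isinstance(data, dict):
        return {sanitize(str(k)): sanitize_deep(v) for k, v in data.items()}
    if isinstance(data, list):
        return [sanitize_deep(v) for v in data]
    return sanitize(str(data))


def is_inert(value: str) -> bool:
    """True if only allow-listed chars and numeric entities survived."""
    return INERT.fullmatch(value) is not None


# Constructed sample request covering the demo page's contexts: a
# double-quoted, single-quoted and unquoted attribute, a <script> tag,
# the IE6/IE7 backtick attribute delimiter, and non-ASCII text.
SAMPLE_GET = {
    'name': '" x="1',
    'title': "' x='1",
    'cls': '` x=1',
    'q': '<script>x</script>',
    'u': 'Grüße',
}


def render(params: dict) -> str:
    """Drop sanitized values into the four attribute/text contexts."""
    p = sanitize_deep(params)
    return (f'<input value="{p["name"]}">'
            f"<input title='{p['title']}'>"
            f'<div class={p["cls"]}>{p["q"]}</div><p>{p["u"]}</p>')
```

Because this rewrites the request globally at input time, anything later needed in raw form (a password to hash, a value to compare or store) has to be decoded first; that is the trade-off against encoding at output time.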
Re: Sanitation Class
Posted by: Anonymous User
Date: May 06, 2007 03:40PM

As far as I can see, backticks aren't properly escaped - could lead to a problem in IE6 / IE7.

On the other hand - I can't even get UTF-7 working - nice job ;)

Greetings,
.mario

Re: Sanitation Class
Date: May 06, 2007 03:43PM

Backticks should become `; if that isn't happening, what vector did you use? Btw, post the attack, not the full URL; I don't want search engines indexing a page that I will take down. It happened with the Jikto source; spiders still come by looking for it.



Edited 1 time(s). Last edit at 05/06/2007 03:46PM by CrYpTiC_MauleR.

Re: Sanitation Class
Posted by: Anonymous User
Date: May 06, 2007 03:48PM

Damn - I'd better have checked this twice. On the source view in my IE6 via VM the backticks were unescaped/unsanitized...

good jawb!

Re: Sanitation Class
Date: May 06, 2007 03:53PM

This class is part of a security package I've been working on which has the following classes: Error (error control), Validate (input validation), IDS (obvious what it will do), Sanitize (the demo posted), Ban, Privacy (privacy controls), Log (logs security events and user activity), and last Session (session control). So far I'm around 10% done with the project.

The IDS package is all done; it just needs the regular expressions, for which I am hoping to use your PHP IDS's rules once it's been tested more. Full credit for the regexes will be given of course =oP

Re: Sanitation Class
Date: May 06, 2007 04:10PM

Changed the demo page to include attribute injection with single, double and no quotes, and also included a <script> injection.

Re: Sanitation Class
Posted by: Anonymous User
Date: May 07, 2007 01:43AM

"I am hoping to use your PHP IDS's rules once it's been tested more. Full credit for the regexes will be given of course =oP"

No probs for me.

Will do some more tests on the demo page when I find the time - all in all a very promising approach!

Greetings,
.mario

Re: Sanitation Class
Posted by: rsnake
Date: May 08, 2007 08:03PM

Very cool stuff! I'm looking forward to all this IDS stuff hitting the mainstream and actually getting packaged up into some of the bigger open-source packages once they get out of beta! Nice work, guys, on all of this stuff. I know I haven't commented on it yet - but only because I've been so stupidly busy the last few weeks.

- RSnake
Gotta love it. http://ha.ckers.org
