Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Current Page: 2 of 31
Re: WebApp IDS
Posted by: Anonymous User
Date: March 19, 2007 03:43AM

@RSnake: That's what I am talking about - you can't generalize which input is allowed and which not - so you have to categorize/tag the filter rules and let them learn. At the moment we are using a configuration array based on the model to tell the filter what rules have to be applied.

btw. In around one week we are planning to go online with the IDS - I will keep you informed about the results...

Greeting,
.mario

Re: WebApp IDS
Posted by: blad3
Date: March 19, 2007 05:02AM

Cool .mario :)
I'm curious about the IDS. Sounds pretty interesting.

Re: WebApp IDS
Posted by: Anonymous User
Date: March 19, 2007 06:27AM

Thanks, blad3.

I am thinking about a google code repository - anyone interested?

Re: WebApp IDS
Posted by: Anonymous User
Date: March 19, 2007 08:49AM

Here are the links:

http://code.google.com/p/phpids/
http://groups.google.de/group/php-ids/

Feel free to join!

Greetings,
.mario

Re: WebApp IDS
Posted by: jungsonn
Date: March 19, 2007 09:01AM

@RSnake,

Yeh that might be right, I'm in no position to even think about these browser issues, it's not my job and certainly far from any personal expertise. And I quickly made some false assumptions about it.

It's really harder than I thought it would be. But I can't help get the impression the browser vendors can solve such issues, only not sure how.

Re: WebApp IDS
Posted by: Anonymous User
Date: March 23, 2007 08:49AM

Hi!

I continued working on the IDS filter the last days and my testing results are pretty sharp meanwhile - this is the current set of rules:

(["|'][\s]*\>) //finds html breaking injections including whitespace attacks

(["|'][\s]*\<) //finds attribute breaking injections including whitespace attacks

(\+A[\w]{2}-) //finds utf7 attacks in general

(&#[\w]+) //detects all entities including the bizarro IE US-ASCII entities

(\\[\w]{3}) //detects the IE hex entities

(("|')[\s]*(\)|\})) //finds closing javascript breaker including whitespace attacks

((\(|\{)[\s]*("|')) //finds opening javascript breaker including whitespace attacks

(\.\.\/\.\.) //detects basic directory traversal

(%[0-9a-f]{2}) //detects urlencoded attacks

(=\/\/) //detects protocol relative url inclusions

(¼\/) //detects US-ASCII HTML breaking code

(@import|;base64|alert\(|Execute\() //detects imported poisoned stylesheets, base64 attacks, vbscript probings and all alerts

(>[\w]=\/) //detects malformed attribute utilizing script includes

((\?\<)|(\)\>)) //detects nullparam and numeric includes

([\w]+[\s]*=[\s]*("|')) //detects possible event handlers

(\<s(.*)t) //detects obfuscated script tags - might throw too many false positives (TEST)

(\<\/[\w]+[\s][\w]+) //detects attributes in closing tags (IE-only issue)

(\<base[\s]+) //detects base href injections

What do you think? Furthermore do you think there is a way to detect SQL injections as precise as possible? I sometimes wonder what the ideal initial probing would look like when coming to SQL injections - what patterns are there besides %item OR 1 = 1 or the UNIQUE queries?

Greetings,
.mario

Re: WebApp IDS
Posted by: rsnake
Date: March 23, 2007 11:39AM

Without going through each and every one of these:

(["|'][\s]*\>) //finds html breaking injections including whitespace attacks

Breakable by: " a >

(["|'][\s]*\<) //finds attribute breaking injections including whitespace attacks

Breakable by: " a <

Regex is hard.

Re: WebApp IDS
Posted by: Anonymous User
Date: March 26, 2007 12:59PM

Hi!

Thanks, good point. I will try how many false positives we get with (["|'].*\>)

Greetings,
.mario
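
The gap rsnake points out in the first rule, and the cost of the widened rule from the reply above, can both be measured with a small regression harness. This is an added example, not code from the thread or from PHPIDS: the two patterns are quoted from the posts, every sample except rsnake's `" a >` is constructed, and Python's re module stands in for PHP's PCRE.

```python
import re

# Patterns quoted from the thread; Python's re accepts this PCRE syntax unchanged.
RULES = {
    "html_break_v1": r"""(["|'][\s]*\>)""",  # original rule from the list
    "html_break_v2": r"""(["|'].*\>)""",     # widened rule proposed in the reply
}

# (input, should_be_flagged). All samples are constructed for this example,
# except '" a >', which is the counterexample given in the thread.
SAMPLES = [
    ('">', True),                         # quote directly followed by >
    ('"   >', True),                      # whitespace variant the rule targets
    ('" a >', True),                      # filler between quote and >
    ('He said "ok", then 5 > 3', False),  # ordinary prose
    ("it's fine -> go on", False),        # apostrophe, later an arrow
    ("plain text", False),
]


def evaluate(rule_name):
    """Return (missed, false_positives) for one rule over SAMPLES."""
    rx = re.compile(RULES[rule_name])
    missed, false_pos = [], []
    for text, should_flag in SAMPLES:
        hit = rx.search(text) is not None
        if should_flag and not hit:
            missed.append(text)
        elif hit and not should_flag:
            false_pos.append(text)
    return missed, false_pos


if __name__ == "__main__":
    for name in RULES:
        missed, false_pos = evaluate(name)
        print(f"{name}: missed={missed} false_positives={false_pos}")
```

Keeping a labelled corpus like this next to the rule file lets each rule change be judged on both columns at once, rather than on the one input that prompted it.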

Re: WebApp IDS
Posted by: hackathology
Date: March 27, 2007 11:45AM

wowowo, nice signatures mario, BUT better detection Rsnake.

http://hackathology.blogspot.com

Re: WebApp IDS
Posted by: Anonymous User
Date: March 27, 2007 05:54PM

Thanks, hackathology - next week we are going live with the IDS beta. I am very excited about the first results. Will keep you guys informed...

Greetings,
.mario

Re: WebApp IDS
Posted by: hackathology
Date: March 28, 2007 01:10AM

yep mario, looking forward to it. Let us know ya.

http://hackathology.blogspot.com

Re: WebApp IDS
Posted by: christ1an
Date: May 01, 2007 03:22PM

I'd like to inform you about the current state of this project, information is available here:

http://christ1an.blogspot.com/2007/05/php-based-intrusion-detection-system.html

If you have any ideas, feel free to leave a comment.

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Re: WebApp IDS
Posted by: thrill
Date: May 01, 2007 03:45PM

I'm almost inclined to create a beta.secexp.com in order to try to integrate this with my current CMS. So if you guys have any suggestions on how to do this, I'd be happy to test it out.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: WebApp IDS
Posted by: christ1an
Date: May 01, 2007 06:30PM

thrill: A manual will be released along with the final version of IDS in a few days. That will also include examples.

Thanks.

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Re: WebApp IDS
Posted by: thrill
Date: May 01, 2007 06:43PM

Quote

A manual will be released along with the final version of IDS in a few days. That will also include examples.

Cool! I'll look forward to getting it and making it a part of my system.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: WebApp IDS
Posted by: Anonymous User
Date: May 02, 2007 02:43AM

Hi thrill - just answered to your comment on christ1an's blog. I will post an example of advanced usage of the PHP IDS later in this thread.

Greetings,
.mario

Re: WebApp IDS
Posted by: WhiteAcid
Date: May 02, 2007 03:17AM

That is awesome code. I have yet to go through it all, but the only issue I could find so far is that changing ids.php like so:
73c73,78
< 				$this->request	= $request;

---
> 				$this->request	= $request;
> 				if ($tags !== false && !is_array($tags)) {
> 					throw new Exception(
> 						'Tags parameter incorrect.'
> 					);
> 				}
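
Review bot: The $tags type check in this hunk sits after the line "$this->request = $request;", so when it throws, the constructor has already stored the request on a half-initialised object; move the check above the assignment. The message 'Tags parameter incorrect.' would also help more if it said that an array or false is expected, since that is what the condition "$tags !== false && !is_array($tags)" enforces.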

88,92c93,94
< 		public function run() {

< 			foreach ($this->request as $key => $value) {

< 				$this->iterate($key, $value);

< 			}

< 			

---
> 		public function run() {
> 			array_walk($this->request, array($this,'iterate'));
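
Review bot: array_walk() in the new run() hands each element to the callback as (value, key), the reverse of the removed call "$this->iterate($key, $value)", so this line is only correct when applied together with the iterate() signature change at 105c107; on its own it would pass parameter names to the rules as if they were values. A short comment on the array_walk line stating the argument order would keep the two from drifting apart. The boolean that array_walk() returns is also discarded here, so a failure to walk the request goes unnoticed.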

105c107
< 		private function iterate($key, $value) {

---
> 		private function iterate($value, $key) {
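
Review bot: Swapping the parameters to iterate($value, $key) changes the contract for every caller, but these hunks only update the call in run(); any other call in ids.php that still passes ($key, $value), for example a recursive call for nested arrays if there is one, would keep running with the arguments reversed and no error. Check the remaining call sites and state the new order in the method's doc comment.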

Edit: updated diff to include error checking $tags, of course that may just be something silly, up to you.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 05/02/2007 03:40AM by WhiteAcid.

Re: WebApp IDS
Posted by: christ1an
Date: May 02, 2007 04:27AM

Thanks WhiteAcid but sorry I don't get what you want to say :/
Could you maybe leave the code away and firstly describe what caught your attention?

Ah and, which version is that? I'm aware of the fact that we have no version handling at the time, that's my fault I'm sorry. You can get the youngest version from here http://phpids.googlecode.com/svn/trunk/

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Re: WebApp IDS
Posted by: Anonymous User
Date: May 02, 2007 04:32AM

Hi!

Well, here are the examples:

This first one you should probably know...
http://phpids.googlecode.com/svn/trunk/docs/examples/example.php

The second one is pretty fresh - just finished typing. It is designed to show how to work with the PHPIDS Impact - also it shows how to embed the IDS in a framework like CakePHP
http://phpids.googlecode.com/svn/trunk/docs/examples/example_cakephp_component.php

Feel free to ask any questions if sth remains unclear...

Greetings,
.mario

Re: WebApp IDS
Posted by: WhiteAcid
Date: May 02, 2007 05:44AM

OK. Well... I made two suggestions for change. Firstly I added some error checking to IDS::__construct(), but looking at the code christ1an linked to, this change is totally redundant. Ignore it.

The second suggestion was simply to speed the process up a bit. You weren't using PHP's array_walk where it would be ideal to use it. Making this change would require you to switch the order of the attributes in IDS::iterate(), as I also showed in the diff.

I hope that helps.

Edit: This is why we need an IRC

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 05/02/2007 06:04AM by WhiteAcid.

Re: WebApp IDS
Posted by: christ1an
Date: May 02, 2007 06:31AM

You're right, that should be faster. I'm going to check that, thanks!

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Re: WebApp IDS
Posted by: Anonymous User
Date: May 02, 2007 07:25AM

@Whiteacid: "Edit: This is why we need an IRC" Yes!

Re: WebApp IDS
Posted by: Anonymous User
Date: May 03, 2007 06:16AM

Hi!

I built up a pretty raw but working (I hope so) smoketest for the PHP IDS

http://phpids.heideri.ch/

Feel free to stress it - if you manage to create an XSS or worse please post your results here - you will be credited with honor and fame ;)

Greetings,
.mario

Re: WebApp IDS
Posted by: thrill
Date: May 03, 2007 12:21PM

@.mario

Thanks for the example, and sorry it took me a while to respond. I actually saw your posting and I was in the middle of something else so the posting didn't quite register in my head until this morning. :)

Umm.. that example for the CakePHP was more advanced than what my knowledge is. I was looking for something more in the lines of:

require_once( 'phpids/ids.php' );
require_once( 'phpids/storage.php' );

That, I can handle adding to my index.php file.

What you guys might consider creating is an index.php file in itself that will include some 'default' settings with comments so that users can change that. Then a php dummy like myself would only need one 'require_once' line. :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: WebApp IDS
Posted by: Anonymous User
Date: May 03, 2007 03:23PM

Hi thrill!

Thanks for your feedback - easy to use version with mentioned index.php will come with the first release version.

If you have any further questions just PM me or post them here or in the PHP IDS Google Group!

Greetings!
.mario

Re: WebApp IDS
Posted by: digi7al64
Date: May 03, 2007 07:50PM

homfg - I RULZ

<body onload='vbscript:msgbox "moo"'

you may pay me in women or gold... or women covered in gold.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: WebApp IDS
Date: May 04, 2007 12:13AM

Isn't

([\w]+[\s]*=[\s]*("|\'))

the same as:

(\w+\s*=\s*["\'])

Working with PHP for years I've come to know that the smaller a regular expression is the faster it gets run. Speed is essential especially when it comes to iterating over arrays or testing large strings. Many of the regular expressions can be optimized for speed and readability.

Re: WebApp IDS
Posted by: kishord
Date: May 04, 2007 02:41AM

http://phpids.heideri.ch/?test=%3Ccode%20onmouseover=;document.write(123)%3Eabcdefghijk%3C/code%3E


Need to change [\s]*=[\s]* thing. It can be bypassed using onmouseover=;f();
I.e. a ;

Web Application Security Journ(ey)al

Re: WebApp IDS
Posted by: Anonymous User
Date: May 04, 2007 03:06AM

Awesome finds, thanks a lot, kishord & digi7al64!

@CrYpTiC_MauleR - yes, for sure. Most of the current rules are kind of working but not optimized yet. Also thx for the input - will check your pattern and build it in!

Greetings,
.mario

[edit]FIXED - thx again![/edit]



Edited 2 time(s). Last edit at 05/04/2007 03:35AM by .mario.

Re: WebApp IDS
Posted by: kishord
Date: May 04, 2007 04:17AM

Are you all right .mario?

http://phpids.heideri.ch/?test=%3Ccode%20onmouseover=;;document.write(123)%3Eabcdefghijk%3C/code%3E

two semicolons! against this filter
rule: (on\w+\s*=.(\w|("|')))

Web Application Security Journ(ey)al
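
The event-handler discussion above (the shorter spelling of the rule, and the two test URLs posted against the filter) can be replayed offline as a rule regression check. This is an added example, not code from the thread or from PHPIDS: the three patterns and the two URLs are quoted from the posts, the last three samples are constructed, and Python's re module stands in for PHP's PCRE.

```python
import re
from urllib.parse import urlsplit, unquote

# Patterns quoted from the thread; Python's re accepts this PCRE syntax unchanged.
RULES = {
    "handler_orig":    r"""([\w]+[\s]*=[\s]*("|'))""",  # rule from the original list
    "handler_compact": r"""(\w+\s*=\s*["'])""",         # shorter spelling proposed later
    "handler_fixed":   r"""(on\w+\s*=.(\w|("|')))""",   # rule quoted after the fix
}


def decode_param(url):
    """Return the URL-decoded value of the first query parameter,
    split on the first '=' the way PHP fills $_GET."""
    _name, _, raw = urlsplit(url).query.partition("=")
    return unquote(raw)


BASE = "http://phpids.heideri.ch/?test="
SAMPLES = [
    # The two test URLs posted in the thread, decoded.
    decode_param(BASE + "%3Ccode%20onmouseover=;document.write(123)%3Eabcdefghijk%3C/code%3E"),
    decode_param(BASE + "%3Ccode%20onmouseover=;;document.write(123)%3Eabcdefghijk%3C/code%3E"),
    # Constructed samples: a quoted handler, a benign link, a benign form value.
    '<a onclick="go()">x</a>',
    '<a href="/home">Home</a>',
    "condition=10",
]


def hits(rule_name):
    """One boolean per entry in SAMPLES: did the rule fire?"""
    rx = re.compile(RULES[rule_name])
    return [rx.search(s) is not None for s in SAMPLES]


def same_verdicts(rule_a, rule_b):
    """True when two rules agree on every sample (a regression check, not a proof)."""
    return hits(rule_a) == hits(rule_b)


if __name__ == "__main__":
    for name in RULES:
        print(f"{name:16} {hits(name)}")
    print("orig == compact on corpus:", same_verdicts("handler_orig", "handler_compact"))
```

On this corpus the original and compact spellings agree everywhere, while the fixed rule misses the double-semicolon input and fires on the benign `condition=10` because `on\w+` is not anchored to the start of an attribute name.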
