PHPIDS - get it!

Archive for June, 2007

PHPIDS 0.2.3 released

Thursday, June 28th, 2007

PHPIDS 0.2.3 is out – and brings several important improvements. We worked on the filter rules and added detection for mail header injections, enhanced the null-byte and control-character detection and reworked some of the SQL injection rules.

Compatibility is also improved – the PHPIDS now works with libxml versions prior to 2.6.21 – thanks to Greg and Markus Bierau.

The Converter has been greatly improved – the PHPIDS is now able to detect charcode payloads even when they are encoded in octal or hexadecimal and obfuscated with basic arithmetic operators – thanks to Kishor.

As promised there were no API changes, so updating the PHPIDS should cause no problems. The PHPIDS team hopes you’ll have fun with this release and is currently planning what to implement in 0.2.4 and in the next big milestone, 0.3.0. One major improvement in 0.2.4 will concern the logging facility, which is presently not very user-friendly and pretty ineffective.

.NETIDS v.0.1.1.0 released

Tuesday, June 26th, 2007

Just a quick note to announce the release of .NETIDS v.0.1.1.0 – a small update that adds some valuable features:

  • Fixed bug of empty Report.Tags object
  • Added options to SecurePage to disable each type of scanning
  • Updated filters

Most significantly, this means that you can control whether page Output Scanning is performed from a SecurePage-derived page. For those who are unaware, SecurePage is the simplest built-in way of scanning a page in .NETIDS. Simply inherit your page from SecurePage:

public partial class _Default : DOTNETIDS.SecurePage {

and add the method

public override void IDSEventHandler(DOTNETIDS.Report report, DOTNETIDS.SecurePage SecurePage)

This will ensure that your page is scanned in a secure-by-default fashion and also gives the option to disable each type of scan and add exclusions.

The latest package is available at the dotnetids homepage: http://code.google.com/p/dotnetids/

PHPIDS 0.2.3 is close

Sunday, June 24th, 2007

We are currently working on PHPIDS 0.2.3, which will be a pure feature release. We mostly optimized the algorithm that detects encoded payloads. The PHPIDS will be able to correctly detect payloads with decimal, octal and hexadecimal encoding – check out the demo links below to preview this feature:

Javascript charcode injection

Octal charcode injection

Hexadecimal charcode injection

We also optimized the rules again, added detection for mail header injections and the firefoxurl code execution attack, and removed dozens of false alerts. We expect the release to happen around Wednesday – stay tuned!
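The charcode normalisation described in this post and in the 0.2.3 release note above, as an added Python example (an illustration written for this page, not PHPIDS code): it rewrites String.fromCharCode(...) calls whose arguments are decimal, octal or hexadecimal literals, optionally combined with + - *, into the characters they produce, so that the plain filter rules can match the decoded payload. Assumptions: no parentheses or nesting inside the argument list, * binds before + and -, each code is wrapped to 16 bits as JavaScript does, and the sample inputs are constructed.

```python
import re
FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\s*\(([^()]*)\)', re.I)  # flat arg list
TOKEN_RE = re.compile(r'0x[0-9a-f]+|0[0-7]+|\d+|[-+*]', re.I)  # hex, octal, decimal, + - *
OPS = set('+-*')

def parse_number(tok):
    """Decode one JavaScript literal: 0x61 (hex), 0141 (octal) or 97 (decimal)."""
    t = tok.lower()
    if t.startswith('0x'):
        return int(t[2:], 16)
    if len(t) > 1 and t[0] == '0' and all(c in '01234567' for c in t):
        return int(t, 8)
    return int(t, 10)

def eval_arith(expr):
    """Evaluate '0x60+1' or '2*50+8' (* before + and -); None if not purely numeric."""
    tokens = TOKEN_RE.findall(expr)
    # Accept only number, operator, number, ... so malformed input stays undecoded.
    if len(tokens) % 2 == 0 or any((t in OPS) != bool(i % 2) for i, t in enumerate(tokens)):
        return None
    terms, sign, acc = [], 1, parse_number(tokens[0])
    for i in range(1, len(tokens), 2):
        op, rhs = tokens[i], parse_number(tokens[i + 1])
        if op == '*':
            acc *= rhs
        else:  # '+' or '-' closes the current product term
            terms.append(sign * acc)
            sign, acc = (1 if op == '+' else -1), rhs
    return sum(terms) + sign * acc

def decode_charcodes(value):
    """Replace numeric String.fromCharCode(...) calls with the characters they yield."""
    def repl(m):
        out = []
        for arg in m.group(1).split(','):
            code = eval_arith(arg)
            if code is None:
                return m.group(0)  # not decodable: keep the original text
            out.append(chr(code & 0xFFFF))  # JavaScript wraps each code to 16 bits
        return ''.join(out)
    return FROMCHARCODE_RE.sub(repl, value)

# Constructed samples (not from the page): the same word in each encoding.
SAMPLES = [
    "String.fromCharCode(97,108,101,114,116)",                 # decimal
    "String.fromCharCode(0141,0154,0145,0162,0164)",           # octal
    "String.fromCharCode(0x61,0x6c,0x65,0x72,0x74)",           # hexadecimal
    "String.fromCharCode(0x60+1, 2*50+8, 0145, 0x73-1, 116)",  # arithmetic
]
```

Running decode_charcodes over the constructed samples yields the same plain word for all four encodings, which is what lets one rule cover them; calls with non-numeric arguments are left untouched rather than guessed at.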

Trac back again

Wednesday, June 20th, 2007

The last piece of our database disaster is fixed now: our Trac installation is back again. Happy bug reporting!

.NETIDS 0.1.0.0 released

Tuesday, June 19th, 2007

After much testing/tweaking the first release of .NETIDS is upon us!

Featured in this release:

  • automatic String.fromCharCode conversion and detection
  • new and optimized filter rules
  • improved halfwidth/fullwidth encoding detection
  • enhanced UTF7 converter
  • enhanced nullbyte detection
  • page output/fragmented XSS scanning

Project home: .NETIDS

Binary: http://dotnetids.googlecode.com/files/dotnetids-src-0_1_0_0.zip
Source: http://dotnetids.googlecode.com/files/dotnetids-bin-0_1_0_0.zip
Documentation: http://www.the-mice.co.uk/dotnetids/docs/
Forum: http://forum.php-ids.org/?CategoryID=9

Many thanks to all who made this possible!

PHPIDS 0.2.2 released

Sunday, June 17th, 2007

We’re proud to announce the latest release of the PHPIDS.

PHPIDS 0.2.2 has many new features and comes with improved detection mechanisms and better performance. The most important changes are:

  • no usage of iconv/multibyte anymore (better compatibility)
  • automatic String.fromCharCode conversion and detection
  • new and optimized filter rules
  • improved halfwidth/fullwidth encoding detection
  • enhanced UTF7 converter
  • enhanced nullbyte detection
  • big performance increases

The API hasn’t changed so there shouldn’t be any problems upgrading from 0.2.0 or 0.2.1. If you have further questions don’t hesitate to needle us in the forum.

.NETIDS can detect fragmented XSS

Friday, June 15th, 2007

Just a quick note to say that some additional functionality has been bundled in before the (impending) release of .NETIDS 0.1: page output detection. This adds an entirely new dimension to threat detection, as now both input and output can be monitored for unexpected malicious strings.

The whole thing is explained in more detail here, but in the meantime check out these SmokeTests:

Test1

Test2

As always please let us know if you manage to either bypass detection or trigger a false positive!

Database disaster – the whole story

Wednesday, June 13th, 2007

We (we as in schokokeks.org) offered PHPIDS our infrastructure to host their web applications for free on one of our servers. The server on which the PHPIDS stuff is located was treated a bit too ignorantly by us, e.g. we did not really ensure a working backup, and our database configuration system was horribly broken by me (which crashed the tables). Talking about security on the one hand and making such huge mistakes on the other hand must seem a bit devious to you. And the sad thing is, you are right. I am really sorry for that inconvenience; the issues which broke the setup are fixed now and will never happen again. Fingers crossed.

PHPIDS vs Firefox comment handling bug

Wednesday, June 13th, 2007

Firefox’s handling of comment tags is a fickle business, as has been seen by the recent emergence of a fragmented XSS vulnerability when injection into comments is allowed. Suffice it to say that PHPIDS (and .NETIDS) is already able to detect this attack in several forms. Firstly, any injection of malicious script tags/attributes will be picked up by the IDS, and secondly the filter set is capable of detecting comments that have text between the opening and closing tags: <!so-- there is no luck --evading> our filters like this! Full details of the vulnerability can be found at Switch/Twitch.

We’re back!

Wednesday, June 13th, 2007

After some serious server issues we’re slowly coming back and refilling the page with content. Due to an unrecoverable database crash we lost the data of about 48 hours – not catastrophic but very displeasing.

We are currently working on bringing the forum back – you can already use the downloads page and the demo.

Please excuse the inconvenience,

Regards,
the PHPIDS Team