PHPIDS - get it!

Archive for November, 2007

WPIDS Version 0.1 released

Thursday, November 22nd, 2007

I’m proud to announce that WPIDS v0.1 is now officially available – please don’t be confused by the version jump from 1.x down to 0.1. You’re grabbing the freshest sources with this release.

It has been some time since the last public release, but we added a lot of useful things. For example, the parameters flowing into the back end are no longer monitored, so your website stays operable. Furthermore, we added some really nice checks against known intrusion attempts against WordPress. PHPIDS 0.4.3 was integrated directly after its release too. An even newer version is already on the way, which will use HTMLPurifier to take care of the comments and the content field.

So don’t wait and get your copy of WPIDS – you can download it here.

Finally, I want to thank Gareth and Mario for their valuable input for this project.

PHPIDS 0.4.3 is out of the cage

Tuesday, November 20th, 2007

Today we proudly release PHPIDS 0.4.3. This time we invested all the spare time we had over the last weeks in enhancing the converter and the rules. That means way better intrusion detection and even fewer false alerts than with the last release.

Thanks to the great help from Johannes Dahse we managed to tweak the rules to catch way more SQL Injections – especially the super short ones for authentication bypass and information disclosure. And – we didn’t believe it ourselves – SirDarckCat and Gareth Heyes even found some new XSS vectors slipping through the rules. We also optimized the converter against several evil Unicode characters and other possibilities to obfuscate payload.

Furthermore we did some more testing and optimization on the PHPIDS centrifuge. After several weeks of high traffic beta testing we agreed to remove the ‘beta’-label from this module too. Be sure to grab the files from here as soon as possible :)

The coming releases will head straight towards 0.5 – the usability and scalability release. We hope you are looking forward to this one as much as we are – and enjoy PHPIDS 0.4.3.

CSRFx – the youngest PHPIDS family member

Monday, November 19th, 2007

We recently created a Google source code repository for CSRFx and a CSRFx Google group. This tool provides – besides a name which can’t be pronounced by human tongue – a possibility to protect existing PHP5 based web applications against CSRF attacks.

The tool gives the developer the chance to define request patterns which should be protected against CSRF. Also there’s the possibility to define request patterns which shouldn’t be protected to cover ranges like example.com/admin/whatever.

The implementation process is pretty easy. You just have to create a configuration file for your application (an example file for CakePHP is bundled, more will follow soon), define the request patterns, create the necessary database table, include the files First.php and Last.php via auto_prepend_file/auto_append_file and that’s it. You can of course also use your index.php for inclusion if that’s possible. We are already testing the tool on several live applications – so we can guarantee pretty good stability already.
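A sketch of the kind of check a file loaded via auto_prepend_file can run, with protect and exclude patterns as described above. This is an added example, not CSRFx code: the pattern lists, function names and array-backed token store are assumptions (CSRFx uses its own configuration file and a database table), and it targets PHP 7 or later.

```php
<?php
// Added illustration, not CSRFx source. Pattern lists, function names and the
// array-backed token store are assumptions; CSRFx itself uses a database table.

// Hypothetical configuration: regexes matched against the request path.
const PROTECT = ['#/(add|edit|delete)(/|$)#'];  // state-changing actions
const EXCLUDE = ['#^/admin/#'];                 // ranges left unprotected

function matches_any(array $patterns, string $path): bool {
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $path) === 1) {
            return true;
        }
    }
    return false;
}

// Exclusions are evaluated first so a carve-out always overrides a broad rule.
function needs_csrf_check(string $path): bool {
    return !matches_any(EXCLUDE, $path) && matches_any(PROTECT, $path);
}

function issue_token(array &$session): string {
    return $session['csrf_token'] = bin2hex(random_bytes(32));
}

// Constant-time comparison; a missing token on either side fails closed.
function token_valid(array $session, $submitted): bool {
    return isset($session['csrf_token']) && is_string($submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// What a prepended guard would decide for one request: 'pass' or 'reject'.
function guard(string $uri, array $params, array $session): string {
    $path = parse_url($uri, PHP_URL_PATH) ?: '/';
    if (!needs_csrf_check($path)) {
        return 'pass';
    }
    return token_valid($session, $params['csrf_token'] ?? null) ? 'pass' : 'reject';
}

// Constructed sample requests (not real traffic).
$session = [];
$token = issue_token($session);
echo guard('/posts/view/7', [], $session), "\n";
echo guard('/posts/delete/7', [], $session), "\n";
echo guard('/posts/delete/7?x=1', ['csrf_token' => $token], $session), "\n";
echo guard('/admin/posts/delete/7', [], $session), "\n";
```

In a real deployment the guard would read `$_SERVER['REQUEST_URI']`, the request parameters and the session, and answer a rejected request with a 403 before the application code runs.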

If you’d like to play with it just grab the sources. Comments, questions and contributions are highly appreciated as usual. Have fun!

Interview with Reiners

Friday, November 2nd, 2007

Today we are talking to Reiners, who helped us enhance the SQL Injection detection rules. Thanks to his outstanding work we were able to identify lots of bugs in the rules and make the PHPIDS a lot better in SQL Injection detection than we ever thought it could be.

Q: Please tell us a little bit about yourself?

My name is Johannes Dahse and I am studying “IT-Security” at the Ruhr University Bochum in Germany. Besides my studies I read a lot about web security and experiment with it, or I write some code for smaller projects. I also like to work out, and hang out with friends and grab some beers.

Q: During the last weeks we got to know you as a top-notch SQL Injection expert – how come?

It started with learning PHP and MySQL about 4 years ago. Back then, I was already interested in security in general and did a lot of research. While participating in the last CIPHER (a Capture The Flag-style wargame) I noticed that my SQLi knowledge was a bit rusty and started to do more research on it, which led me to PHP-IDS. I learned a lot during the challenge to trick the filters and had a lot of fun.

Q: XSS vs. SQLI can you compare them? If yes, whose impact is bigger?

That is an interesting question. Generally I would say SQLi is more dangerous because it is a server-side problem and can lead to a full takeover. But it depends on what the attacker wants to do, the DBMS and its settings of course. And there may be a lot of scenarios where XSS as client-side attack is way more effective to reach your goals.
You shouldn’t have one of those holes in your webapp anyway, but I’d rather like to know an XSS hole in my app than an SQLi ;)

Q: WebAppSec in five years – any prognoses?

I think WebAppSec is getting more and more important. The number of web applications is growing; however, most of their developers tend to ignore web security. Additionally, many people release their personal information on the internet and therefore, the security of this personal data will play a major role.

Q: Whom would you like to invite for dinner and why?

Haha, I can think of a couple of lovely ladies I’d like to meet but I guess you are asking towards webappsec. Well, since I really enjoy reading Ronald’s blog (www.0x000000.com) I think it would be really interesting having a chat with him. He has some really interesting posts I’d like to talk more about.

Q: Thanks for the interview!