PHPIDS » Web Application Security 2.0

Again we are very proud to announce: PHPIDS 0.5.2 is officially out after a lot of changes and improvements on the recent version. Most mentionable is a performance tweak discovered by Ingo Bax that might save you over 60% of computing time in certain scenarios – just by having removed the case-insensitivity regex modifier in the detection process and having optimized the rules for this change.

Also we fixed a lot of false alerts – especially when dealing with frameworks that tend to accept serialized arrays and objects as parameters. Xajax is one of those and you should be able to combine the PHPIDS and Xajax without any trouble anymore. Of course those weren’t the only false alerts we fixed – the rules received some major slenderizing. Also Nick Benson from sla.ckers.org helped us to optimize several regular expressions in the rules – especially among the SQL Injection detection rules.

What makes us most happy with this release is the fact that we didn’t have any false negatives during the last weeks – not a single one. So it kind of seems that the project has reached a state that even we considered to be almost impossible.

There are several interesting ports growing – like already mentioned in the last release post and meanwhile we are in good dialog with the ModSecurity team which will definitely help to improve both tools.

So – we wish you a lot of fun with the new release and look forward for your feedback.

This post is just meant to inform you that there is an article on PHPIDS printed in the most recent issue of our German PHP Magazine.

Its content is pretty much oriented on the white paper we published earlier so it won’t tell you anything new unless you haven’t known PHPIDS before and just want to get started with it. For that purpose, this article should be a perfect guideline as it covers all the aspects that are necessary to install the system on top of an existing application and then work with it in terms of result analysis.

Unfortunately it was written quite some time ago and published just now, so it doesn’t cover all the cool new features that are available since PHPIDS version >= 0.5. That means you won’t find anything on allowed HTML code in user input, which PHPIDS is capable of to detect and differ from malicious script fragments since the 0.5 branch. It’s pretty easy to work with this feature though and you can catch up on it on our website. If you have any and problems or suggestions, you’re more than welcome to address them on the forums.

Finally the next release of the PHPIDS has arrived – meanwhile at 0.5.1.

We fixed a lot of minor bugs and added a whole bunch of new conversion features for more or less esoteric attack vectors. The very interesting issues Gareth Heyes found some days ago are no longer a danger for PHPIDS users – as well as the pretty ugly XSS DoS attempts possible in Firefox 3. Also the WYSIWYG attack detection has been improved and should provide way more reliability combined with less false alerts.

The filter rules now have IDs – which you can of course access with a getter in the filter object. Thanks to the collaboration with epublica the filter rules have now even better compatibility with Perl regular expressions and other dialects.

Besides the addition of the ID-getter we had no API changes – so an upgrade shouldn’t be a problem at all. We hope you like the new release and provide us with tons of feedback as usual. Stay tuned – the next weeks will be pretty packed with news about collaborations with other security solutions.