PHPIDS - get it!

It’s been a while – PHPIDS 0.6

Article written by .mario

It’s been a while since we released the latest version of the PHPIDS. We made a great many small changes to the rules and the Converter over the last weeks and months, so we decided to wait a little until the diff was large enough to justify the jump from 0.5.4 to 0.6.

A lot of new formats are now supported for de-obfuscation, including much better entity handling, more MSSQL obfuscation techniques, JavaScript backslash line breaks and a lot of other nasty things. We also optimized and fine-tuned the Centrifuge to provide better results in generic attack detection.

We optimized the rules against a ton of new SQL injection attack patterns, mostly submitted by Reiners and Roberto Salgado. Also, Gareth Heyes and David Lindsay found new and very interesting ways of executing JavaScript while bypassing the PHPIDS rules; here are some of these vectors:

this[('eva')+this.status +'l'](/xx.x.x/+name)

1' and 0x0 != mid(user(),1,1) or null/ 'null

<isindex/type=image
xyz=<iframe/src=javascript&#x3a&#x61lert&#x28&#x31&#x29>
onerror=undefined,/\//,outerHTML=xyz src=1>
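The third vector above works because browsers accept numeric character references without the terminating `;`, which a filter that only decodes well-formed entities never sees. The following is an added illustration in Python of why semicolon-tolerant entity decoding matters for detection; it is not the PHPIDS Converter's own code, and the sample input is the entity-encoded attribute value quoted from the vector above.

```python
import re

# Constructed sample: the entity-encoded attribute value from the third
# bypass vector in the post. A browser renders it as javascript:alert(1).
SAMPLE = "javascript&#x3a&#x61lert&#x28&#x31&#x29"

# Strict pattern: only references terminated by ';' (what a naive filter decodes).
STRICT_REF = re.compile(r"&#([xX][0-9a-fA-F]{1,6}|[0-9]{1,7});")
# Tolerant pattern: the ';' is optional, matching browser behaviour.
TOLERANT_REF = re.compile(r"&#([xX][0-9a-fA-F]{1,6}|[0-9]{1,7});?")


def _to_char(match: re.Match) -> str:
    """Turn one decimal or hex numeric character reference into its character."""
    ref = match.group(1)
    codepoint = int(ref[1:], 16) if ref[0] in "xX" else int(ref, 10)
    # Leave out-of-range or surrogate code points untouched instead of raising.
    if codepoint > 0x10FFFF or 0xD800 <= codepoint <= 0xDFFF:
        return match.group(0)
    return chr(codepoint)


def decode_strict(value: str) -> str:
    """Decode only ';'-terminated references."""
    return STRICT_REF.sub(_to_char, value)


def decode_tolerant(value: str) -> str:
    """Decode references with or without the trailing ';'."""
    return TOLERANT_REF.sub(_to_char, value)


def normalize(value: str, decoder=decode_tolerant) -> str:
    """Decode repeatedly (one layer may hide another), drop the control and
    whitespace characters browsers ignore inside a URI scheme, lowercase."""
    current = value
    for _ in range(4):
        decoded = decoder(current)
        if decoded == current:
            break
        current = decoded
    return re.sub(r"[\x00-\x20]", "", current).lower()


def has_script_scheme(value: str, decoder=decode_tolerant) -> bool:
    """Detection check: does the normalized value start with javascript:?"""
    return normalize(value, decoder).startswith("javascript:")
```

Running `has_script_scheme(SAMPLE)` with the strict decoder returns False and with the tolerant one True, which is the gap the improved entity handling closes.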

Furthermore, we made a lot of minor changes to ensure fewer false positives are produced. A lot of small bugs were fixed, thanks to our forum users’ reports and several tickets. Also, Christian wrote a great article about the PHPIDS for the German print magazine c’t. A slightly abridged version can be found here.

You can grab the latest copy in the downloads section as usual. Have fun with PHPIDS 0.6 and feel free to give us feedback and tell us what you think. And last but not least, thanks a lot to all who helped with this and former releases!

One Response to “It’s been a while – PHPIDS 0.6”

  1. Sven Says:

    Hi

    It seems that Internet Explorer 8 can not read your rss-feeds:

    https://trac.php-ids.org/index.fcgi/log/trunk/lib/IDS/default_filter.xml?limit=100&format=rss

    and

    https://trac.php-ids.org/index.fcgi/log/trunk/lib/IDS/Converter.php?limit=100&format=rss

    The error message I get is “Internet Explorer was unable to update this feed and will try again later”. The latest update was April 5/6.
