PHPIDS - get it!

Archive for the ‘PHPIDS’ Category

Interview with Kishor

Saturday, September 15th, 2007

Today we talk to Kishor Datar. He joined the PHPIDS team pretty early and has since provided great help in improving the filter rules and in writing tools to test the quality of the PHPIDS.

Kishor is well known in the webappsec scene and maintains an interesting blog about security in general. He is furthermore the author of the XSS in eXceSS tool, which is a number one reference for developers who want to get in touch with XSS.

Q: Please tell us a little bit about yourself.

A: The shorter version of my name is Kishor Datar. I am a Master's student at the University of Maryland, Baltimore County. Well, I just have about two years of experience in the software industry. I know (rather, knew) Indian Classical Music a little bit. And I try to learn guitar on my own.

Q: How did you get involved in webappsec?

A: I had developed a web app firewall as my undergrad project. It was based on regexes, like PHPIDS is. But it wasn’t perfect, if I may say. In fact I knew nothing about XSS back then. So we had very simple rules that blocked script tags and some more things. Also, since we built the proxy ourselves, we didn’t handle most of the other things like encoding etc. Then I worked for two years with a company that built a web security scanner. There I learned more about web security. About one year back I started blogging. So I am relatively new to web app sec.

Q: What color is your hat usually, and why?

A: White hat. Unless the issue is very trivial I don’t like to go for full disclosure.

Q: Where do you see webappsec in, let’s say, 5 years?

A: After five years, collaboration between web apps will have increased further. They will become more and more flexible. Therefore security will be an important goal in the web app development cycle, and therefore web app sec will also maintain its importance.

Q: What do you think of the PHPIDS and related projects?

A: Since the time I started blogging and getting involved in the web sec community, I have seen people talking only about the problems (IMO). They either talked about how to exploit something or about tools that found security holes for you. They rarely talked about the solutions. PHPIDS, I feel, is different from these projects, because it actually produced something useful. I personally learned a lot from it. And I enjoyed decoding the complex vectors that others developed. And how much time do they take to fix a vector? Just 15 mins? That's really impressive.

Q: Thanks a lot for the interview!

Interview with Gareth Heyes

Sunday, September 9th, 2007

This is the second part of a series of interviews with people from the PHPIDS group. Today we are chatting with Gareth Heyes.

He recently submitted a bunch of concatenation vectors which gave us real headaches and helped a lot to improve the rules and the converter unit. Gareth is pretty well-known in the security scene and created various tools like the CSK and the JSFuzzer.

You can get a taste of his work here and here. Have fun reading!

Q: Please tell us a little bit about yourself?

My name is Gareth Heyes and I work for a big insurance firm near Manchester. I spend most of my daily working life developing web applications and learning new programming techniques. I’m always hacking my own stuff and trying to improve my code on a daily basis. My security work is done in my spare time and I often spend many hours in front of a monitor into the early hours of the morning. I’m married, have two dogs and I love playing and watching football when I’m not hacking.

Q: Who are The Spanners?

My mate Jake Smith asked if I wanted to be involved in a community web development blog. The name came from the “span” HTML tag; the original goal was to create a blog to enable designers and programmers to share knowledge. I started to post a lot of security stuff because I was really into doing security research, and it expanded from there. I feel a bit guilty for taking over the blog, but Jake assures me that he doesn’t mind and enjoys reading my stuff.

Q: You in ten years - looking back at WebAppSec today. What would you say?

I’d say it’s much harder to secure a web site than it was 10 years ago. The browser security model needs to improve because the attacks are always getting better. The basic browser security model hasn’t changed much and that worries me a great deal; even the same attacks from 10 years ago will work now. One thing that hasn’t changed much is vendors: I submitted XSS attacks to AOL, MSN and Altavista 10 years ago and never got a reply! At the time I didn’t know it was XSS, I just found that I could insert HTML into their search results.

Q: JavaScript is… please complete the sentence!

The ultimate hacking tool :)

Q: You spent lots of time in creating supreme vectors to test the PHPIDS - why?

Lots of reasons really. I love the project and the fact that it is open source, and the challenge of beating your filters after so many talented people have submitted vectors. Most of all though, I was tempted by Sirdarckcat’s post. I love being challenged to do something that people think is difficult or impossible, and I suppose that is why I like security research so much.

Q: Thanks a lot for the interview, Gareth!

Interview with SirDarckCat

Saturday, September 1st, 2007

This is the first part of a series of interviews with people from the PHPIDS group. Today we are talking with SirDarckCat, who helped us a lot in hardening the PHPIDS against complex XSS attacks. Besides a few others, he showed us what obfuscated JavaScript really looks like and gave us several headaches when fixing the rules against his attack vectors, which you can see here and here. Have fun reading!

Q: Please tell us a little bit about yourself.

A: Well, my name is Eduardo Vela. I’m studying Engineering in Computational Technologies at “Monterrey Institute of Technology and Superior Studies”. I’ve been collaborating with some communities, mainly developing tools and documents and doing some research in security. In the rest of my free time, I play piano and hang out.

Q: How did you get involved in webappsec?

A: Actually, as a need. I first learned HTML like 6 years ago, then I needed more interactivity and learned JavaScript, then I needed more security and learned PHP and mySQL, and that’s where I started breaking things. Since then, I’ve been working with war games and pen-testing. My passion is security-related programming, so all the time I’m doing some exploit, researching some vuln, or making some tool.

Q: What color is your hat usually, and why?

A: My hat? Well, I am mostly white hat. Responsible disclosure is the best way to go; it gave me good results in the past, and helping to secure the applications I use is not a service I’m giving to the vendor, it’s a service I’m giving to myself. Anyway, I have to admit that from time to time I get involved in some black hat projects; white hat is more self-rewarding, and it’s even more fun.

Q: Where do you see webappsec in, let’s say, 5 years?

A: The webappsec industry is still under development (let’s say we aren’t in beta any more, but the release isn’t very stable). New attacks are still being invented, and new types of vulnerabilities and tools for exploiting them are under development (that’s for the bad guys). Also, the research on countermeasures is not so developed; today the attacks are superior to the protections. As I see it, we are on the rise of the industry, and in 5 years it should be at its most.

Q: What do you think of the PHPIDS and related projects?

A: I’ve needed to deal with Apache’s mod_security and mod_rewrite rules (and some PHP-based attack detection scripts, and a lot of really bad filters) that are extremely easy to bypass. They create an illusion of security for admins that doesn’t really exist. It’s very important to create real tools (created by hackers, not webmasters), and phpids is one of the few that actually gives developers the ability to deal with real attacks.

Q: Thanks a lot for the interview!

PHPIDS 0.3.2 fresh out of the lab

Tuesday, August 28th, 2007

Today we released PHPIDS 0.3.2 with many exciting new features. We had some very interesting contributions from people all over the planet and most of them found their way into this release.

Johannes Dahse helped us a lot in improving the SQL injection rules with tons of formerly undetected vectors, and we had some great talks with Kevin Schroeder about performance, which led us to do some caching work. By caching the storage object we were able to reach a performance boost of over 40%.

Also we’d like to mention that there’s now a basic PHPIDS WordPress plugin available, written by H. Beyer, and you can expect more from the BlogSecurity group soon.

SirDarckCat recently managed to XSS the PHPIDS again - with two surprisingly basic and one insanely advanced XSS vector - and thanks to his advice we now feature a method to deal with faulty JS parsing in Gecko-based browsers.

Here’s a list of the majority of new features:

  • Caching of the storage object
  • Fewer false positives again
  • Way better detection of SQL injection attacks
  • Optimized CRLF detection - thanks to Stevenr from the PHPIDS forum
  • Finally - a database logger based on PDO
  • Basic methods to deal with faulty Firefox JS parsing
  • Fewer lines of code

We hope you have fun with the new release and keep up the great support. Meanwhile we are working hard on the 0.4 release, and in the next few days you can expect the alpha of the PHPIDS Typo3 extension.

PHP4IDS 0.2.1 released

Monday, August 13th, 2007

PHP4IDS 0.2.1 is now available for public download. The current version includes the xml filter file from PHPIDS 0.3.1 and contains several small adjustments to resemble the PHPIDS 0.3.1 filter matching process - including the support for IDSMonitor::ScanKeys() and IDSRegexpFilter::Flags().

Furthermore, API documentation (PHPDocumentor) is included, and example.php has been updated to the latest PHPIDS tests.

The download of version 0.2.1 is available in the downloads section or via SVN http://php4ids.googlecode.com/svn/trunk/

If you have any suggestions for future improvements to PHP4IDS please contribute to our own forum area here on php-ids.org.

False positives and you

Saturday, August 4th, 2007

To ease the process of finding and removing false positives we recently updated the demo page. You can now use the form in the sidebar to submit false positives.

Those are directly sent to a DabbleDB application - a free database hosted on the DabbleDB servers. This enables easy maintainability for us and the usage of automated regression test scripts even for false positives. You can find the public views and many export formats for the (once) existing false alert data here.

We monitor the database via feed reader, so if you send in a false alert it will usually be fixed in the trunk within hours or sometimes even minutes.

PHPIDS 0.3.1 is ready

Thursday, August 2nd, 2007

Again we’re proud to release the new version of the PHPIDS - 0.3.1. This release features plenty of bugfixes, enhancements in stability, performance and optimized filter rules. Here’s a list of the most important changes.

  • default_filter.xml was moved into the IDS folder
  • A whole bunch of false alerts was removed
  • Even more false alerts were removed
  • Detection rules for the most recent exploits were added - including the URI exploits, Konqueror UXSS, more complex SQLi attacks etc.
  • Also the PHPIDS now provides optional key scanning - disabled by default but you can enable it using the $scanKeys property in Monitor.php
  • We also enhanced the loggers to provide more comprehensive output
  • Improved inline documentation to make the code more comprehensible
  • The report object now features a __toString method with which you can easily dump out detected results
  • And all that with fewer lines of code!
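The optional key scanning listed above matters because a request parameter's *name* is attacker-controlled just like its value, so a monitor that only inspects values can be walked past by putting the payload in the key. The following is an added Python illustration written for this page, not PHPIDS code: the toy rule set, the `scan_request` function and the sample request are all constructed here, and the `scan_keys` switch only mirrors the idea of the `$scanKeys` property described in the release notes.

```python
import re

# Constructed toy rule set in the spirit of regex-based IDS filters.
# These are illustrative patterns, not the project's default_filter.xml.
TOY_RULES = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "js_event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "sql_union": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE),
}


def scan_request(params, rules=TOY_RULES, scan_keys=False):
    """Return a list of (field, where, rule_name) hits for one request.

    `where` is "value" or "key". Parameter names are only inspected when
    scan_keys is True; with the default False a payload hidden in the name
    goes unnoticed, which is exactly the gap key scanning closes.
    """
    hits = []
    for key, value in params.items():
        targets = [("value", value)]
        if scan_keys:
            targets.append(("key", key))
        for where, text in targets:
            for name, pattern in rules.items():
                if pattern.search(text):
                    hits.append((key, where, name))
    return hits


# Constructed sample request: the payload lives in the parameter name,
# while every value is harmless.
SAMPLE_PARAMS = {
    "<script>alert(1)</script>": "harmless",
    "q": "phpids release notes",
}


if __name__ == "__main__":
    print("values only:", scan_request(SAMPLE_PARAMS))
    print("values and keys:", scan_request(SAMPLE_PARAMS, scan_keys=True))
```

Run as a script it prints an empty hit list for the value-only scan and one `script_tag` hit on the key when key scanning is enabled. The cost of enabling it is that every rule runs twice per parameter, which is why a project might leave it off by default and let deployments that accept arbitrary field names opt in.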

We hope you like the new release as much as we do - just drop us a line in the forum if you have any issues with it!

Fighting false alerts

Thursday, July 26th, 2007

The next release of the PHPIDS is close, and this one is dedicated especially to false alerts. Since we are getting tons of data from some of our clients, we are able to optimize the rules for more precise detection.

If you have an application running with PHPIDS on top, feel free to send us information about the false alerts you see - we are currently building up an automated regression test system for exactly that purpose. The more data we get, the better the PHPIDS will be in the near future.

In the meantime we hope you have fun with the PHPIDS 0.3 - by the way the rules in the trunk are always tested before commit so feel free to check them out any time!

IDS-Test-Suite is Available!

Tuesday, July 17th, 2007

A GreaseMonkey script that lets you test your IDS installation against the latest attack vectors is available here.

The script was written with the following goals in mind:

  • To perform regression tests on the IDS (during the development phase).
  • To perform false positive/negative tests.
  • To let IDS users verify that they are safe against latest attack vectors and are using the latest rule sets.

The script is simple to use:

  • Load the PHPIDS test URL (on your server) in the browser.
  • Go to the ‘User Script Commands’ option under the GreaseMonkey status bar icon and click ‘Run IDS Test’.
  • Choose to run either one or all 3 default attack vector files by clicking OK/CANCEL.
  • Choose whether you want to test the IDS with POST requests.
  • Choose whether you want to test the IDS for false positives or false negatives.
  • After the test completes, the results can be viewed in the Error Console window.

Notes:

  • If the script finds a response code other than 200 on attack, it gets reported in the error console.
  • The script injects a parameter named ‘test’ in GET and POST requests.
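Both the automated false-alert regression system mentioned in "Fighting false alerts" and the test-suite goals above come down to the same loop: send known attack vectors and known benign inputs through the IDS and count what is missed and what is wrongly flagged. The block below is an added Python example written for this page (it is not the GreaseMonkey script and not PHPIDS code). It mimics the script's behaviour of injecting each input as a parameter named `test` and reporting non-200 responses, but instead of a live server it calls a constructed stand-in endpoint backed by a toy rule set; the rules, vectors and benign inputs are all constructed here.

```python
import re
from urllib.parse import parse_qs, urlencode

# Constructed toy rules standing in for an IDS filter set (not PHPIDS' own rules).
RULES = [
    ("xss_tag", re.compile(r"<\s*(script|img|svg|iframe)\b", re.I)),
    ("xss_handler", re.compile(r"\bon(error|load|click|mouseover)\s*=", re.I)),
    ("sqli_union", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("sqli_tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
]


def stub_ids_endpoint(query_string):
    """Constructed stand-in for the test URL on an IDS-protected server.

    Returns (http_status, impact); impact 0 means nothing was flagged.
    A real harness would issue an HTTP request here instead."""
    params = parse_qs(query_string, keep_blank_values=True)
    impact = 0
    for values in params.values():
        for value in values:
            impact += sum(1 for _, rx in RULES if rx.search(value))
    return 200, impact


def run_suite(vectors, benign, endpoint=stub_ids_endpoint, param="test"):
    """Send every input as the `test` parameter and classify the outcome.

    Attack vectors with impact 0 are false negatives (missed attacks);
    benign inputs with impact > 0 are false positives (false alerts);
    any non-200 status is recorded as an error, as the GreaseMonkey
    script does in the Error Console."""
    report = {"false_negatives": [], "false_positives": [], "errors": []}
    for kind, inputs in (("attack", vectors), ("benign", benign)):
        for text in inputs:
            status, impact = endpoint(urlencode({param: text}))
            if status != 200:
                report["errors"].append((text, status))
                continue
            if kind == "attack" and impact == 0:
                report["false_negatives"].append(text)
            elif kind == "benign" and impact > 0:
                report["false_positives"].append(text)
    return report


# Constructed regression corpus: known attacks and known-good user input.
ATTACK_VECTORS = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "1' UNION SELECT username, password FROM users--",
    "' or '1'='1",
    "javascript:alert(1)",  # deliberately not covered by the toy rules
]
BENIGN_INPUTS = [
    "Select a union or click on error messages",  # keywords as words, not syntax
    "price < 100 and quantity > 5",
    "O'Brien's order #12",
]


if __name__ == "__main__":
    for key, items in run_suite(ATTACK_VECTORS, BENIGN_INPUTS).items():
        print(key, items)
```

With the toy rules the report shows one false negative (`javascript:alert(1)`) and no false positives, which is the shape of output a rule maintainer wants: every entry in `false_negatives` is a rule gap to close, every entry in `false_positives` is a rule that is too broad, and the corpus grows each time a user submits a new false alert. Swapping `stub_ids_endpoint` for a function that performs a real request against your own test URL turns this into the remote check the GreaseMonkey script performs.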

PHPIDS 0.3 has arrived!

Thursday, July 12th, 2007

After weeks of really hard work and great support in the group and the forum, we finally announce the release of PHPIDS 0.3. We had some tough battles with pretty exotic XSS vectors and optimized lots of the filter rules. Also we improved the SQL injection detection and added rules to detect the current Firefox flaws. The internal converter is now able to detect string concatenations, works way better with comments (S/**/E/**/LE/**/CT is no problem anymore for the PHPIDS) and has logic to detect basic algebra inside charcoded strings.
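The three converter behaviours named above (comment stripping, string-concatenation joining and arithmetic inside charcode calls) share one design: normalize the input first, then match the rules against the normalized form, so that a rule written for `SELECT` or `alert` still fires when the keyword arrives in pieces. The block below is an added Python illustration of that pipeline written for this page; it is not the PHPIDS converter. The regexes, the arithmetic evaluator, the two toy rules and the sample inputs are all constructed here, and the evaluator deliberately accepts only integer literals with `+`, `-` and `*` rather than calling `eval()`.

```python
import ast
import re

_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)             # /* ... */ inline comments
_CONCAT = re.compile(r"'([^']*)'\s*[+.]\s*'([^']*)'")      # 'ab' + 'cd' or 'ab' . 'cd'
_CHARCODE = re.compile(r"String\.fromCharCode\s*\(([^)]*)\)", re.IGNORECASE)


def _safe_int(expr):
    """Evaluate simple integer arithmetic (decimal/hex literals, + - *) via the AST.

    Anything else (names, calls, unary minus, floats) raises ValueError so the
    caller can leave the original text untouched instead of guessing."""
    tree = ast.parse(expr.strip(), mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Sub, ast.Mult)):
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Add):
                return left + right
            if isinstance(node.op, ast.Sub):
                return left - right
            return left * right
        raise ValueError("unsupported charcode expression: %r" % expr)

    return walk(tree)


def convert_comments(s):
    """S/**/E/**/LE/**/CT -> SELECT"""
    return _COMMENT.sub("", s)


def normalize_quotes(s):
    """Fold double quotes and backticks onto single quotes so one concat regex suffices."""
    return s.replace('"', "'").replace("`", "'")


def convert_charcode(s):
    """String.fromCharCode(96+5, 0x72, 116) -> 'ert'; unsupported arguments are left as-is."""
    def repl(match):
        try:
            chars = [chr(_safe_int(a)) for a in match.group(1).split(",") if a.strip()]
        except (ValueError, SyntaxError):
            return match.group(0)
        return "'" + "".join(chars) + "'"
    return _CHARCODE.sub(repl, s)


def convert_concat(s):
    """'al'+'ert' -> 'alert', repeated until no adjacent literals remain."""
    prev = None
    while prev != s:
        prev, s = s, _CONCAT.sub(r"'\1\2'", s)
    return s


def normalize(s):
    # Charcode decoding runs before concatenation so decoded pieces can be joined too.
    for step in (convert_comments, normalize_quotes, convert_charcode, convert_concat):
        s = step(s)
    return s


# Constructed toy rules that look for the keyword in its plain form only.
TOY_RULES = {
    "sql_select": re.compile(r"\bselect\b.+\bfrom\b", re.I),
    "js_alert": re.compile(r"\balert\b", re.I),
}


def detect(s):
    """Names of the toy rules that match the *normalized* input, sorted."""
    normalized = normalize(s)
    return sorted(name for name, rx in TOY_RULES.items() if rx.search(normalized))


if __name__ == "__main__":
    # Constructed samples: obfuscated forms that the plain rules would miss unnormalized.
    for sample in ("S/**/E/**/LE/**/CT name F/**/ROM users",
                   "window['al'+String.fromCharCode(96+5, 0x72, 116)](1)",
                   'window["al"+"ert"](1)',
                   "a plain comment /* nothing */ here"):
        print(repr(sample), "->", repr(normalize(sample)), detect(sample))
```

Each obfuscated sample fails to match the plain rules as written but matches after normalization, while the benign comment sample stays clean. The order of the stages is the part worth copying: decoding runs before joining, and each stage only ever removes obfuscation, so a rule author can keep writing rules against the readable form.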

We also worked on the documentation and on the examples - there should be way less trouble to install the PHPIDS - if there ever was ;)

Here’s a list of the major new features:

  • Enhanced concatenation converter
  • Enhanced charcode converter
  • Comment converter and quote normalization
  • A whole bunch of new rules
  • Even more optimized old rules
  • Better documentation and examples
  • A whole CakePHP component package amongst the examples
  • Still no PHP4 support - but PHP4IDS has!

The PHPIDS team hopes you like the new packages and especially thanks Kishor, SirDarckCat, Ronald v.d. Heetkamp and Giorgio Maone for their great support.