PHPIDS - get it!

Archive for the ‘PHPIDS’ Category

IDS-Test-Suite is Available!

Tuesday, July 17th, 2007

A GreaseMonkey script that lets you test your IDS installation against the latest attack vectors is available here.

The script was written with the following goals in mind:

  • To perform regression tests on the IDS (during the development phase).
  • To perform false positive/negative tests.
  • To let IDS users verify that they are safe against the latest attack vectors and are using the latest rule sets.

The script is simple to use:

  • Load the PHPIDS test URL (on your server) in the browser
  • Go to ‘User Script Commands’ option under GreaseMonkey status bar icon and click ‘Run IDS Test’
  • Choose to run either one or all 3 default attack vector files by clicking OK/CANCEL.
  • Choose whether you want to test IDS with POST requests
  • Choose whether you want to test the IDS for false positives or false negatives.
  • After the test completes, the results can be viewed in the Error Console window.

Notes:

  • If the script gets a response code other than 200 for an attack vector, this is reported in the error console.
  • The script injects a parameter named ‘test’ into GET and POST requests.
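The same procedure, as an added example that is not the GreaseMonkey script from this post: a Python harness that replays constructed attack and benign vectors through a parameter named test by GET and POST, treats any non-200 response as "blocked", and lists false negatives (attacks answered 200) and false positives (benign input answered with anything else). The target URL is hypothetical, the vector lists are constructed, and fake_ids_probe is a constructed stand-in for an IDS-protected page so the run works offline; http_probe is the network version you would actually point at your test page.

```python
"""Offline model of what the IDS test suite does: replay attack vectors and
benign inputs through a parameter named 'test' (GET and POST), treat any
non-200 response as 'the IDS blocked it', and report false negatives and
false positives. Added example, not the GreaseMonkey script itself."""
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Iterable, List

# Constructed sample vector sets (the real script ships three vector files).
ATTACK_VECTORS = [
    "<script>alert(1)</script>",
    "' OR 1=1--",
    "javascript:alert(String.fromCharCode(88,83,83))",
    "<img src=x onerror=alert(1)>",
]
BENIGN_INPUTS = [
    "hello world",
    "price < 100 && stock > 0",
    "O'Reilly",
    "javascript: the good parts",
]

# A prober takes (url, method, payload) and returns the HTTP status code.
Prober = Callable[[str, str, str], int]


def http_probe(url: str, method: str, payload: str, timeout: float = 5.0) -> int:
    """Send the payload as the 'test' parameter by GET or POST and return the
    status code; 4xx/5xx come back as codes, not exceptions. Needs network."""
    encoded = urllib.parse.urlencode({"test": payload})
    if method == "GET":
        req = urllib.request.Request(f"{url}?{encoded}", method="GET")
    else:
        req = urllib.request.Request(url, data=encoded.encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


@dataclass
class Report:
    false_negatives: List[str] = field(default_factory=list)  # attacks answered 200
    false_positives: List[str] = field(default_factory=list)  # benign answered != 200

    def summary(self) -> str:
        return (f"{len(self.false_negatives)} false negative(s), "
                f"{len(self.false_positives)} false positive(s)")


def run_suite(url: str, probe: Prober,
              attacks: Iterable[str] = ATTACK_VECTORS,
              benign: Iterable[str] = BENIGN_INPUTS,
              methods: Iterable[str] = ("GET", "POST")) -> Report:
    """Replay every vector with every method and classify the responses."""
    report = Report()
    for method in methods:
        for vector in attacks:
            if probe(url, method, vector) == 200:
                report.false_negatives.append(f"{method} {vector!r}")
        for text in benign:
            status = probe(url, method, text)
            if status != 200:
                report.false_positives.append(f"{method} {text!r} -> {status}")
    return report


def fake_ids_probe(url: str, method: str, payload: str) -> int:
    """Constructed stand-in for an IDS-protected page so the harness runs
    offline: answers 403 on a crude substring match, 200 otherwise. Its gaps
    are deliberate, so the report is not empty."""
    signatures = ("<script", "' or ", "fromcharcode", "javascript:")
    lowered = payload.lower()
    return 403 if any(sig in lowered for sig in signatures) else 200


if __name__ == "__main__":
    result = run_suite("http://ids.example.invalid/test.php", fake_ids_probe)
    print(result.summary())
    for line in result.false_negatives + result.false_positives:
        print("  ", line)
```

Swap fake_ids_probe for http_probe to run this against your own PHPIDS test page. A non-200 status is only a usable signal if that page really rejects or redirects on detection; if it logs and still answers 200, check the IDS log instead of the status code.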

PHPIDS 0.3 has arrived!

Thursday, July 12th, 2007

After weeks of really hard work and great support in the group and the forum we finally announce the release of PHPIDS 0.3. We had some tough battles with pretty exotic XSS vectors and optimized lots of the filter rules. We also improved the SQL injection detection and added rules to detect the current Firefox flaws. The internal converter is now able to detect string concatenations, works much better with comments (S/**/E/**/LE/**/CT is no problem anymore for the PHPIDS) and has logic to detect basic algebra inside charcoded strings.

We also worked on the documentation and on the examples - there should be way less trouble to install the PHPIDS - if there ever was ;)
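As an added illustration (not PHPIDS code) of why the converter has to run before the rules: three constructed rules miss the raw inputs and fire once inline comments are stripped, quotes are folded and string concatenation is collapsed. The rules and the sample inputs are constructed for this example and are much cruder than the real filter set.

```python
"""Converter-then-rules pipeline from the 0.3 notes, as a toy: strip inline
comments, fold quotes, collapse string concatenation, and only then match rules.
Added example; the rules and samples are constructed, not the PHPIDS rule set."""
import re
from typing import List

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# 'a'+'b'  'a'||'b'  'a'.'b'  'a'&'b'  ->  'ab'   (JS/MSSQL, Oracle, PHP, VBScript)
CONCAT = re.compile(r"'\s*(?:\+|\|\||\.|&)\s*'")


def strip_inline_comments(s: str) -> str:
    """S/**/E/**/LE/**/CT -> SELECT: comment splitting hides keywords from rules."""
    return INLINE_COMMENT.sub("", s)


def normalize_quotes(s: str) -> str:
    """Fold double quotes and backticks to single quotes so rules need one form."""
    return s.replace('"', "'").replace("`", "'")


def collapse_concatenation(s: str) -> str:
    """'ale'+'rt' -> 'alert'; runs after quote folding so "ale"+"rt" works too."""
    return CONCAT.sub("", s)


def convert(s: str) -> str:
    return collapse_concatenation(normalize_quotes(strip_inline_comments(s)))


# Constructed rules, each written against the converted form only.
RULES = [
    ("sql_union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("sql_tautology", re.compile(r"'\s*or\s*'[^']*'\s*=", re.I)),
    ("js_call", re.compile(r"\b(?:alert|eval|prompt|confirm)\s*\(", re.I)),
]


def detect(s: str, convert_first: bool = True) -> List[str]:
    """Names of the rules that fire; convert_first=False matches the raw input."""
    subject = convert(s) if convert_first else s
    return [name for name, rule in RULES if rule.search(subject)]


if __name__ == "__main__":
    samples = [
        "1 UNI/**/ON SEL/**/ECT user,pass FROM users",   # comment-split keywords
        "'ale'+'rt'+'(1)'",                              # concatenated JS name
        '1" OR "1"="1',                                  # double-quoted tautology
        "Select your 'union' membership level",          # benign, must stay quiet
    ]
    for sample in samples:
        print(f"{sample!r:48} raw={detect(sample, False)} converted={detect(sample)}")
```

Every normalisation step here widens what a rule can see, and that is exactly where false positives come from (quote folding turns any quoted prose into something the SQL rules look at), which is why a release that touches the converter needs the false-positive side of the test suite as much as the false-negative side.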

Here’s a list of the major new features:

  • Enhanced concatenation converter
  • Enhanced charcode converter
  • Comment converter and quote normalization
  • A whole bunch of new rules
  • Even more optimized old rules
  • Better documentation and examples
  • A whole CakePHP component package amongst the examples
  • Still no PHP4 support - but PHP4IDS has!

The PHPIDS team hopes you like the new packages and especially thanks Kishor, SirDarckCat, Ronald v.d. Heetkamp and Giorgio Maone for their great support.

PHP4IDS 0.1 released

Wednesday, July 11th, 2007

I’m glad to announce that PHP4IDS 0.1 is released. PHP4IDS is a port of PHPIDS for use with PHP4. The current version is based on PHPIDS 0.2.3 and includes the filter-definition-file from this release.

There are some issues users should be aware of:

  • due to the origin of this port (a larger project) the naming convention had to be changed, so the classes have different names in this version:
    • IDS_Report => IDSReport
    • IDS_Converter => IDSConverter
    • IDS_Event => IDSEvent
    • IDS_Monitor => IDSMonitor
    • IDS_Filter_Storage_Abstract => IDSStorageProvider as baseclass and IDSSimpleStorageProvider as a class providing the same functionality as the IDS_Filter_Storage_Abstract (specify an array of filters in the constructor)
    • IDS_Filter_Storage => IDSXmlStorageProvider providing only xml-storage capabilities
    • IDS_Filter_Abstract => IDSFilter
    • IDS_Filter_Regexp => IDSRegexpFilter
  • also due to the naming convention, all method names are pascal-case (and not camel-case)
  • the logging facility has been dropped
  • the class inheritance structure has been slightly modified in case of the IDSStorageProvider
  • JSON support has been dropped because PHP4 lacks the JSON extension (and I had no use for a JSON-storage)
  • this version requires PHP 4 >= 4.2.0 because the IDSXmlStorageProvider uses the DOM XML extension, which is not bundled with PHP5. Therefore PHP4IDS in its current version (specifically the IDSXmlStorageProvider) cannot be considered PHP5 compatible!

I hope that users will nevertheless find PHP4IDS useful in PHP4-only environments.

With upcoming versions we’ll refactor PHP4IDS so that it incorporates the logging facility and perhaps change the naming convention back to be compatible with current releases of PHPIDS.

The download of version 0.1 is available in the downloads section or via SVN http://php4ids.googlecode.com/svn/trunk/

PHPIDS 0.2.3 released

Thursday, June 28th, 2007

PHPIDS 0.2.3 is out - and brings several important improvements. We worked on the filter rules and added detection for mail header injections, enhanced the nullbyte and control char detection and worked on some of the SQL injection rules.

Compatibility is also enhanced - the PHPIDS now works with libxml versions prior to 2.6.21 - thanks to Greg and Markus Bierau.

Great improvements have been made to the Converter - the PHPIDS is now able to detect charcode even if it is encoded octal or hexadecimal and obfuscated with basic arithmetic operators - thanks to Kishor.

As promised there were no API changes, so there should be no problems updating the PHPIDS. The PHPIDS team hopes you’ll have fun with this release and is currently planning what to implement in 0.2.4 and the next big milestone, 0.3.0 - one major improvement in 0.2.4 will concern the logging facility, which presently is not very user-friendly and pretty ineffective.

PHPIDS 0.2.3 is close

Sunday, June 24th, 2007

We are currently working on PHPIDS 0.2.3, which will be a pure feature release. We mostly optimized the algorithm that detects encoded payloads. The PHPIDS will be able to correctly detect payloads with decimal, octal and hexadecimal encoding - check out the demo links below to preview this feature:

Javascript charcode injection

Octal charcode injection

Hexadecimal charcode injection
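A decoder for the three demo cases above and for the arithmetic obfuscation mentioned in the 0.2.3 and 0.3 release posts, as an added example rather than the PHPIDS converter itself: it resolves String.fromCharCode(...) calls whose arguments are decimal, octal or hex literals, possibly combined with + - * / and parentheses, and also the \xHH, \uHHHH and \OOO string escapes. The arithmetic is evaluated by a small hand-written parser (eval() on attacker-controlled text would be a vulnerability in the detector itself); calls that cannot be decoded, such as a division by zero or a code point out of range, are left untouched. Function names and the parsing approach are this example's, not PHPIDS's.

```python
"""Charcode converter in the spirit of the 0.2.3/0.3 notes: decode
String.fromCharCode(...) with decimal, octal (0141) or hex (0x61) arguments,
possibly obfuscated with + - * / and parentheses, plus \\xHH, \\uHHHH and \\OOO
escapes. Arithmetic goes through a tiny parser, never eval(), because the input
is attacker-controlled. Added example, not PHPIDS code."""
import re

# Call arguments may contain one level of parentheses, e.g. (2*57).
CHARCODE_CALL = re.compile(r"String\.fromCharCode\s*\(((?:[^()]|\([^()]*\))*)\)", re.I)
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\([0-7]{1,3})")
TOKEN = re.compile(r"\s*(0x[0-9a-fA-F]+|\d+|[-+*/()])")

def parse_literal(tok):
    if tok[:2].lower() == "0x":
        return int(tok, 16)
    if len(tok) > 1 and tok[0] == "0" and set(tok) <= set("01234567"):
        return int(tok, 8)  # JavaScript legacy octal: 0141 == 97
    return int(tok, 10)

def tokenize(expr):
    pos, toks = 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {expr[pos:]!r}")
        toks.append(m.group(1))
        pos = m.end()
    return toks

class _Parser:
    """expr = term (('+'|'-') term)*; term = factor (('*'|'/') factor)*;
    factor = number | '(' expr ')' | ('+'|'-') factor."""
    def __init__(self, toks):
        self.toks, self.i = toks, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() in ("+", "-"):
            op, rhs = self.take(), self.term()
            value = value + rhs if op == "+" else value - rhs
        return value

    def term(self):
        value = self.factor()
        while self.peek() in ("*", "/"):
            op, rhs = self.take(), self.factor()
            if op == "/" and rhs == 0:
                raise ValueError("division by zero")
            value = value * rhs if op == "*" else value // rhs
        return value

    def factor(self):
        tok = self.take()
        if tok in ("+", "-"):
            return self.factor() if tok == "+" else -self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok is None or tok in ("*", "/", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        return parse_literal(tok)

def eval_arith(expr):
    parser = _Parser(tokenize(expr.strip()))
    value = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return value

def decode_escapes(s):
    return ESCAPE.sub(lambda m: chr(int(m.group(3), 8)) if m.group(3)
                      else chr(int(m.group(1) or m.group(2), 16)), s)

def decode_charcodes(s):
    def repl(m):
        try:
            codes = [eval_arith(a) for a in m.group(1).split(",") if a.strip()]
            return "".join(chr(c) for c in codes)
        except (ValueError, OverflowError):
            return m.group(0)  # undecodable (1/0, negative code point): keep as-is
    return CHARCODE_CALL.sub(repl, s)

def convert(s, max_rounds=3):
    """Repeat until stable, so an escape-encoded fromCharCode call is caught too."""
    for _ in range(max_rounds):
        decoded = decode_charcodes(decode_escapes(s))
        if decoded == s:
            break
        s = decoded
    return s
```

convert("String.fromCharCode(100-3, 54*2, 0x60+5, (2*57), 0164)") comes back as alert, the same as the plain decimal, octal and hex forms, so one rule written against the decoded text covers all of them. The fixed-point loop matters because the call itself can be escape-encoded; the round limit keeps a pathological input from costing more than a few passes.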

We also optimized the rules again, added detection for mail header injections and the firefoxurl code execution attack, and removed dozens of false alerts. We expect the release to happen around Wednesday - stay tuned!

Trac back again

Wednesday, June 20th, 2007

The last piece of our database disaster is fixed now: our Trac installation is back again. Happy bugreporting!

PHPIDS 0.2.2 released

Sunday, June 17th, 2007

We’re proud to announce the current release of the PHPIDS.

PHPIDS 0.2.2 has many new features and comes with improved detection and better performance. The most important changes are:

  • no usage of iconv/multibyte anymore (better compatibility)
  • automatic String.fromCharcode conversion and detection
  • new and optimized filter rules
  • improved halfwidth/fullwidth encoding detection
  • enhanced UTF7 converter
  • enhanced nullbyte detection
  • big performance increases
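To show what normalisation without iconv/mbstring looks like for the halfwidth/fullwidth, UTF-7 and nullbyte items in that list, here is an added example (not PHPIDS code) that uses only the Python standard library: NFKC folding for the width forms, a per-fragment UTF-7 decode that leaves anything invalid untouched, and a control-character check. The sample inputs are constructed.

```python
"""Encoding normalisation without iconv/mbstring, after the 0.2.2 feature list:
fold halfwidth/fullwidth forms to ASCII, decode UTF-7 shift sequences, and flag
null bytes and other control characters. Added example, not PHPIDS code."""
import re
import unicodedata

UTF7_SEQUENCE = re.compile(r"\+([A-Za-z0-9+/]*)-")  # only explicitly terminated runs
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def fold_width(s: str) -> str:
    """NFKC maps U+FF01..U+FF5E (e.g. ＜ｓｃｒｉｐｔ＞) onto their ASCII counterparts.
    It also folds ligatures and similar compatibility forms, which a detector can live with."""
    return unicodedata.normalize("NFKC", s)


def decode_utf7(s: str) -> str:
    """Decode each '+...-' run on its own; a run that is not valid UTF-7 (such as a
    stray '+b-' in ordinary text) is left exactly as it was."""
    def repl(m):
        try:
            return m.group(0).encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            return m.group(0)
    return UTF7_SEQUENCE.sub(repl, s)


def has_control_chars(s: str) -> bool:
    """Null bytes and friends have no business in a request parameter."""
    return CONTROL_CHARS.search(s) is not None


def normalize(s: str) -> str:
    """Width folding first: a fullwidth '＋' (U+FF0B) would otherwise hide a UTF-7 shift."""
    return decode_utf7(fold_width(s))


if __name__ == "__main__":
    for sample in ("＜ｓｃｒｉｐｔ＞alert(1)＜/ｓｃｒｉｐｔ＞",
                   "+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
                   "file.php\x00.jpg"):
        print(f"{sample!r} -> {normalize(sample)!r} control={has_control_chars(sample)}")
```

Decoding UTF-7 fragment by fragment rather than the whole string is what keeps ordinary text such as 1+1=2 intact, and NFKC is run before the UTF-7 pass because the shift character itself can be delivered in fullwidth form.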

The API hasn’t changed so there shouldn’t be any problems upgrading from 0.2.0 or 0.2.1. If you have further questions don’t hesitate to needle us in the forum.

Database disaster - the whole story

Wednesday, June 13th, 2007

We (we as in schokokeks.org) offered PHPIDS our infrastructure to host their web applications for free on one of our servers. The server the PHPIDS stuff is located on was treated a bit too ignorantly by us, e.g. we did not really ensure a working backup and our database configuration system was horribly broken by me (which crashed the tables). Talking about security on the one hand and making such huge mistakes on the other hand must seem a bit devious to you. And the sad thing is, you are right. I am really sorry for that inconvenience; the issues which broke the setup are fixed now and will never happen again. Fingers crossed.

PHPIDS vs Firefox comment handling bug

Wednesday, June 13th, 2007

Firefox’s handling of comment tags is a fickle business, as has been seen by the recent emergence of a fragmented XSS vulnerability when injection into comments is allowed. Suffice it to say that PHPIDS (and .NETIDS) is already able to detect this attack in several forms. Firstly, any injection of malicious script tags/attributes will be picked up by the IDS, and secondly the filter set is capable of detecting comments that have text between the opening and closing tags: <!so-- there is no luck --evading> our filters like this! Full details of the vulnerability can be found at Switch/Twitch.
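A constructed rule for the fragmented comment shape described above, as an added example and not the PHPIDS filter itself: it flags a <! opener that is followed by text before its --, and a -- that has text glued on before the closing >, while leaving well-formed <!-- ... --> comments alone. The function names are this example's own.

```python
"""Rule for the 'fragmented comment' shape in the Firefox comment handling issue:
text squeezed between the '<!' opener and its '--', or between a closing '--' and
'>'. Added example; the regex is constructed, not the PHPIDS filter."""
import re
from typing import List

FRAGMENTED_COMMENT = re.compile(
    r"<!(?!--)[^>]*--"           # '<!' followed by something other than '--', then a '--'
    r"|(?<!<!)--[^>\s-][^>]*>",  # a '--' (not the opener's) with text glued on before '>'
)


def fragmented_comment_spans(s: str) -> List[str]:
    """The offending fragments, for logging alongside the request."""
    return [m.group(0) for m in FRAGMENTED_COMMENT.finditer(s)]


def looks_like_fragmented_comment(s: str) -> bool:
    return FRAGMENTED_COMMENT.search(s) is not None


if __name__ == "__main__":
    for sample in ("<!so-- there is no luck --evading>",
                   "<!-- a --b>",
                   "<!-- a normal comment -->"):
        print(f"{sample!r}: {fragmented_comment_spans(sample)}")
```

A rule like this catches the probe; the application-side fix is still to never reflect untrusted input inside an HTML comment without encoding it, since the IDS only sees the shapes someone has already thought of.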

We’re back!

Wednesday, June 13th, 2007

After some serious server issues we’re slowly coming back and refilling the page with content. Due to an unrecoverable database crash we lost the data of about 48 hours - not catastrophic but very displeasing.

We are currently working on bringing the forum back - you can already use the downloads page and the demo.

Please excuse the inconvenience,

Regards,
the PHPIDS Team