PHPIDS - get it!

Archive for the ‘.NETIDS’ Category

.NETIDS 0.1.3.0 released

Thursday, August 2nd, 2007

.NETIDS v.0.1.3.0 is now available and features several large changes to how the SecurePage class is used.

  • Version set correctly on assembly (thanks to Albert)
  • Moved scanning by SecurePage into Page_Init (thanks to Albert)
  • Added new properties to SecurePage: PostExclusions, GetExclusions, HeaderExclusions and CookieExclusions. These let you exclude a name from one scanner only; for example, to exclude “host” only from header scanning, use HeaderExclusions. You can still exclude a name from all scanners with Exclusions.
  • The event handler is no longer an abstract member, so you must change your declaration of public override void IDSEventHandler(Report report, SecurePage SecurePage) so that it does NOT override the base method (which no longer exists). Instead, declare public void IDSEventHandler(Report report, SecurePage SecurePage) and wire it up to the SecurePage object's event in Page_Init: OnIDSEvent += IDSEventHandler; This change is handy because it lets you centralize IDS detection by pointing every page at the same handler method, rather than having hard-to-maintain, duplicated methods in each page.
  • ViewStateUserKey is no longer set by SecurePage. The same goes for caching values.
  • Changed style of error output to conform to throw rather than re-writing page.
  • Updated filter rules.
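As an added illustration of the wiring described above (example code written for this page, not part of the .NETIDS release), here is a Web Forms page that sets a header-only exclusion and routes IDS events to one shared handler. The names SecurePage, Report, OnIDSEvent, HeaderExclusions, Page_Init and the handler signature come from these release notes; that HeaderExclusions accepts Add(string), that Report.Tags is a List<string>, and the IdsEvents class itself are assumptions made here.

```csharp
// Added example, not .NETIDS's own code. Assumed from the 0.1.3.0 notes:
// DOTNETIDS.SecurePage, DOTNETIDS.Report, the OnIDSEvent event, the
// HeaderExclusions property and the Page_Init hook. Assumed here only:
// HeaderExclusions.Add(string), Report.Tags as List<string>, class IdsEvents.
using System;
using System.Diagnostics;
using System.Web;
using DOTNETIDS;

public partial class _Default : SecurePage
{
    // 0.1.3.0 moved the request scan into Page_Init, so the exclusions and the
    // event wiring have to be in place here.
    protected void Page_Init(object sender, EventArgs e)
    {
        // Exclude "host" from the header scanner only; GET, POST and cookie
        // values are still scanned in full.
        HeaderExclusions.Add("host");

        // Every page points at the same handler, so detection logic lives once.
        OnIDSEvent += IdsEvents.Handle;
    }
}

// Central handler shared by all SecurePage-derived pages.
public static class IdsEvents
{
    // Signature as given in the 0.1.3.0 release notes.
    public static void Handle(Report report, SecurePage page)
    {
        // Record which filter tags fired, the path and the client address so the
        // event can be correlated with the web server log.
        string tags = string.Join(",", report.Tags.ToArray()); // assumed List<string>
        Trace.TraceWarning("IDS event on {0} from {1}: tags={2}",
            page.Request.Path, page.Request.UserHostAddress, tags);

        // 0.1.3.0 reports by throwing rather than rewriting the page; ending the
        // request with an HttpException hands it to the application's error handling.
        throw new HttpException(403, "Request blocked by .NETIDS");
    }
}
```

Because the handler is a static method, a second page only needs the same two lines in its own Page_Init; nothing about the handler is copied.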

The latest binary is available at http://dotnetids.googlecode.com/files/dotnetids-bin-0_1_3_0.zip

If you have any suggestions for future improvements to .NETIDS please contribute to our own forum area here on php-ids.org.

.NETIDS v0.1.2.0 released

Thursday, July 19th, 2007

The latest update to .NETIDS has made the grade and is now available for public consumption.

This release features many changes including, but not limited, to:

  • Fixed a bug with a null key object in the querystring (thanks to Albert)
  • Many improvements to JavaScript fromCharCode decoding:
    • now supports the complete set of mathematical operations
    • supports decoding from hexadecimal and octal
  • internal changes including quote normalisation
  • Updated filters
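To show what the fromCharCode decoding in this release has to cope with, here is an added example (written for this page, not the decoder shipped in .NETIDS) that rewrites String.fromCharCode(...) calls into the characters they would produce, so that the filter rules can match the decoded text. It accepts decimal, hexadecimal (0x41) and octal (0101) literals and the operators + - * / with parentheses; the grammar, class names and the sample payload are all constructed here.

```csharp
// Added example, not .NETIDS's implementation. Decodes String.fromCharCode(...)
// argument lists written in decimal, hex or octal, with + - * / arithmetic.
using System;
using System.Globalization;
using System.Text;
using System.Text.RegularExpressions;

public static class FromCharCodeDecoder
{
    // Matches String.fromCharCode( ... ), allowing one level of parentheses inside the arguments.
    static readonly Regex CallPattern = new Regex(
        @"String\s*\.\s*fromCharCode\s*\(([^()]*(?:\([^()]*\)[^()]*)*)\)",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Rewrites every decodable call into the characters it would produce. Calls whose
    // arguments cannot be evaluated are left untouched so the raw text is still scanned.
    public static string Decode(string input)
    {
        return CallPattern.Replace(input, m =>
        {
            try
            {
                var sb = new StringBuilder();
                foreach (string arg in m.Groups[1].Value.Split(','))
                {
                    string trimmed = arg.Trim();
                    if (trimmed.Length == 0) continue;
                    long code = new ExprParser(trimmed).Parse();
                    if (code < 0 || code > 0xFFFF) throw new FormatException("not a UTF-16 code unit");
                    sb.Append((char)code);
                }
                return sb.ToString();
            }
            catch (FormatException) { return m.Value; }
            catch (OverflowException) { return m.Value; }
        });
    }

    // Recursive-descent evaluator:
    //   expr   := term (('+' | '-') term)*
    //   term   := factor (('*' | '/') factor)*
    //   factor := number | '(' expr ')' | '-' factor
    sealed class ExprParser
    {
        readonly string s; int pos;
        public ExprParser(string text) { s = text; }

        public long Parse()
        {
            long v = Expr();
            SkipWs();
            if (pos != s.Length) throw new FormatException("trailing input: " + s);
            return v;
        }

        long Expr()
        {
            long v = Term();
            while (true)
            {
                SkipWs();
                if (Peek('+')) { pos++; v += Term(); }
                else if (Peek('-')) { pos++; v -= Term(); }
                else return v;
            }
        }

        long Term()
        {
            long v = Factor();
            while (true)
            {
                SkipWs();
                if (Peek('*')) { pos++; v *= Factor(); }
                else if (Peek('/'))
                {
                    pos++; long d = Factor();
                    if (d == 0) throw new FormatException("division by zero"); // JS would give Infinity
                    v /= d;
                }
                else return v;
            }
        }

        long Factor()
        {
            SkipWs();
            if (Peek('-')) { pos++; return -Factor(); }
            if (Peek('('))
            {
                pos++; long v = Expr(); SkipWs();
                if (!Peek(')')) throw new FormatException("missing ')'");
                pos++; return v;
            }
            return Number();
        }

        long Number()
        {
            int start = pos;
            while (pos < s.Length && char.IsLetterOrDigit(s[pos])) pos++;
            string tok = s.Substring(start, pos - start);
            if (tok.Length == 0) throw new FormatException("number expected at " + start);
            if (tok.StartsWith("0x", StringComparison.OrdinalIgnoreCase))
                return long.Parse(tok.Substring(2), NumberStyles.HexNumber);
            if (tok.Length > 1 && tok[0] == '0')            // JavaScript legacy octal literal
                return Convert.ToInt64(tok, 8);
            return long.Parse(tok, CultureInfo.InvariantCulture);
        }

        bool Peek(char c) { return pos < s.Length && s[pos] == c; }
        void SkipWs() { while (pos < s.Length && char.IsWhiteSpace(s[pos])) pos++; }
    }

    public static void Main()
    {
        // Constructed sample: one argument list mixing decimal, hex, octal and arithmetic.
        string raw = "eval(String.fromCharCode(97,0x6c,0145,114*1,(2*58)+0))";
        Console.WriteLine(Decode(raw));
    }
}
```

The five arguments evaluate to 97, 108, 101, 114 and 116, so the sample is rewritten to eval(alert) before the filter rules run. Leaving undecodable calls in place matters for an IDS: a payload that defeats the decoder should still reach the rules as raw text rather than vanish.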

The latest binary is available at http://dotnetids.googlecode.com/files/dotnetids-bin-0_1_2_0.zip

If you have any suggestions for future improvements to .NETIDS please contribute to our own forum area here on php-ids.org.

IDS-Test-Suite is Available!

Tuesday, July 17th, 2007

A GreaseMonkey script that lets you test your IDS installation against the latest attack vectors is available here.

The script was written with the following goals in mind:

  • To perform regression tests on the IDS (During development phase).
  • To perform false positive/negative tests.
  • To let IDS users verify that they are safe against the latest attack vectors and are using the latest rule sets.

The script is simple to use:

  • Load the PHPIDS test URL (on your server) in the browser
  • Go to ‘User Script Commands’ option under GreaseMonkey status bar icon and click ‘Run IDS Test’
  • Choose to run either one or all 3 default attack vector files by clicking OK/CANCEL.
  • Choose whether you want to test IDS with POST requests
  • Choose whether you want to test the IDS for false positives or false negatives.
  • After the test completes, the results can be viewed in the Error Console window.

Notes:

  • If an attack request returns a response code other than 200, the script reports it in the Error Console.
  • The script injects a parameter named ‘test’ in GET and POST requests.

.NETIDS v.0.1.1.0 released

Tuesday, June 26th, 2007

Just a quick note to announce the release of .NETIDS v.0.1.1.0 - a small update that adds some valuable features:

  • Fixed a bug with an empty Report.Tags object
  • Added options to SecurePage to disable each type of scanning
  • Updated filters

Most significantly this means that you can control whether page Output Scanning is performed from a SecurePage derived page. For those who are unaware, SecurePage is the simplest inbuilt way of scanning a page in .NETIDS. Simply inherit your page from SecurePage:

public partial class _Default : DOTNETIDS.SecurePage {

and add the method

public override void IDSEventHandler(DOTNETIDS.Report report, DOTNETIDS.SecurePage SecurePage)

This will ensure that your page is scanned in a secure-by-default fashion and also gives the option to disable each type of scan and add exclusions.

The latest package is available at the dotnetids homepage: http://code.google.com/p/dotnetids/

.NETIDS 0.1.0.0 released

Tuesday, June 19th, 2007

After much testing/tweaking the first release of .NETIDS is upon us!

Featured in this release:

  • automatic String.fromCharCode conversion and detection
  • new and optimized filter rules
  • improved halfwidth/fullwidth encoding detection
  • enhanced UTF7 converter
  • enhanced nullbyte detection
  • page output/fragmented XSS scanning
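Two of the features listed above, halfwidth/fullwidth detection and null byte detection, come down to normalising the input before the rules see it. The following is an added example written for this page (not the converter in .NETIDS) showing the kind of folding involved: fullwidth ASCII variants are mapped back to their halfwidth forms and embedded NUL characters are dropped. The class name and the sample string are constructed here.

```csharp
// Added example, not .NETIDS's own converter: folds fullwidth ASCII (U+FF01..U+FF5E)
// onto halfwidth ASCII and removes embedded null bytes before rule matching.
using System;
using System.Text;

public static class InputNormaliser
{
    public static string Normalise(string input)
    {
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            if (c == '\0') continue;                                  // NUL never belongs in a parameter
            if (c >= '\uFF01' && c <= '\uFF5E') sb.Append((char)(c - 0xFEE0)); // fullwidth -> ASCII
            else if (c == '\u3000') sb.Append(' ');                   // ideographic space -> space
            else sb.Append(c);
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample: a fullwidth script tag with a null byte spliced into the tag name.
        string raw = "＜ｓｃ\0ｒｉｐｔ＞";
        Console.WriteLine(Normalise(raw));
    }
}
```

The fullwidth block is a fixed offset (0xFEE0) from printable ASCII, which is why a single subtraction suffices. The BCL's String.Normalize(NormalizationForm.FormKC) performs the same fullwidth folding (along with other compatibility mappings), but it does not remove null bytes, so a dedicated pass is still needed.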

Project home: .NETIDS

Binary: http://dotnetids.googlecode.com/files/dotnetids-src-0_1_0_0.zip
Source: http://dotnetids.googlecode.com/files/dotnetids-bin-0_1_0_0.zip
Documentation: http://www.the-mice.co.uk/dotnetids/docs/
Forum: http://forum.php-ids.org/?CategoryID=9

Many thanks to all who made this possible!

.NETIDS can detect fragmented XSS

Friday, June 15th, 2007

Just a quick note to say that some additional functionality has been bundled in before the (impending) release of .NETIDS 0.1: page output detection. This adds an entirely new dimension to the detection of threats as now both input and output can be monitored for unexpected malicious strings.

The whole thing is explained in more detail here, but in the meantime check out these SmokeTests:

Test1

Test2

As always please let us know if you manage to either bypass detection or trigger a false positive!

PHPIDS vs Firefox comment handling bug

Wednesday, June 13th, 2007

Firefox’s handling of comment tags is a fickle business, as has been seen by the recent emergence of a fragmented XSS vulnerability when injection into comments is allowed. Suffice it to say that PHPIDS (and .NETIDS) is already able to detect this attack in several forms. Firstly, any injection of malicious script tags/attributes will be picked up by the IDS, and secondly the filter set is capable of detecting comments that have text between the opening and closing tags: <!so– there is no luck –evading> our filters like this! Full details of the vulnerability can be found at Switch/Twitch.