PHPIDS - get it!

PHPIDS talk at OWASP AppSec Europe 2008

April 21st, 2008 by .mario

This weekend I got feedback from the OWASP Crew from Belgium. The talk revolving around the PHPIDS Whitepaper was accepted and found a slot in the timeline of the OWASP AppSec Europe 2008.

Don’t miss this event if you want to meet team members of the PHPIDS in person as well as outstanding security experts like pdp, Ivan Ristic, Martin Johns and many others.

OWASP Europe Conference 2008

The talk will run from 14:40 to 15:20 in the second track on the 21st of May 2008. Main topics are the PHPIDS, how it works, what the major benefits and possible drawbacks are and of course how the black-majickish Centrifuge works and how other tools can utilize its logic. We will publish the presentation and, if available, a video of the talk for all who unfortunately can’t participate.

WPIDS version 0.1.2 released

February 21st, 2008 by philipp

We are pleased to announce the long overdue new WPIDS release. This package is supposed to be a bug-fix release, since several problems were reported and have been wiped out. Here’s a small list of the most important issues:

  • In previous versions XML-RPC was blocked completely, now you have an option to enable/disable it
  • The search now works for non-English chars. Before the fix all non-English characters were dropped
  • A bug within the logging facility caused all logged entries to be stored with a lower impact than intended

Of course this version ships with the latest PHPIDS version, which is currently 0.4.7. Anyway, there’s still lots of work to do. For example the login page is displayed with some error/warning message. Also it turned out not to be very wise to check on the HTTP_REFERER since it throws too many false alerts.

Since the mentioned problems affect neither your site’s security nor its workflow, they will remain until the next bigger release. The next release is planned to be Version 0.2 of WPIDS, which will be completely rewritten. Some features of Lockdown - the embedded sister project - will be kept and will be managed as opt-out. Furthermore Version 0.2 will come with more granular maintenance and configuration options.

The download is available as Full Package, or you can get it from the SVN.

PHPIDS 0.4.7 “Roberta” waiting to be downloaded

February 20th, 2008 by .mario

We are glad to announce the freshest release of the PHPIDS. As you might have expected we did a lot of work optimizing the converter and the centrifuge again. Also the rules were improved slightly to catch several sophisticated SQL Injection vectors Johannes Dahse submitted. Again we have to thank David Lindsay, Gareth Heyes and others for their great work. The system wouldn’t even be half as good without their contributions and intense testing.

The PHPIDS now performs way better when dealing with UTF7 XSS and especially data URIs with mixed encoding. Gareth and his outstanding Hackvertor managed to create some weird but sophisticated examples of how data URIs can be obfuscated to the max. Don’t forget to check out his amazing tool.

The PHPIDS now also ‘speaks’ Base64 - so no vector obfuscation with this encoding anymore, bad guys! The count of false alerts has decreased amazingly with the new rules, so if an incoming string was detected as suspicious by the PHPIDS you can be almost 99% sure that it was an intrusion attempt.
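To show what ‘speaking’ Base64 means for a rule-based detector, here is an added example of a normalisation step that decodes Base64-looking chunks of an input string and appends the plaintext so the rules see both forms. This is illustrative code written for this page, not the PHPIDS converter itself; the rule set, the chunk regex and the minimum chunk length of 16 are assumptions chosen to keep ordinary words from being mistaken for encoded payload.

```php
<?php
// Added example, not PHPIDS code: Base64 normalisation in front of a rule match.

// Assumed minimal rule set; the real PHPIDS rules are far more extensive.
$rules = [
    'xss_tag'     => '/<script|<img|onerror=|onload=/i',
    'sql_comment' => '/(\'|")\s*(or|and)\s+[\w\'"]+\s*=|--\s*$/i',
];

/**
 * Decode every chunk that looks like Base64 and append the decoded text to
 * the input. Chunks that do not decode cleanly to printable text are ignored,
 * so a long plain word such as "internationalization" is left alone.
 */
function normalize_base64(string $input, int $minLen = 16): string
{
    $out = $input;
    // Constructed pattern: runs of Base64 alphabet characters with optional padding.
    $re = '#[A-Za-z0-9+/]{' . $minLen . ',}={0,2}#';
    if (preg_match_all($re, $input, $m)) {
        foreach ($m[0] as $chunk) {
            $decoded = base64_decode($chunk, true); // strict: reject foreign chars
            if ($decoded === false) {
                continue;
            }
            // Only keep plausible text; binary garbage would just add noise.
            if (preg_match('/^[\x20-\x7e\t\r\n]+$/', $decoded)) {
                $out .= ' ' . $decoded;
            }
        }
    }
    return $out;
}

/** Return the names of all rules matching the normalised input. */
function match_rules(string $input, array $rules): array
{
    $hits = [];
    $normalized = normalize_base64($input);
    foreach ($rules as $name => $re) {
        if (preg_match($re, $normalized)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed inputs: a harmless comment, and the same kind of vector the
// rules already catch in plain form, but Base64 encoded by the sender.
$samples = [
    'plain'   => 'thanks for the release, works like a charm',
    'encoded' => 'data:text/html;base64,' . base64_encode('<script>alert(1)</script>'),
];

foreach ($samples as $label => $value) {
    $hits = match_rules($value, $rules);
    printf("%-8s -> %s\n", $label, $hits ? implode(', ', $hits) : 'no match');
}
// Expected: "plain" gives no match, "encoded" is flagged by xss_tag because the
// decoded <script> tag is appended before the rules run.
```

The point of the printable-text check is false-alert control: decoding everything that merely looks like Base64 would hand the rules a stream of random bytes, and a detector that ‘speaks’ an encoding is only useful if it stays quiet on legitimate traffic.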

We’d also like to thank the community from our forum for the help on optimizing the system and adding improvements here and there. Be sure to grab the latest packages here - again no API changes by the way so patching will work without any problems.

PHPIDS white-paper published

February 17th, 2008 by .mario

Today we finished the PHPIDS white-paper which was created in reaction to the CFP for OWASP Europe Conference 2008 in Belgium.

The paper includes general project information, installation tips and detailed insights into the attack detection workflow. Also the paper features an explanation of the PHPIDS Centrifuge as well as some best practices on how to work with the impact and a discussion of server performance issues.

Comments on the document are highly appreciated - so feel free to contact us if questions pop up. We hope this paper sheds some light on the black majick of the attack detection mechanisms the PHPIDS features which separate it from comparable monitoring solutions.

You can find the paper here.

Edit 2008-04-30:

Here’s the most recent version - great thanks to David Lindsay for helping out with proof reading and wording issues.

PHPIDS 0.4.6 - attack of the vector mangle

January 29th, 2008 by .mario

Only half a month after the last release we present the new PHPIDS 0.4.6. This time we did lots of optimizations on the generic attack detection and the PHPIDS Centrifuge. There is a pretty new way to detect vectors which are not caught by the rules and as far as we heard we returned some of the headaches our testers gave to us before - thanks again to David Lindsay, Gareth Heyes and Johannes Dahse for their great work.

The rules were optimized as usual and again - they haven’t grown but become even smaller for better performance. Altogether the rules decreased their size by 937 bytes. The converter was optimized too and many smaller bugs were fixed.

You can find the fresh packages here as usual. Again - no API changes so updating should work like a charm.

Also we have continued working on our sister project - the CSRFx. Now this system is even more capable of dealing with invalid markup it has to protect, as well as with AJAX requests. Also JSON-wrapped markup can now be secured with the token cloud of the CSRFx, so maybe you’d like to check out the sources and give it a try.

We appreciate your feedback and if you happen to have any problems during installation or usage feel free to ask us in our forum.

PHPIDS 0.4.5 is ready to use

January 15th, 2008 by .mario

After the pretty successful Christmas release we now present PHPIDS 0.4.5. It brings a lot of enhancements in vector detection. We worked over the rules and especially the converter and, due to the great help of David, Gareth, Johannes and tx, many bugs were found and fixed. The exploits and filter circumventions they found were awesome as usual and surprised our team a lot. JavaScript is a hell of a language - and so is SQL…

We also did some improvements to the PHPIDS Centrifuge. We now have - supporting the main Centrifuge core - an additional layer to detect attacks based on character ratio. Take a peek at the code if you wish to know more details.

The API hasn’t changed in this release so patching is definitely no problem as usual. We hope you like the new release and grab your package here! Also we heard some bird twitter about a new WPIDS release sometime this week - stay tuned!

Security-Santa just delivered PHPIDS 0.4.4

December 20th, 2007 by .mario

Just in time before the holidays we are proud to release PHPIDS 0.4.4. After several weeks of testing by the group we populated the new release with small but important features and optimizations. We added support for detection and translation of JavaScript Unicode - undetected vectors like \0061ert(1) Gareth Heyes discovered now belong to the past. Also we optimized the rules to catch the latest concatenation and code injection vectors crafted by thornmaker and tx.

The centrifuge was optimized a little bit more and here and there we heard about vectors that were exclusively detected by this mechanism - so yes, the concept works. Furthermore we discovered several minor bottlenecks when dealing with very large incoming strings, which of course were removed too for better scalability and performance.

We also increased the code quality - the PHPIDS is now completely coded in PEAR valid PHP constantly monitored by the PEAR package PHP_CodeSniffer. The test coverage is higher than 95% and we also tweaked the generated documentation for better understanding.

We hope as usual that you like the new release as much as we do and wish you a very happy and relaxing holiday. See you next year!

WPIDS Version 0.1 released

November 22nd, 2007 by philipp

I’m proud to announce that WPIDS v0.1 is now officially available - please don’t feel confused by the version jump from 1.x down to 0.1 - you’re grabbing the freshest sources with this release.

It took some time since the last public release, but we added a lot of useful things. For example the parameters flowing into the back end are no longer monitored, so your website stays operable. Furthermore we added some really nice checks against known intrusion attempts against WordPress. PHPIDS 0.4.3 has been integrated directly after its release too. An even newer version is already on the way which will use HTMLPurifier to take care of the comments and the content field.

So don’t wait and get your copy of WPIDS - you can download it here.

At last I want to thank Gareth and Mario for their valuable input for this project.

PHPIDS 0.4.3 is out of the cage

November 20th, 2007 by .mario

Today we proudly release PHPIDS 0.4.3. This time we invested all spare time we had the last weeks on enhancing the converter and the rules. That means way better intrusion detection and even fewer false alerts than with the last release.

Thanks to the great help from Johannes Dahse we managed to tweak the rules to catch way more SQL Injections - especially the super short ones for authentication bypass and information disclosure. And - we didn’t believe it ourselves - SirDarckCat and Gareth Heyes even found some new XSS vectors slipping through the rules. We also optimized the converter against several evil Unicode characters and other possibilities to obfuscate payload.

Furthermore we did some more testing and optimization on the PHPIDS centrifuge. After several weeks of high-traffic beta testing we agreed to remove the ‘beta’ label from this module too. Be sure to grab the files from here as soon as possible :)

The coming releases will head straight towards 0.5 - the usability and scalability release. We hope you are looking forward for this one as much as we do - and enjoy PHPIDS 0.4.3.

CSRFx - the youngest PHPIDS family member

November 19th, 2007 by .mario

We recently created a Google source code repository for CSRFx and a CSRFx Google group. This tool provides - besides a name which can’t be pronounced by human tongue - a possibility to protect existing PHP5-based web applications against CSRF attacks.

The tool gives the developer the chance to define request patterns which should be protected against CSRF. Also there’s the possibility to define request patterns which shouldn’t be protected to cover ranges like example.com/admin/whatever.

The implementation process is pretty easy. You just have to create a configuration file for your application (an example file for CakePHP is bundled, more will follow soon), define the request patterns, create the necessary database table, include the files First.php and Last.php via auto_prepend_file/auto_append_file and that’s it. You can of course also use your index.php for inclusion if that’s possible. We are already testing the tool on several live applications - so we can guarantee pretty good stability already.
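The prepend/append integration described above is easy to picture with a stripped-down stand-in. The following is an added example written for this page and is not CSRFx’s own code: it keeps the token in the PHP session instead of the database table CSRFx uses, the protect/unprotect pattern syntax (PCRE) and the field name `__csrf_token` are assumptions, and it assumes PHP 7 or newer for `random_bytes()`. The ‘First’ half validates incoming state-changing requests against the patterns; the ‘Last’ half rewrites the buffered output so every POST form carries the token.

```php
<?php
// Added example, not CSRFx code: a minimal First.php/Last.php style CSRF guard.

$csrfConfig = [
    // Assumed config layout: request paths that must carry a valid token.
    'protect'   => ['#^/account/#', '#^/comments/post$#'],
    // Paths that are never protected, even if a protect pattern also matches
    // (the page's example.com/admin/whatever case).
    'unprotect' => ['#^/admin/#'],
    'field'     => '__csrf_token',
];

/** Decide whether a request path falls under CSRF protection. */
function csrf_is_protected(string $path, array $config): bool
{
    foreach ($config['unprotect'] as $re) {
        if (preg_match($re, $path)) {
            return false; // exclusions win over protect patterns
        }
    }
    foreach ($config['protect'] as $re) {
        if (preg_match($re, $path)) {
            return true;
        }
    }
    return false;
}

/** Per-session token, created on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** "First.php" role: run before the application via auto_prepend_file. */
function csrf_check_request(array $config): void
{
    $path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    $method = strtoupper($_SERVER['REQUEST_METHOD'] ?? 'GET');
    // Only state-changing requests on protected patterns are checked.
    if ($method === 'GET' || $method === 'HEAD' || !csrf_is_protected($path, $config)) {
        return;
    }
    $sent = $_POST[$config['field']] ?? '';
    // hash_equals() keeps the comparison constant-time.
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
}

/** "Last.php" role: inject the hidden token field into every POST form. */
function csrf_inject_token(string $html, array $config): string
{
    $hidden = '<input type="hidden" name="' . $config['field'] . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
    $formRe = '#(<form\b[^>]*\bmethod=["\']?post["\']?[^>]*>)#i';
    return preg_replace($formRe, '$1' . $hidden, $html);
}

// Wiring: validate first, then buffer the response so forms can be rewritten.
session_start();
csrf_check_request($csrfConfig);
ob_start(function (string $html) use ($csrfConfig): string {
    return csrf_inject_token($html, $csrfConfig);
});
```

Two things to check before relying on a guard like this in practice: the unprotect list must be as narrow as possible, because every excluded path is a state-changing endpoint an attacker can drive without a token, and AJAX or JSON requests need the token delivered some other way (a header or a JSON field), which is exactly the gap the CSRFx token cloud mentioned in the 0.4.6 post is meant to cover.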

If you’d like to play with it just grab the sources. Comments, Questions and contributions are heavily appreciated as usual. Have fun!