Global Implementation of PHPIDS


Philipp

Oct 16, 2007, 10:26:04 AM
to PHPIDS » Web Application Security 2.0
As I just posted within the trac of PHPIDS, I plan to create some
application around PHPIDS which makes it possible to use PHPIDS within any
PHP file, through some php.ini addition or, if possible, .htaccess.
This would make things easier, as you don't need to use dozens of ports
of PHPIDS to protect your complete PHP website (for the case that you run
different PHP software within it). This port shall include logging, email
alerts and statistics (and many more). Additionally, I would suggest
creating maybe some commercial brand for it (maybe free for personal
usage, fee for companies).
Now to the point where I am currently stuck: the naming. I thought about
something like LdIDS, which stands for Lockdown&PHPIDS; the Ld
represents some default checks for bad vectors and/or some self-defined
filter lists and such features for more experienced users.
The other name I got is AllIDS; the "All" shall show that it
protects your complete PHP-based website.

Please tell me your suggestions and opinion about it.

Sincerely,
Philipp

Mario Heiderich

Oct 18, 2007, 4:10:48 AM
to php...@googlegroups.com
Hi Philipp!

I like the idea pretty much, although I think there's a lot to discuss on how we could build such a tool properly and what requirements really exist. I am currently thinking about an option to create a kind of wrapper that carries the PHPIDS as a plugin/component amongst others - like the coming CSRF protection tool, an effective and configurable sanitizer, the HTMLPurifier, analytical and statistic tools etc.

So we could walk towards a full stack security application suite where developers can choose easily what components should be loaded for their application(s) and how they should be configured. The first thing for such an application would be to think about: What should the tool do?

Suggestions?
Greetings,
.mario

2007/10/16, Philipp <phi...@phsoftware.de>:



--
_______________________
php-ids.org

Philipp

Oct 19, 2007, 11:01:25 AM
to PHPIDS » Web Application Security 2.0
Well, I didn't get the idea about usage for developers; I thought of it
more for some website owner who wants to protect their website against
some threats. It would maybe even lead into the wrong lane, as they
would maybe stop trying to write secure code as the application would
do it for them...
Currently I would say that we have some general settings, which are
applied everywhere. And then you're able to set some special behaviours
for different areas of your website/given parameters. Let's say that
you maybe don't want to allow a user to post some arbitrary code (only
safe code): you could add to your "filterrules" a rule that
HTMLPurifier is used upon the given parameter...
In general the plan is to increase your security by allowing only
secure alphanumeric text to enter your PHP stage. But then you should
be able to modify this behaviour to your needs, so that given parameters are
allowed to hold other values as well (HTML code), or some given areas
aren't checked at all, and such things. So let's take an example: if
you run a blog, it would only let in anything which is an alphanum text
only. But that wouldn't be usable at all, so we would disable the
checking in the backend and allow for the comments parameter some given
HTML tags. So we could add much security to it, as everything higher
than allowed would be dropped.
And it shall offer some tracking of intrusion (tries), so if you don't
like the features above at all, let your blog only be watched and get
informed if anything strange was done; maybe even some given part is
shut down, to prevent your users from harm... So if some XSS was
detected, the search function request could be blocked as long as you
checked the problem.
That's really vague, as my starting thought was only about offering a
global PHP port for PHPIDS, which would already track most of the
intrusion tries, and upon these results we can do already many things.
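
The per-parameter policy described in the post above (alphanumeric by default, an HTML exception for the comment parameter, the backend left unchecked), sketched as an added example that is not code from this thread or from PHPIDS. The names `POLICY` and `check_request` and the sample paths are hypothetical, `strip_tags` only stands in for HTMLPurifier, and the file is assumed to be loaded globally through the `auto_prepend_file` setting in php.ini.

```php
<?php
// Added illustration, not PHPIDS code; POLICY and check_request are hypothetical names.
// In a global setup this would be fed the request path and $_GET/$_POST from a prepend file.
const POLICY = [
    'unchecked_areas' => ['/admin/'],  // path prefixes that are not checked (the "backend")
    'html_params'     => ['comment' => '<b><i><em><strong><p><br>'],  // param => allowed tags
];

function check_request(string $path, array $params, array $policy): array
{
    foreach ($policy['unchecked_areas'] as $prefix) {
        if (strncmp($path, $prefix, strlen($prefix)) === 0) {
            return ['clean' => $params, 'violations' => []];
        }
    }
    $clean = $violations = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            $violations[] = $name;  // array parameters (a[]=x) are dropped in this sketch
        } elseif (isset($policy['html_params'][$name])) {
            // Stand-in for HTMLPurifier: strip_tags keeps attributes on allowed tags,
            // so it is NOT a sufficient HTML sanitizer on its own.
            $clean[$name] = strip_tags($value, $policy['html_params'][$name]);
        } elseif (preg_match('/\A[A-Za-z0-9 ]*\z/', $value) === 1) {
            $clean[$name] = $value;  // default rule: letters, digits and spaces only
        } else {
            $violations[] = $name;  // everything beyond the allowed set is dropped
        }
    }
    return ['clean' => $clean, 'violations' => $violations];
}

// Constructed sample request, for illustration only.
$result = check_request('/blog/post.php', [
    'q'       => 'hello world',
    'comment' => '<b>nice</b><script>alert(1)</script>',
    'id'      => "1' OR '1'='1",
], POLICY);
foreach ($result['violations'] as $name) {
    // json_encode keeps attacker-chosen parameter names from injecting log lines
    error_log('policy violation in parameter ' . json_encode($name));
}
print_r($result);
```

The prefix match assumes an already normalized path; the recorded violations are what the tracking and alerting mentioned in the post would consume.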
