Generic Attack Detection - ph-Neutral 0x7d8

Mario Heiderich (Security Research / Penetration Testing)

Generic Attack Detection
Avoiding blacklisting traps with the PHPIDS

A presentation by Mario Heiderich
For ph-neutral 0x7d8
Who?

Mario Heiderich
- CSO for ormigo.com in Cologne, Germany
- Lead developer / co-founder PHPIDS
- Has browsed a lot of sites
What?

- Attack detection for webapps
- Type and weight analysis
- The PHPIDS and some of its whereabouts
- Generic attack detection vs. plain blacklisting
Current Situation

- Webapps grow in numbers and complexity
- User generated input of all possible kinds
- Securing new apps is hard
- Securing existing apps is even harder
- Difficult to manage the split between usability and security
Approaches to deal with Webappsec

- Total ignorance (yep – that sumtimes happens...)
- Drastic filtering, escaping or senseless validation, right Mr. O'Malley?
- Backup & Restore (for real!!1)
- WAFs and IDSes
- Training and Consulting
- Spending a lot of money for useless stuff
The open source „market“

- mod_security, JWall, HTMLPurifier, Anti-Samy and others
- Either very specialized...
- ...or entirely based on blacklisting
- Sometimes generating vulnerabilities themselves
- And sometimes crippling user's input
Our approach

- Say yes to blacklisting!
- Use it to detect, categorize and weight
- User input won't be touched
- Total freedom of choice for the developer
- and... generic attack detection
Let's have a look

One of the 70 regex rules to detect XSS, SQLi, RCE and many other attack patterns (the backslashes of the character classes were lost in extraction and are restored here):

  <filter>
      <rule><![CDATA[(?:^>[\w\s]*</?\w{2,}>)]]></rule>
      <description>finds unquoted attribute breaking in...</description>
      <tags>
           <tag>xss</tag>
           <tag>csrf</tag>
      </tags>
      <impact>2</impact>
  </filter>
Step by step

- User generated input coming in
- First test to check if the whole detection process is necessary
- Conversion process
- Detection process
- Reporting and optional logging
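The three slides above (say yes to blacklisting, the rule format, the step-by-step pipeline) fit into a few dozen lines once the rule file is parsed. The following is an added example and not PHPIDS code: it reads rules in the XML shape shown on the "Let's have a look" slide (the first rule is the one from the slide, the second is constructed for this example), applies a cheap pre-check of my own so harmless values skip the regex run, and then detects, categorizes (tags) and weights (impact) every request parameter. The request array is constructed.

```php
<?php
// Added example (not PHPIDS code): the "detect, categorize and weight"
// pipeline from the slides in miniature. Rule 1 is the one from the slide,
// rule 2 is constructed for this example.

$filterXml = <<<'XML'
<filters>
  <filter>
    <rule><![CDATA[(?:^>[\w\s]*</?\w{2,}>)]]></rule>
    <description>finds unquoted attribute breaking in...</description>
    <tags><tag>xss</tag><tag>csrf</tag></tags>
    <impact>2</impact>
  </filter>
  <filter>
    <rule><![CDATA[(?:<script[^>]*>)]]></rule>
    <description>constructed for this example: opening script tag</description>
    <tags><tag>xss</tag></tags>
    <impact>4</impact>
  </filter>
</filters>
XML;

// Parse the rule file into plain arrays: pattern, description, tags, impact.
function loadRules(string $xml): array
{
    $rules = [];
    foreach (simplexml_load_string($xml)->filter as $filter) {
        $tags = [];
        foreach ($filter->tags->tag as $tag) {
            $tags[] = (string) $tag;
        }
        $rules[] = [
            'rule'        => (string) $filter->rule,
            'description' => (string) $filter->description,
            'tags'        => $tags,
            'impact'      => (int) $filter->impact,
        ];
    }
    return $rules;
}

// "First test" of the slide: values made only of word characters, whitespace
// and a little punctuation can never match a rule of this set, so the regex
// run is skipped for them (own simplified check, not the PHPIDS one).
function needsScan(string $value): bool
{
    return preg_match('/^[\w\s.,@!?-]*$/', $value) !== 1;
}

// Detection and reporting: run every rule over every parameter, add up the
// impact of the rules that fired and collect their tags.
function scanRequest(array $params, array $rules): array
{
    $report = ['impact' => 0, 'tags' => [], 'events' => []];
    foreach ($params as $name => $value) {
        if (!is_string($value) || !needsScan($value)) {
            continue;
        }
        foreach ($rules as $rule) {
            // '#' as delimiter because the slide's rule contains a '/'.
            if (preg_match('#' . $rule['rule'] . '#ims', $value) === 1) {
                $report['impact'] += $rule['impact'];
                $report['tags'] = array_values(array_unique(array_merge($report['tags'], $rule['tags'])));
                $report['events'][] = [
                    'param'       => $name,
                    'description' => $rule['description'],
                    'impact'      => $rule['impact'],
                ];
            }
        }
    }
    return $report;
}

// Constructed request: one harmless field, one that breaks out of an
// unquoted attribute, one that injects a script tag.
$params = [
    'q'    => 'hello world',
    'bio'  => '> <em>hi</em>',
    'name' => '<script>alert(1)</script>',
];
$report = scanRequest($params, loadRules($filterXml));
printf("impact=%d tags=%s events=%d\n",
    $report['impact'], implode(',', $report['tags']), count($report['events']));
```

The harmless `q` value never reaches the regex loop, the other two fields each fire one rule, and the report carries the summed impact and the union of the tags. This is the point of the "say yes to blacklisting" slide: the rules produce evidence and a weight, and the application decides what to do with them; the input itself is never modified.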
Btw converting...

- The converter is capable of normalizing the user's input from several formats
- JS Oct, Hex, Unicode and Charcode
- UTF7-Shmootf7 (no idea why this still is an issue)
- Loads of entities - be they hex, dec, named or others
- SQL-, obfuscation- and concatenation patterns...
- Evil chars, nullbytes, RTL/LTR chars
- Comments, special numeric formats etc. etc. ...
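Why the conversion step matters: one rule written for the decoded form only helps if every encoding of the same payload is folded into that form first. The following is an added example and not the PHPIDS converter; it handles a subset of the list above (JS hex, unicode and octal escapes, `String.fromCharCode(...)`, HTML entities with or without semicolon, null bytes, bidi control characters, block comments) and then runs the slide's rule before and after normalization. The inputs are constructed; the `cpToUtf8` helper and the five-round limit are choices made for this example.

```php
<?php
// Added example, not the PHPIDS converter: a small normalizer for some of the
// encodings the slide lists, so that a single rule written for the decoded
// form also catches the encoded variants.

// Code point to UTF-8, using the entity decoder that ships with PHP.
function cpToUtf8(int $cp): string
{
    return $cp === 0 ? '' : html_entity_decode('&#' . $cp . ';', ENT_QUOTES, 'UTF-8');
}

function normalize(string $value): string
{
    $rounds = 0;
    do {
        $before = $value;
        // JS string escapes: \xHH, \uHHHH and octal \NNN.
        $value = preg_replace_callback(
            '/\\\\(?:x([0-9a-f]{2})|u([0-9a-f]{4})|([0-7]{1,3}))/i',
            function (array $m): string {
                if ($m[1] !== '') {
                    return cpToUtf8(hexdec($m[1]));
                }
                if (!empty($m[2])) {
                    return cpToUtf8(hexdec($m[2]));
                }
                return cpToUtf8(octdec($m[3]));
            },
            $value
        );
        // String.fromCharCode(60, 101, ...) written out as the characters it builds.
        $value = preg_replace_callback(
            '/String\.fromCharCode\s*\(([\d\s,]+)\)/i',
            function (array $m): string {
                $chars = array_map(function ($n) { return cpToUtf8((int) trim($n)); }, explode(',', $m[1]));
                return implode('', $chars);
            },
            $value
        );
        // HTML entities: add the semicolon browsers forgive (possessive
        // quantifiers so "&#60;" is left alone), then decode named, decimal
        // and hex forms.
        $value = preg_replace('/&#(x[0-9a-f]++|\d++)(?!;)/i', '&#$1;', $value);
        $value = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    } while ($value !== $before && ++$rounds < 5); // repeat for nested encodings

    // Null bytes and Unicode bidi controls (U+200E/F, U+202A-202E) mean
    // nothing to a parser but defeat naive pattern matching.
    $value = str_replace(["\0", "\xE2\x80\x8E", "\xE2\x80\x8F", "\xE2\x80\xAA",
                          "\xE2\x80\xAB", "\xE2\x80\xAC", "\xE2\x80\xAD", "\xE2\x80\xAE"], '', $value);
    // Block comments used to split keywords.
    return preg_replace('#/\*.*?\*/#s', '', $value);
}

// The rule from the "Let's have a look" slide, run before and after normalization.
function ruleHits(string $raw): array
{
    $rule = '#(?:^>[\w\s]*</?\w{2,}>)#ims';
    return [
        'raw'        => preg_match($rule, $raw) === 1,
        'normalized' => preg_match($rule, normalize($raw)) === 1,
    ];
}

// Constructed inputs: the same attribute-breaking payload in three encodings.
foreach (['&#62; &#60em&#62;hi', '\x3e \u003cem\x3ehi', '> String.fromCharCode(60,101,109,62)hi'] as $sample) {
    $hits = ruleHits($sample);
    printf("%-45s raw:%d normalized:%d\n", $sample, $hits['raw'], $hits['normalized']);
}
```

Each sample misses the rule in its raw form and hits it after normalization, which is exactly the gap a converter closes. Two design points carry over to any such component: decode in a loop until the value stops changing (attackers nest encodings), and decode greedily the way the consumer (browser, SQL parser) does, since a normalizer that is stricter than the consumer is a normalizer that can be bypassed.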
Easy implementation

(The integration code shown on this slide was an image and is not part of the transcript.)

Not so hard, isn't it?
The „doing something smart“ part might be, though...
and no – replacing the comment with echo $result; or a redirect is not the cleverest way...
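What the "doing something smart" part can look like, as an added example (not the code from the slide): always log the result object, and escalate only by impact. The class and method names (`IDS_Init::init`, `IDS_Monitor`, `run()`, `isEmpty()`, `getImpact()`, `IDS_Log_Composite`, `IDS_Log_File::getInstance`) are the PHPIDS 0.x API as I remember it from its bundled example; check them against the release you install. All paths and the threshold of 20 are placeholders chosen for this example.

```php
<?php
// Added example: wiring PHPIDS into a request handler. API names assumed
// from the PHPIDS 0.x bundled example; paths and threshold are placeholders.

set_include_path(get_include_path() . PATH_SEPARATOR . '/path/to/phpids/lib');
require_once 'IDS/Init.php';
require_once 'IDS/Log/File.php';
require_once 'IDS/Log/Composite.php';

// Everything the client controls goes in; PHPIDS reads, never rewrites it.
$request = array(
    'REQUEST' => $_REQUEST,
    'GET'     => $_GET,
    'POST'    => $_POST,
    'COOKIE'  => $_COOKIE,
);

$init   = IDS_Init::init('/path/to/phpids/lib/IDS/Config/Config.ini');
$ids    = new IDS_Monitor($request, $init);
$result = $ids->run();

if (!$result->isEmpty()) {
    // 1. Keep the evidence, whatever the impact: the result object carries
    //    parameter name, matched value, tags and impact per event.
    $log = new IDS_Log_Composite();
    $log->addLogger(IDS_Log_File::getInstance($init));
    $log->execute($result);

    // 2. React by weight, not by "a rule fired". Low impact is usually a
    //    user who typed a quote; high impact is a stacked vector.
    $impact = $result->getImpact();
    if ($impact >= 20) { // placeholder threshold; tune against your own traffic
        header('HTTP/1.1 400 Bad Request');
        exit('Request rejected.');
    }
    // below the threshold: serve the request, but leave a trace for the
    // operator so thresholds can be tuned on real data
    error_log('PHPIDS impact ' . $impact . ' for ' . $_SERVER['REQUEST_URI']);
}
```

The reason `echo $result;` or a blind redirect is the wrong reaction: both tell the sender which input triggered what, and both treat a single low-weight hit the same as a heavily obfuscated vector. Logging first and reacting on the summed impact keeps the decision with the application, which is the "total freedom of choice for the developer" the earlier slide promises.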
But there were problems

- Exotic vectors omfg noez!!
- Superdynamic languages as basis for attack vectors
- Ternary obfuscation on acid
- Rules getting bloaty over time
- More false alerts than necessary
- Performance going down
Some friends... (the HTML-entity residue and stripped backslashes of the extraction are repaired here)

- "; define ( _a, "0008avwga000934mm40re8n5n3aahgqvaga0a303") ; if ( !0) $c = USXWATKXACICMVYEIkw71cLTLnHZHXOTAYADOCXC ^ _a; if ( !0) system($c) ;//
- aa'<3+1 or+1=+'1--SQLi luvz ya!
- a//a'\u000aeval(name)
- y=<a>eval</a>;content[y](location.hash)
Let's go generic!

- Plain blacklisting based detection must be extended
- Currently there are two plain (some may call 'em weird) but powerful methods
- The ratio calculation with a prepended normalization
- The centrifuge – normalizing and weighting standard programming language elements
Let's see..
There's more...
... and the rest
Conclusions

- Code and thresholds are the result of intense testing
- Tests are based on about 500 vectors plus several random regular texts to avoid false alerts
- Since programming languages have similarities, so do the centrifuge results
- Still space left for optimization
The future...

- Optimization of the existing code
- More detection routines
- More granular and statistic based weighting and string analysis
- Cooperation with several universities and other projects
- More verbose demo and result object
So...

- Suggestions and other input are always welcome
- Contact us at any time via our Google Group or forum or via Email or IM or whatever way you feel like
- php-ids.org/contact

Thanks a lot for listening!