PHPIDS
Monitoring attack surface activity


A presentation by Mario Heiderich
For OWASP AppSec Europe 2008
Who?



Mario Heiderich

CSO for ormigo.com in Cologne, Germany
Lead developer / co-founder PHPIDS
GNUCITIZEN core member
What?


        Webapp Security – say what!
         The developers' dilemma
          Webapp alarm devices
           Regex black-mæjick
             Blacklisting 2.0
Tough love


<img/
/onerror="[$y=('al')]&[$z=$y+'ert']
[a=(1?/ev/:0)[-1]+$y]($z)(1)"
src=x>

    What does this code do? Anyone?
The dilemma


        Usability vs. Security
         Insecurity 2.0
          One in a million

        Unaware malignity?
Who knows?


   Developers and time pressure
  Complexity – do you really know HTML?
    JS, SQL, PHP, LDAP, XML, OMG...
             It's full of ... vectors

     I don't see it - thus it doesn't exist
Do what now?


         Install a WAF Appliance?
      Strip what's looking weird?
      Employ a logfile monkey?
    Fallback to static HTML?
Maybe no!


           PHPIDS detects badness
                  Pricing: 0€
                      LGPL
                 Slim, fast and...
... tested by security experts all over the world
                  over months
What does it do?




          Not much, really!
Receiving



               First of all:
    The developer defines what to scan.
Converting


   The input is being analysed, converted and
 normalized to a certain level before hitting the
            regular expressions.

          And the mysterious PHPIDS Centrifuge.
Matching


 An XML/JSON ruleset covering various attack
           detection patterns

       About 70 tagged regex rules

 XSS, SQLI, RCE, LFI, DT, LDAP injections, DoS...
Blacklisting magic



Generic attack detection – we will talk about that
               in some minutes...

             Meaning the PHPIDS Centrifuge
Reporting



             As slim as possible

              An attack was detected...
... a result object is filled with the necessary data
Measuring

       Any rule carries a numerical impact value.
   Attack + Matching rules = Overall Impact.
<filter>
    <rule><![CDATA[(?:^>[\w\s]*<\/?\w{2,}>)]]></rule>
    <description>finds unquoted attribute breaking in...</description>
    <tags>
        <tag>xss</tag>
        <tag>csrf</tag>
    </tags>
    <impact>2</impact>
</filter>
Reacting



 Developers can define reactions based on the
 impact. Or the tags. Or the matching of one or
             several certain rules...
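As an added example (not PHPIDS code), here is the receive, convert, match, measure and react flow of the preceding slides in one small PHP script: the first rule is the one shown on the Measuring slide, while the second rule, the impact cut-offs and the sample requests are constructed for the demo.

```php
<?php
// Added example, not PHPIDS code: the receive -> convert -> match -> measure
// -> react pipeline of slides 10-16 in miniature. Rule 1 is the rule from the
// "Measuring" slide; rule 2, the cut-offs and the requests are constructed.

$rulesetXml = <<<'XML'
<filters>
  <filter>
    <rule><![CDATA[(?:^>[\w\s]*<\/?\w{2,}>)]]></rule>
    <description>finds unquoted attribute breaking in...</description>
    <tags><tag>xss</tag><tag>csrf</tag></tags>
    <impact>2</impact>
  </filter>
  <filter>
    <rule><![CDATA[(?:\balert\s*\()]]></rule>
    <description>constructed demo rule: bare alert( call</description>
    <tags><tag>xss</tag></tags>
    <impact>3</impact>
  </filter>
</filters>
XML;

/** Converting (slide 11): normalize before the regular expressions see the value. */
function convert(string $value): string
{
    // Undo one layer of URL encoding, then decode HTML entities, so that the
    // ale&#x200d;rt(1) from the Centrifuge slide gets its real zero-width joiner
    $value = html_entity_decode(rawurldecode($value), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Drop zero-width characters whose only job is to split a keyword; on invalid
    // UTF-8 preg_replace() returns null, so fall back to the decoded value as is
    return preg_replace('/[\x{200B}-\x{200D}\x{2060}\x{FEFF}]/u', '', $value) ?? $value;
}

/** Matching/Measuring (slides 12, 15): tagged regex rules, each with an impact. */
function loadRules(string $xml): array
{
    $rules = [];
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOCDATA);
    foreach ($doc->filter as $filter) {
        $tags = [];
        foreach ($filter->tags->tag as $tag) {
            $tags[] = (string) $tag;
        }
        $rules[] = [
            'rule'        => (string) $filter->rule,
            'description' => (string) $filter->description,
            'tags'        => $tags,
            'impact'      => (int) $filter->impact,
        ];
    }
    return $rules;
}

/** Receiving/Measuring (slides 10, 15): only the fields the developer hands over are scanned; matching rules add up. */
function scan(array $fields, array $rules): array
{
    $report = ['impact' => 0, 'tags' => [], 'events' => []];
    foreach ($fields as $name => $raw) {
        $value = convert((string) $raw);
        foreach ($rules as $rule) {
            // PHPIDS wraps every rule in /.../ims, which is why the rule above escapes its slash
            if (preg_match('/' . $rule['rule'] . '/ims', $value) === 1) {
                $report['impact'] += $rule['impact'];
                $report['tags'] = array_values(array_unique(array_merge($report['tags'], $rule['tags'])));
                // kept so a reaction can also key on one specific rule (slide 16)
                $report['events'][] = ['field' => $name, 'rule' => $rule['description']];
            }
        }
    }
    return $report;
}

/** Reacting (slide 16): by overall impact or by tag; both cut-offs are assumed values. */
function react(array $report): string
{
    if ($report['impact'] === 0) return 'pass';
    if ($report['impact'] >= 5) return 'block';
    if (in_array('xss', $report['tags'], true)) return 'log+alert';
    return 'log';
}

$rules = loadRules($rulesetXml);

// Constructed sample requests; the keys are the fields the developer chose to scan
$requests = [
    'benign'      => ['comment' => 'Thanks for the talk! See you at AppSec 2008 :)'],
    'attr-break'  => ['name' => '>hi <div>'],
    'zwj-split'   => ['q' => 'ale&#x200d;rt(1)'],
    'both-fields' => ['name' => '>hi <div>', 'q' => 'ale%26%23x200d%3Brt(1)'],
];
foreach ($requests as $label => $fields) {
    $report = scan($fields, $rules);
    printf("%-12s impact=%d tags=[%s] -> %s\n",
        $label, $report['impact'], implode(',', $report['tags']), react($report));
}
```

The last request carries the entity URL-encoded, so it only matches once convert() has unwrapped both layers; that is the point of the Converting step before the rules run.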
Logging

Use the integrated loggers – create backend tools like this:
But...



Isn't it super slow to pump user input through 70
      regular expressions including a massive
 conversion process – again about 30-40 regular
                   expressions?
Nup

  Not when dealing with full-stack frameworks like
   CakePHP, Symfony, ZF or even WordPress
Choosing wisely


Nup? Nup! That's due to the caching mechanisms
             and a pre-selection.

95% of the user input won't even hit the rules and
              pass as harmless.
But²...



          What about false alerts?
Yes – depending on the application they exist. So the PHPIDS
         sometimes needs some days to learn...
Candy Time!




  so - what about the PHPIDS Centrifuge?
The Centrifuge
       Blacklisting alone is useless
     Say thanks to SQL and JavaScript

            ale&#x200d;rt(1)

        aa' ^+ -(0) + -(0) = '0

   Unlimited ways of obfuscating payload
Know your foe



     So what characterizes an attack?

    Special chars! Loads of them!
Let's see..

if (strlen($value) > 25) {
    // Check for the attack char ratio: count what is left once word
    // characters, whitespace, letters and a few harmless punctuation
    // characters are stripped...
    $stripped_length = strlen(
        preg_replace('/[\w\s\p{L}.,\/]*/ms', '', $value));
    // ...against the length with long words collapsed to three characters
    $overall_length = strlen(
        preg_replace('/\w{3,}/', '123',
        preg_replace('/\s{2,}/ms', '', $value)));

    // Too many special chars per "normal" char: append a marker the rules can match
    if ($stripped_length != 0 && $overall_length / $stripped_length <= 3.5) {
        $value .= "\n$[!!!]";
    }
}
There's more...

if (strlen($value) > 40) {
    // Replace all non-special chars
    $converted = preg_replace('/[\w\s\p{L}]/', '', $value);

    // Split string into an array, unify and sort
    $array = str_split($converted);
    $array = array_unique($array);
    asort($array);

    // Normalize certain tokens
    $schemes = array(
        '~' => '+', '^' => '+', '|' => '+', '*' => '+', '%' => '+',
        '&' => '+', '/' => '+' );
... and done!
    $converted = implode($array);
    $converted = str_replace(array_keys($schemes),
        array_values($schemes), $converted);
    $converted = preg_replace('/[+-]\s*\d+/', '+', $converted);
    $converted = preg_replace('/[()[\]{}]/', '(', $converted);
    $converted = preg_replace('/[!?,.:=]/', ':', $converted);
    $converted = preg_replace('/[^:(+]/', '',
        stripslashes($converted));

    // Sort again and implode
    $array = str_split($converted);
    asort($array);
    $converted = implode($array);

    // Enough brackets, operators and separators together: append the
    // signature so the ruleset can match it
    if (preg_match('/(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|' .
          '(?:\({3,}\++:{2,})/', $converted)) {
        return $value . "\n" . $converted;
    }
}
The tests tell us...


 ...that almost all real world attacks, JS worms,
SQL Injection exploits and other stuff are detected
            by the PHPIDS Centrifuge.

  Those who weren't detected got caught by the
                     rules.
Btw.. the tests!



  PHPIDS is unit tested, regression tested and
              community driven.

   Please don't have a look at the test files!
Back to our friend...
So...


        The PHPIDS detects attacks.
     Developers can choose how to react.
The PHPIDS knows them weird encodings and charsets.
                   It's free and OSS.
                   It's community driven
    60 Members, ~1000 Posts in the various testing threads
Plus



 It's in use on dozens of real high-traffic sites.

   neu.de, shoppero.com, astalavista.com, ormigo.com,
             doccheck.com, sevenload.de...
10x guys!


         The PHPIDS core members,
 Gareth Heyes, David Lindsay, Eduardo Vela,
  Kishor, Giorgio Maone, Reiners, Ronald, tx,
 kuza55, the guys from schokokeks.org and so
                 many others!
Questions?


              Now's the time to ask!

Else you would have to check the whitepaper for yourself
  – or drop me a line or post to the group or the forum or check
                          sla.ckers.org.
Thanks a lot for listening!
