Generic Attack Detection
Avoiding blacklisting traps with the PHPIDS

A presentation by Mario Heiderich
For ph-neutral 0x7d8
Who?

Mario Heiderich
• CSO for ormigo.com in Cologne, Germany
• Lead developer / co-founder PHPIDS
• Has browsed a lot of sites
What?

• Attack detection for webapps
• Type and weight analysis
• The PHPIDS and some of its whereabouts
• Generic attack detection vs. plain blacklisting
Current Situation

• Webapps grow in numbers and complexity
• User generated input of all possible kinds
• Securing new apps is hard
• Securing existing apps is even harder
• Difficult to manage the split between usability and security
Approaches to deal with Webappsec

• Total ignorance (yep – that sometimes happens...)
• Drastic filtering, escaping or senseless validation, right Mr. O'Malley?
• Backup & Restore (for real!!1)
• WAFs and IDSes
• Training and Consulting
• Spending a lot of money for useless stuff
The open source „market“

• mod_security, JWall, HTMLPurifier, Anti-Samy and others
• Either very specialized...
• ...or entirely based on blacklisting
• Sometimes generating vulnerabilities themselves
• And sometimes crippling users' input
Our approach

• Say yes to blacklisting!
• Use it to detect, categorize and weight
• User input won't be touched
• Total freedom of choice for the developer
• and... generic attack detection
Let's have a look

One of the 70 regex rules to detect XSS, SQLi, RCE and many other attack patterns:

  <filter>
      <rule><![CDATA[(?:^>[\w\s]*<\/?\w{2,}>)]]></rule>
      <description>finds unquoted attribute breaking in...</description>
      <tags>
           <tag>xss</tag>
           <tag>csrf</tag>
      </tags>
      <impact>2</impact>
  </filter>
Step by step

• User generated input coming in
• First test to check if the whole detection process is necessary
• Conversion process
• Detection process
• Reporting and optional logging
Btw converting...

• The converter is capable of normalizing the user's input from several formats
• JS Oct, Hex, Unicode and Charcode
• UTF7-Shmootf7 (no idea why this still is an issue)
• Loads of entities - be they hex, dec, named or others
• SQL-, obfuscation- and concatenation patterns...
• Evil chars, nullbytes, RTL/LTR chars
• Comments, special numeric formats etc. etc. ...
Easy implementation

Not so hard, isn't it?
The „doing something smart“-part might be though...
and no – replacing the comment by echo $result; or a redirect is not the cleverest way...
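The pipeline of the last four slides (the rule format, the step-by-step flow, the converter and the „doing something smart“ part) as one added Python example; this is not PHPIDS code, which is written in PHP. The first rule is the one quoted on the rule slide, while the second rule, the pre-check test, the decoders and the sample inputs are assumptions constructed for this demo.

```python
"""Re-implementation of the pipeline on the slides: pre-check, converter,
regex rules in the PHPIDS filter format, report. Added example, not the PHPIDS
code: rule one is quoted from the slide, rule two and the samples are constructed."""
import html
import re
import xml.etree.ElementTree as ET

FILTER_XML = r"""<filters>
  <filter>
    <rule><![CDATA[(?:^>[\w\s]*<\/?\w{2,}>)]]></rule>
    <description>finds unquoted attribute breaking injections</description>
    <tags><tag>xss</tag><tag>csrf</tag></tags>
    <impact>2</impact>
  </filter>
  <filter>
    <rule><![CDATA[(?:\bsystem\s*\()]]></rule>
    <description>constructed demo rule: call of PHP system()</description>
    <tags><tag>rce</tag></tags>
    <impact>3</impact>
  </filter>
</filters>"""

def load_rules(xml_text):
    """Parse <filter> elements into compiled rules (flags mirror PCRE /ims)."""
    rules = []
    for f in ET.fromstring(xml_text).iter("filter"):
        rules.append({"regex": re.compile(f.findtext("rule"), re.I | re.M | re.S),
                      "description": f.findtext("description"),
                      "tags": [t.text for t in f.iter("tag")],
                      "impact": int(f.findtext("impact"))})
    return rules

def needs_scan(value):
    """Step 1 (assumed cheap test, not the PHPIDS one): skip values made only of
    word characters, whitespace and ordinary punctuation."""
    return re.search(r"[^\w\s/@!?.,'-]", value) is not None

_JS_HEX = re.compile(r"\\x([0-9a-f]{2})", re.I)
_JS_UNI = re.compile(r"\\u([0-9a-f]{4})", re.I)
_JS_OCT = re.compile(r"\\([0-7]{1,3})")
_CHARCODE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)", re.I)

def convert(value):
    """Step 2: fold the encodings listed on the converter slide into one form,
    so a single rule sees '<script>' however it was written."""
    value = html.unescape(value)                                    # &#60; &#x3c; &lt;
    value = _JS_HEX.sub(lambda m: chr(int(m.group(1), 16)), value)  # \x3c
    value = _JS_UNI.sub(lambda m: chr(int(m.group(1), 16)), value)  # \u003c
    value = _JS_OCT.sub(lambda m: chr(int(m.group(1), 8)), value)   # \74
    value = _CHARCODE.sub(lambda m: "".join(chr(int(c)) for c in m.group(1).split(",")
                                            if c.strip()), value)    # String.fromCharCode(60)
    value = value.replace("\x00", "")                                # nullbytes
    return re.sub("[\u200e\u200f\u202a-\u202e]", "", value)           # RTL/LTR marks

def detect(rules, value):
    """Step 3: every matching rule contributes its tags and its impact."""
    hits = [r for r in rules if r["regex"].search(value)]
    return {"impact": sum(r["impact"] for r in hits),
            "tags": sorted({t for r in hits for t in r["tags"]})}

def run(rules, value):
    """Steps 1-4: pre-check, convert, detect, report. The input itself is never
    modified or blocked; what to do with the report is left to the application."""
    if not needs_scan(value):
        return {"impact": 0, "tags": [], "converted": value}
    converted = convert(value)
    return {**detect(rules, converted), "converted": converted}

RULES = load_rules(FILTER_XML)

if __name__ == "__main__":  # constructed samples: plain text, entity-, hex-encoded, PHP
    for s in ("Hello, this is a normal comment.", "&#62;foo&#60;script&#62;alert(1)",
              r"\x3efoo\x3cscript\x3e", "if(!0) system($c);"):
        print(repr(s), "->", run(RULES, s))
```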
But there were problems

• Exotic vectors omfg noez!!
• Superdynamic languages as basis for attack vectors
• Ternary obfuscation on acid
• Rules getting bloaty over time
• More false alerts than necessary
• Performance going down
Some friends...

• "; define ( _a, "0008avwga000934mm40re8n5n3aahgqvaga0a303") ; if ( !0) $c = USXWATKXACICMVYEIkw71cLTLnHZHXOTAYADOCXC ^ _a; if ( !0) system($c) ;//
• aa'<3+1 or+1=+'1--SQLi luvz ya!
• a//a'\u000aeval(name)
• y=<a>eval</a>;content[y](location.hash)
Let's go generic!

• Plain blacklisting based detection must be extended
• Currently there are two plain (some may call 'em weird) but powerful methods
• The ratio calculation with a prepended normalization
• The centrifuge – normalizing and weighting standard programming language elements
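The two methods named above, as an added Python example in the spirit of the PHPIDS approach (not the project's code): an attack-character ratio computed after a small normalization, and a centrifuge that keeps only programming-language elements, maps them onto a few token classes and sorts them into a shape. The thresholds, the character classes and the code-shaped signature are assumptions for this demo; one sample is the last vector from the "Some friends" slide, the others are constructed.

```python
"""Ratio calculation and centrifuge, re-implemented in the spirit of the slides.
Added example, not the PHPIDS code: thresholds, character classes and the
code-shaped signature are assumptions made for this demo."""
import re

RATIO_MIN_LENGTH = 25       # assumed: shorter strings give meaningless ratios
RATIO_THRESHOLD = 0.25      # assumed: share of attack characters that is suspicious
ORDINARY = r"[\w\s.,!?'-]"  # what normal text is made of

def normalize(value):
    """Prepended normalization: remove what would distort the ratio."""
    value = value.replace("\x00", "")
    value = re.sub(r"\s{2,}", " ", value)            # whitespace padding
    return re.sub(r"([*.!?+-])\1+", r"\1", value)    # '!!!!' or '++++' count once

def attack_char_ratio(value):
    """Share of non-ordinary characters, or None when the input is too short."""
    value = normalize(value)
    if len(value) < RATIO_MIN_LENGTH:
        return None
    return len(re.sub(ORDINARY, "", value)) / len(value)

# Centrifuge token classes: brackets -> '(', arithmetic/bitwise -> '+',
# assignment/comparison/ternary -> ':', quotes -> "'", statement separator -> ';'.
# The hyphen is deliberately not an operator here: it is too common in text.
CLASSES = {"(": "()[]{}", "+": "+*/%^&|~", ":": "=<>:?", "'": "'\"`", ";": ";"}

def centrifuge(value):
    """Throw away text, keep language elements mapped to their class, and sort
    them so that token order no longer matters: the result is a shape."""
    kept = re.sub(r"[\w\s.,!]", "", value)
    return "".join(sorted(c for ch in kept for c, members in CLASSES.items() if ch in members))

def code_shaped(shape):
    """Assumed signature: two or more brackets, a separator or a quote, and at
    least one operator or assignment/comparison in the same value."""
    n = {c: shape.count(c) for c in CLASSES}
    return n["("] >= 2 and (n[";"] + n["'"]) >= 1 and (n["+"] + n[":"]) >= 1

def analyse(value):
    """Both generic checks on one value; a caller would weight these hits
    together with the regex rule hits instead of blocking on either alone."""
    r = attack_char_ratio(value)
    shape = centrifuge(value)
    return {"ratio": r, "ratio_hit": r is not None and r >= RATIO_THRESHOLD,
            "centrifuge": shape, "centrifuge_hit": code_shaped(shape)}

if __name__ == "__main__":
    # Samples: the last vector from the 'Some friends' slide, a constructed URL
    # with two query parameters, and a constructed sentence.
    for s in ("y=<a>eval</a>;content[y](location.hash)",
              "see http://example.com/docs?id=1&lang=en (section 2)",
              "Please send me the report by Monday, thanks!!!"):
        print(repr(s), analyse(s))
```

The URL sample shows why the centrifuge asks for a separator or a quote: a query string alone already yields brackets, operators and assignments, and would otherwise be a false alert.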
Let's see..
There's more...
... and the rest
Conclusions

• Code and thresholds are the result of intense testing
• Tests are based on about 500 vectors plus several random regular texts to avoid false alerts
• Since programming languages have similarities, so do the centrifuge results
• Still space left for optimization
The future...

• Optimization of the existing code
• More detection routines
• More granular and statistics-based weighting and string analysis
• Cooperation with several universities and other projects
• More verbose demo and result object
So...

• Suggestions and other input are always welcome
• Contact us at any time via our Google Group or forum or via Email or IM or whatever way you feel like
• php-ids.org/contact
Thanks a lot for listening!
