/usr/portage

Security "to go"? 5

I’m a huge fan of PHP-IDS. Mario Heiderich and Christian Matthies did an incredible job polishing this tool, adding new features and trying to catch every esoteric attack signature. However, I have the feeling there is some confusion (German) about what intrusion detection is for. On a server, intrusion detection is used to diagnose a break-in. First of all you do everything you can to keep your server from going down: you have a firewall, you try not to expose services to the outside, you do SSH with port knocking, you put a risky service into a jail or chroot, you use the Suhosin patchset and so on. There are various strategies for hardening a server. The hardening is the barrier against break-in attempts.
If hell freezes over anyway, the intrusion detection mechanism comes into play to make sure the attempt is not overlooked and the machine does not become yet another zombie in a botnet. PHP-IDS is an intrusion detection tool on the application level. Application firewalls know about a certain protocol and its structure (e.g. HTTP) and inspect the protocol to detect attack patterns. Some of them are even capable of learning from usual request signatures and enforcing rules based on the learned data. There are various commercial products for application firewalling. PHP-IDS does the same for free and sits directly on the webserver, in the scope of the application. For personal usage or projects with a lower budget that can’t afford expensive products, it might be a good supplement. Besides being a supplement, application firewalls are a valid choice when security becomes an urgent problem: a lot of heavily flawed software is designed (often it is not even designed) and developed without the developer ever having heard about security: “Yes you can inject HTML, that’s a feature!”, “‘ OR true/* lists you every item, isn’t that cool?”. If such projects become popular, application firewalls might be an option to hotfix the disaster. But nevertheless the application itself needs to be fixed.
The inherent issue with application firewalls is that there is no other place that knows exactly what proper incoming data for the application looks like, except the application itself. That’s why application firewalls can never be perfect. IDS is needed for the 2% the developer forgot. So it is not like coffee to go. It is like having the coffee and adding milk or sugar. Having milk without coffee seems pointless to me anyway.

Filed on 20-05-2008, 21:09 & five comments & one trackback

Security reporting the productive way 0

This morning I reported an XSS vulnerability to mugshot. An hour later I got a response that they were investigating the issue and deploying a fix. Six hours later the fix was deployed and I was notified again. This is exemplary!

Filed on 22-10-2007, 16:04 & no comments & no trackbacks

Preventing cross site scripting by design 4

This is more or less a reply to Dynamic global functions in PHP. My main problem with delegating escaping to the template is that the people who normally work with templates are frontend developers and designers, who do not and should not have to care about web security. That is the programmers’/architects’ field. None of the frontend developers should be able to create security-relevant artefacts by accident. So by the time a value arrives in the template, everything should already be done; no special escape calls should be necessary. I will show you how we do escaping and template value sanitizing at Neu.de. But let’s first step through all the common models in order to explain why they are bad. I assume you know the basic MVC terms; I will mostly use view and controller action here. First of all, the most common approach: just assigning variables as-is to the view component:

The second, much better, approach is to escape values before accessing them in the template. This is fine as long as you do not use objects in your templates.

If you have complex, nested objects encapsulating complex business rules, you do not want to convert them to arrays just to be able to escape them afterwards, for speed reasons. So if you pass an object with a method that returns fragile user input, your escaping logic is bypassed. See:

The solution is to wrap assigned objects in mock objects. You can easily implement a mock object builder using PHP5’s reflection features and create a simple proxy which escapes the return value of every call, or, if an object is returned, wraps that returned object in another mock object. And so on and so on:

Once you have implemented that, a) your developers need not care about XSS anymore, they just use the framework, and b) you can sleep better at night, because it is not likely that your site is vulnerable to XSS. Sometimes you want to allow HTML code to pass through to the template. That’s ok, just give the developer a way to bypass mocking or escaping. If you want to audit your code for XSS problems, just grep for that method signature.
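A minimal version of the recursive escaping proxy described above, as an added example (not the Neu.de code from the post); the class names and the RawHtml marker type used for the deliberate pass-through are assumptions:

```php
<?php
// Added example (not the post's Neu.de code): a recursive escaping proxy.
// Class names and the RawHtml marker type are assumptions.
// Marker for HTML a developer deliberately passes through unescaped;
// grep for "new RawHtml(" to audit every such spot.
final class RawHtml {
    public $html;
    public function __construct(string $html) { $this->html = $html; }
}

function escapeValue($v) {
    if ($v instanceof RawHtml) return $v->html;            // audited pass-through
    if ($v instanceof EscapingProxy) return $v;            // already wrapped
    if (is_object($v)) return new EscapingProxy($v);       // wrap nested objects
    if (is_array($v)) return array_map('escapeValue', $v); // arrays element-wise
    if (is_string($v)) return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return $v;                                             // int, float, bool, null
}

// Proxy that escapes every method return value and property read of $target.
final class EscapingProxy {
    private $target;
    public function __construct(object $target) { $this->target = $target; }

    public function __call(string $name, array $args) {
        $m = new ReflectionMethod($this->target, $name);
        if (!$m->isPublic()) throw new BadMethodCallException("$name is not public");
        return escapeValue($m->invokeArgs($this->target, $args));
    }

    public function __get(string $name) {
        return escapeValue($this->target->$name);
    }
}

// Constructed sample: user objects whose names carry injection attempts.
class User {
    private $name; private $friend;
    public function __construct(string $name, ?User $friend = null) {
        $this->name = $name; $this->friend = $friend;
    }
    public function getName(): string { return $this->name; }
    public function getFriend(): ?User { return $this->friend; }
    public function getBio(): RawHtml { return new RawHtml('<b>trusted</b>'); }
}

$user = new EscapingProxy(new User('<script>alert(1)</script>', new User('Bob & Co')));
echo $user->getName(), "\n";              // escaped: the script tag becomes entities
echo $user->getFriend()->getName(), "\n"; // nested object was wrapped, ampersand escaped
echo $user->getBio(), "\n";               // RawHtml marker: passed through unescaped
```

The template only ever sees EscapingProxy instances, so a method returning user input is escaped whether it is called directly or through a chain of nested objects.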

Filed on 22-10-2007, 14:02 & four comments & no trackbacks

XSS-exploits filtered by person 0

xssed.com is a directory for XSS exploits. You can submit your exploits and they get listed and, most important, a copy of the exploit is archived. Of course it is a bit of a challenge, but it is also useful for keeping track of vendor reactions to your exploits. One thing is missing: a personalized RSS feed which just renders the exploits of a certain author. But there is Yahoo Pipes, in the end a pretty impressive program hosting service, which basically provides tools, filters and operators that can be chained to remix content. I played around with it months ago but never had a real use case. Now I had one, and I implemented a pipe for creating a news feed from xssed.com. As a result, you can follow my exploits on the start page.

Update: xssed.com is currently blocking requests from the user agent Yahoo Pipes 1.0, which I find pretty sad. I’m trying to get in contact with the xssed.com staff.

Filed on 12-10-2007, 01:01 & no comments & no trackbacks

Planet Websecurity launched 0

Christian Matthies, one of the developers of PHP IDS, launched Planet Websecurity today. Good shit!

Filed on 29-06-2007, 00:12 & no comments & no trackbacks

Easy friend-finding for social retarded 0

Found an XSS injection on Qype which enabled a user to inject malicious JavaScript into his profile in order to automatically become a friend of every visitor. As Qype is implemented in Rails, they use Prototype as their JavaScript library, which made it pretty easy to implement a fitting exploit:

"><script>new Ajax.Request('/contact/create?to_user_id=16992', {method: 'post'})</script>

Qype has fixed the issue.

Filed on 26-06-2007, 10:10 & no comments & no trackbacks

XSS holes on dapper.net 0

Dapper is a web service which provides web service creation on the fly. You can create your own APIs, feeds etc. just by mashing together selected areas from different websites. It is pretty similar to Yahoo Pipes. Switch/Twitch already pointed out that dapper completely breaks the same origin policy, which is the basic security concept for rich web applications (it is partly broken by Flash anyway, but that is another story). But even worse, dapper itself was vulnerable to XSS injections, which I found out two weeks ago. The vendor replied quickly and fixed the issues I had demonstrated. The combination of breaking the same origin policy and vulnerabilities on dapper itself is pretty dangerous. Hopefully the developers really know that they are playing with fire.

Filed on 20-06-2007, 20:08 & no comments & no trackbacks

Intrusion detection for PHP 4

A local startup, Ormigo, launched PHP IDS, a PHP-based intrusion detection system. It was written by Mario Heiderich and christ1an (who did the regular expression magic). The outstanding difference from approaches like mod_security is that it is purely PHP-based and can be integrated into your application. It basically takes a user-submitted content array ($_POST, $_GET, $_COOKIE) and applies a certain set of regular expressions. When I read about it on Oliver Thylmann’s weblog I was really fascinated by the idea and started playing around with it. I’ve submitted a number of patches and proposals and started a branch to introduce more convenient result handling, which was merged back into the trunk a few hours ago. There will be a release in the next weeks and I’m looking forward to helping this project grow up.
Just for the record: after christ1an asked me who I work for, he found a nice XSS on Neu.de which was fixed on Monday. Thanks again for the hint, christ1an.

The PHP IDS subversion repository: http://phpids.googlecode.com/svn/trunk/

Filed on 15-05-2007, 22:10 & four comments & no trackbacks

XSS-Sunday 5

So, it’s XSS Sunday again, and today we’re looking at a completely unknown portal: telefonbuch.de. A very handy service for finding phone numbers if you have as bad a memory for numbers as I do, or if you have always wanted to run JavaScript in the page context of telefonbuch.de. It goes like this (paste the following string into the form field »Name/Begriff oder Telefonnummer«):

';alert ("Manfred Krug" );test= '

The oddly placed spaces are needed to trick the normalizer component a little. Also interesting: the application itself handles user input correctly, but the ad tag that is exploited here does not.

Update, 12 March 2007:
The vendor has fixed the bug.

Filed on 04-03-2007, 19:07 & five comments & no trackbacks

Live from Webmontag 0

So, I just listened to a talk about webnews.de. I didn’t quite understand what they do, but I found this:

http://www.webnews.de/suche/""<script>alert('XSS')</script>

Update:
It looks like they have fixed the problem. Now I’m just waiting for my milk frother. But I think it’s cool that it went so quickly!

Filed on 22-01-2007, 21:09 & no comments & no trackbacks

Things I don’t really love 5

$database->Execute ("INSERT INTO foo SET baz='".$_POST ['bar']."'");

Filed on 10-03-2006, 11:11 & five comments & no trackbacks

Calm down 0

Found this bug a few weeks ago but marked it for myself as ugly but uncritical (Hannes will remember, I used his blog as a test environment). Until today I haven’t changed my mind, because you need a lot of luck to get through with this injection. Only a combination of missing Spam Karma and a stupid blog owner does the trick. So, calm down. Nevertheless: WordPress is a great bughole, you won’t use it.

Filed on 02-03-2006, 13:01 & no comments & no trackbacks

Teh ZDF diskovers teh Intarweb two point oh 0

You can now read about lurking dangers at ZDF (via Stefan »die coole Sau« Mosel).

Filed on 21-02-2006, 14:02 & no comments & no trackbacks

Webmontag Frankfurt 14

»Already better« would be my verdict. After I complained loudly at the first Webmontag in Cologne, I still couldn’t resist going again. This time even with my own talk (with fukami) on security in Web 2.0. It was designed to make clear that the paradigm shift from content-centric applications to user-centric ones brings some new dangers, or rather old dangers in new clothes, and it grew into a small rant about existing problems. My explicit thanks to Nico Wilfer for his coolness in offering two of his projects as demo objects. I don’t think everyone would do that, thank you. Further results of the evening: Gerrit van Aaken is quite talented didactically, his talk on typography on the web was exciting, Beate Paland gave a really good introduction (as far as I could tell) to Ruby on Rails, Moe is a cool guy live as well, and: this time it was already a lot more fun.

Update:
Moe thinks we are nice users, Thomas Wahnhoff ranks our talk among the best, poocs.de has photos, blogwinkel connects my real name and my nick, I should sue right away (that seems to be how it’s done nowadays), you can also listen to us, and the slides are now online too (Live, Tarball).

Filed on 07-02-2006, 07:07 & 14 comments & one trackback

The other side: Security 2.0 alpha 2

The talk at Webmontag is over. Now it’s time to publish some security-related issues I found over the last weeks.


Filed on 07-02-2006, 00:12 & two comments & two trackbacks
