Archive for June 19th, 2007

Tutorial: An Introduction to PHPIDS (PHP-Intrusion Detection System)

After several weeks of work Mario Heiderich, Lars Strojny and of course myself released the
first stable versions of the PHPIDS - currently at version 0.2.2.

You will find the project site on http://php-ids.org/

In this article I would like to present our framework and explain how it can be used, hoping
that developers consider it useful to make their application more secure.

The PHPIDS is a system that is meant to be an additional layer of security for any PHP based
website or web application. In fact, this layer does not filter input - that would be a task
for different layers - but it makes sure that no potential attack against the application
goes unnoticed.

Based on a collection of heavily tested regular expressions, the PHPIDS is able to efficiently
recognize, classify and ultimately react to many different kinds of attacks, including, among
others, XSS, SQL injection, directory traversal, String.fromCharCode attacks,
halfwidth/fullwidth encoding attacks and remote code execution. Thanks to its flexible and simple
configuration, the PHPIDS reacts in exactly the way the developer intends.

The integration is as simple as can be. Besides PHP 5.2, the only requirements are the SimpleXML
extension and the following code:

[php]
<?php
set_include_path('../../lib/');
require_once 'IDS/Monitor.php';
require_once 'IDS/Filter/Storage.php';

try {

    // instantiate the storage object and fetch the rules
    $storage = new IDS_Filter_Storage();
    $storage->getFilterFromXML('../../lib/default_filter.xml');

    /*
     * Instantiate the IDS and start the detection
     *
     * here we are using $_GET but you can pass any
     * array you want like $_SERVER, $_SESSION etc.
     */
    $get = new IDS_Monitor($_GET, $storage);
    $report = $get->run();

    if (!$report->isEmpty()) {

        // Get the overall impact
        echo "Impact: {$report->getImpact()}\n";

        // Get array of every tag used
        echo 'Tags: ' . join(', ', $report->getTags()) . "\n";

        // Iterate through the report and get every event (IDS_Event)
        foreach ($report as $event) {
            echo "Variable: {$event->getName()} | Value: {$event->getValue()}\n";
            echo "Impact: {$event->getImpact()} | Tags: " . join(', ', $event->getTags()) . "\n";

            // Iterate through every filter that matched this event
            foreach ($event as $filter) {
                echo "Description: {$filter->getDescription()}\n";
                echo "Tags: " . join(', ', $filter->getTags()) . "\n";
            }
        }
    }

    /*
     * Additionally you have the option to store the detected
     * data using IDS_Log_Composite and for example IDS_Log_File
     */
    require_once '../../lib/IDS/Log/File.php';
    require_once '../../lib/IDS/Log/Composite.php';

    $compositeLog = new IDS_Log_Composite();
    $compositeLog->addLogger(
        IDS_Log_File::getInstance('log.txt')
    );

    if (!$report->isEmpty()) {
        $compositeLog->execute($report);
    }

} catch (Exception $e) {
    printf(
        'An error occurred: %s',
        $e->getMessage()
    );
}
?>
[/php]

Ideally the PHPIDS should be included at a central position of the application or, even better,
via auto_prepend_file. If an attack takes place, the IDS result object is returned filled with
data and the programmer can decide on the appropriate reaction. For the most part, decisions
about the reaction depend on the detected attacks' cumulative impact.

The impact variable acts as an indicator of an attack's severity and can be used to grade the
application's reaction to that attack. For example, if the impact is 3, an appropriate response
might be to log the issue in a file, whereas if the impact is around 12, a warning mail to the
site owner might be more applicable, whilst an impact of 24 or above might print out a message
to the attacker stating that the intrusion attempt has been detected and the request aborted.
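The graded reaction just described, as an added example that is not part of the tutorial's code: it reuses the report, event and logger objects shown above, while the function name reactToReport, the thresholds array and the notification address are assumptions of this example.

```php
<?php
// Added example: grade the reaction by the report's cumulative impact.
// Assumes $report was produced by IDS_Monitor::run() as in the tutorial and
// that the include path points at the PHPIDS lib directory. The function
// name, the thresholds array and the mail address are hypothetical.
require_once 'IDS/Log/File.php';
require_once 'IDS/Log/Composite.php';

/**
 * Decide how to react to a PHPIDS report and return the action taken
 * ('none', 'log', 'mail' or 'block') so callers can inspect the decision.
 */
function reactToReport($report, array $thresholds = array('log' => 3, 'mail' => 12, 'block' => 24))
{
    if ($report->isEmpty()) {
        return 'none';
    }

    $impact = $report->getImpact();

    // Keep a record of every event once the lowest threshold is reached.
    if ($impact >= $thresholds['log']) {
        $compositeLog = new IDS_Log_Composite();
        $compositeLog->addLogger(IDS_Log_File::getInstance('log.txt'));
        $compositeLog->execute($report);
    }

    if ($impact >= $thresholds['block']) {
        // Abort the request with a generic message; do not echo the matched
        // values or filter descriptions back to the client.
        header('HTTP/1.1 403 Forbidden');
        echo 'Your request has been blocked by the intrusion detection system.';
        return 'block';
    }

    if ($impact >= $thresholds['mail']) {
        // Summarise the report for the site owner (address is a placeholder).
        $lines = array("Impact: $impact", 'Tags: ' . join(', ', $report->getTags()));
        foreach ($report as $event) {
            $lines[] = sprintf('%s = %s (impact %d)', $event->getName(), $event->getValue(), $event->getImpact());
        }
        mail('owner@example.com', 'PHPIDS warning', join("\n", $lines));
        return 'mail';
    }

    return $impact >= $thresholds['log'] ? 'log' : 'none';
}

$action = reactToReport($report);
```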

The PHPIDS is heavily tested via PHPUnit and profiled via Xdebug, meaning that you can expect
a minimal performance hit to your applications. We are currently using the PHPIDS with great
success on several high traffic sites, ormigo.com and neu.de being the two foremost examples
of this. Documentation and support are available on the project site or via our forum. Future
development of the PHPIDS will probably centre around detection of fragmented XSS and enhanced
detection of heavily encoded attack vectors.

For users of .NET there's the .NETIDS written by Martin Hinks, which is a port of the PHPIDS
and uses the same filter rules. You will find all related resources on the .NETIDS project
page (http://code.google.com/p/dotnetids/). Support for the .NETIDS is also available in the PHPIDS forum.

Regards, Christian Matthies & Mario Heiderich


Zend Developer Zone: PHP Abstract Episode 5: Using the Zend Toolbars For Debugging & Profiling Apps

The Zend Developer Zone has posted the latest edition of their podcast, PHP Abstract. In this episode Yossi Leno looks at using the Zend Toolbars to work on your applications.

Our special guest for this episode of the PHP Abstract podcast is Yossi, who is the product manager for the development tools group at Zend. He is going to talk to us today about using the Zend Browser Toolbars for debugging and profiling your applications.

There are two ways to get the new show: download it directly or subscribe to their feed and get the latest ones hand delivered. They've also started a new program to bring more community input into the podcast (oh, and they pay too: $75 for making your contribution).


Charles Rowe’s Blog: The Four Major Benefits of MySQLi

Charles Rowe shares four reasons, or benefits, he has come up with that should make you think about choosing MySQLi over the normal MySQL library for PHP in your application.

There still seems to be a lot of confusion over the differences between the two extensions despite the length of time that mysqli has been in the wild. I wanted to briefly review the four major benefits of mysqli.

Here's the list:

  • Prepared Statements
  • Secure MySQL connections
  • Multi query
  • Object Oriented Interface

He also includes a few more links to further information (besides the explanation for each of the topics listed above) including an article from the Zend Developer Zone and a tutorial covering making the switch to MySQLi.


Community News: phpMyAdmin 2.10.2 Released

As mentioned by php|architect, the phpMyAdmin group has released the latest version of their popular database management package, phpMyAdmin 2.10.2.

This release contains bug fixes only (no new features) and corrects around 20 bugs that have been found in previous versions. If you're running an older version, it's suggested that you update, but there's no immediate need (no larger security issues or the like).


Wiadomosc.info: phpQuery - jQuery port for PHP

A new project has been pointed out to us today: phpQuery, a port of jQuery to PHP:

phpQuery is a PHP port of the well known and great web 2.0 JS library jQuery. It's not something like JQPie, which is a form of JS code generator and server-client layer.

They include a short example of adding content to a page (a new list element) that uses the DOM extension in PHP 5 to make the action happen. You can check out the library as part of their plainTemplate package.
