PHPIDS

PHPIDS is an open source PHP Web Application Intrusion Detection System. It was written by Mario Heiderich, Christian Matthies, Lars H. Strojny and several others in March 2007. It was later ported to other frameworks and is distributed under the LGPL License.

Goal

The main goal is to give every PHP programmer the ability to find intrusion data coming from the client to the PHP web application, and to speed up PHP application development by reducing the amount of time and money that has to be spent on application security.

Features

PHPIDS detects cross-site scripting (XSS), SQL injection, header injection, directory traversal, remote file execution, local file inclusion, denial of service (DoS) and LDAP injection. It is simple to use and well structured. It reports the impact of every attack by analyzing any chosen input variables, such as POST, GET, SESSION and COOKIE.

Forks to other Software

The PHPIDS module adds a security layer to Drupal.

Mute Screamer is a WordPress plugin based on PHPIDS.

A PHPIDS extension for MediaWiki has been developed.

ZIDS is a PHPIDS module developed to add extra security to Zend Framework applications.

px_phpids is an extension for TYPO3 based on PHPIDS.

dotnetids is a project similar to PHPIDS that secures ASP.NET applications written in VB.NET.

ModSecurity, a web application layer firewall, uses the PHPIDS default filter rules in its packages.

Criticism

PHPIDS applies several regular expressions to detect known-bad input. In doing so it essentially takes a blacklist approach, combined with heuristics intended to detect unknown patterns. Any blacklist approach can be criticised for failing to detect currently unknown attacks, and this approach requires the administrator of any application to update the library constantly to stay current with new attack vectors.

Moreover, using PHPIDS as the primary means of application security may lead developers to wrongly assume their product is safe. Additionally, the output of a PHPIDS check is not a binary value but an integer of unclear significance, which the developer has to evaluate before taking appropriate steps in the context of the application. The positive side of this is that the developer has to think about which impact level is acceptable; on the other hand, any single attack, even one with a low impact value, might help compromise the application's security.

A better approach is to apply secure programming practices independently of any IDS and build a secure application. Adding PHPIDS on top of that may let the application detect malicious users, possibly tag them as such, and alert the administrator or log detected attacks for later review. These steps have to be added by the application developers themselves, as PHPIDS does not offer such features.
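
The following is an added example, not code from the PHPIDS project, showing what the two preceding points look like in practice: the request variables named in the Features section (GET, POST, COOKIE) are handed to PHPIDS, and the integer impact it returns is mapped to an application-chosen action, with the alerting and logging step the article says the developer has to supply. It assumes PHPIDS 0.7 with its non-namespaced classes (IDS_Init, IDS_Monitor, IDS_Report, IDS_Event) installed under ./IDS/; the threshold values, the log file path and the phpids_* function names are this example's own choices.

```php
<?php
// Added illustration, not PHPIDS's own code. Assumes PHPIDS 0.7 under ./IDS/;
// thresholds, log path and function names are hypothetical choices.
require_once 'IDS/Init.php';

/**
 * Scan the given request arrays with PHPIDS and return the total impact
 * plus one entry per request field that matched at least one filter.
 */
function phpids_scan(array $request)
{
    $init    = IDS_Init::init(__DIR__ . '/IDS/Config/Config.ini.php');
    $monitor = new IDS_Monitor($request, $init);
    $report  = $monitor->run();   // IDS_Report, iterable over IDS_Event objects

    $events = array();
    if (!$report->isEmpty()) {
        foreach ($report as $event) {
            $events[] = array(
                'field'  => $event->getName(),               // e.g. "GET.q"
                'value'  => $event->getValue(),              // the offending input
                'impact' => $event->getImpact(),             // impact of this field alone
                'tags'   => implode(',', $event->getTags()), // e.g. "xss,csrf"
            );
        }
    }
    return array('impact' => $report->getImpact(), 'events' => $events);
}

/**
 * Map the raw integer to an action. The cut-offs (10 and 30) are hypothetical;
 * as the article notes, each application has to decide its own.
 */
function phpids_decide($impact)
{
    if ($impact >= 30) return 'block';   // reject the request outright
    if ($impact >= 10) return 'alert';   // serve it, but notify the administrator
    if ($impact > 0)   return 'log';     // serve it and record for later review
    return 'allow';
}

/**
 * Append one line per flagged request so that low-impact hits, which the
 * article warns may still add up, remain reviewable afterwards.
 */
function phpids_log(array $scan, $action, $logfile = '/var/log/phpids_app.log')
{
    $line = sprintf("%s impact=%d action=%s ip=%s fields=%s\n",
        date('c'), $scan['impact'], $action,
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-',
        json_encode($scan['events']));
    // LOCK_EX so concurrent requests do not interleave partial lines.
    file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX);
}

// Request-handling glue: pass only the superglobals this application reads.
$scan   = phpids_scan(array('GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE));
$action = phpids_decide($scan['impact']);

if ($action !== 'allow') {
    phpids_log($scan, $action);
}
if ($action === 'block') {
    header('HTTP/1.1 400 Bad Request');
    exit('Request rejected.');
}
// Normal application logic continues here; input still has to be validated
// and escaped by the application itself, as the article recommends.
```

Note that the decision happens in the application, not in PHPIDS: the same impact value can mean "block" in one context and "log only" in another, which is exactly the evaluation burden the criticism above describes.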

Detecting possible attacks via regular expressions imposes a slight performance penalty on the application.

The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.