Wednesday, March 26, 2008

PHP IDS and Web application firewalls

| Armando Romeo |

PHPIDS is by far the best in its field. It offers the features of an IDS for php applications, it's completely open source,  free and customizable. Rules are easily added through a handy xml file.
Although it has not been yet released a mature/stable version I noticed a good interest from the community. I am not sure if it is due to webmasters laziness, or the benefits PHPIDS can  bring to the overall web application security.



The risk with such kind of tool is to think that it is going to solve all kind of security problems. Want to say it now. It is *just* another layer of security
and will never be as effective as a real source code audit or vulnerability assessment.

Web application firewalls or IDS are still far from being an ultimate solution and probably they will never reach this stage as much as network firewall do not solve all network security problems.

Moreover, I see a bit of confusion in terminology about WAFs. In networking field firewall is something working on connection basis. That is you determine a traffic pattern using wildcards and then apply some rule to it.
WAFs available now act mainly like IDS instead.


Attacks on web applications are held through HTTP, that is Application layer. We are going to filter according to user (malicious) input, not user connection to forbidden ports/ip. So the name Waf is just incorrect.

PHPIDS is just on this task. You can choose to inspect GET, POST, SESSION and COOKIE and match user input with  an xml defintion file which off-the-shelf offers a good protection level against XSS, RFI, LFI, Sql injection.

I personally don't think at it as a safety feature even if without any doubt it adds some real benefit.

I take it as a way to understand where attacks are coming from and where
they are going to: it makes it easy to trace malicious attempts, instead of plumbing logs for attacking payloads.

According to impact level you can choose wether to log it on file or have a detailed report mailed to you.
Stats on hacking attempts against hackerscenter clearly show that I would end up with a DoS against my mail box if I enable this feature ;) .
Logging to database is my favourite solution.

I'm testing PHPIDS locally on Joomla and attacking it with pen testing tools to see what's catched and what not.
Will show my results and maybe a quick guide on how to install phpids in my next blog post...


Free Security Magazines