Malseven Blog

PHPIDS in CodeIgniter by using Hook

2010-03-24T15:52:00.021+08:00

I have been busy for a while, especially with programming stuffs and some personal things. Recently I look into the XSS filtering in CodeIgniter. There is a quick configuration to protect your application from all XSS attack. It is powerful but you will certainly need to put in some extra logic to suit your own needs, for example if you have rich text input or textarea in your web application that only allows certain characters.

I found out there is a PHP script which can be used to block malicious inputs (both XSS and SQL Injection typical strings) effectively - PHPIDS. I was thinking to integrate it into my CI web application later on. Download the file from the site and extract all the files into a directory in the root directory of your CI web application'directory.

NOTE: Make sure you add the redirect rule to phpids in your .htaccess file which can be found in CI's directory.

The question is -> do I still need to add codes to validate the inputs on each and every of my web forms? In this case, using the Hooks in CI will save up your development time. So I set up a post_controller_constructor hook in my CI web application.

First I create a file called PHPIDSHook.php in System->Application->Hooks directory.

PHPIDSHook.php - Source Code



require_once (dirname(__FILE__) . '/../../../phpids/lib/IDS/Init.php');

class PHPIDSHook
{
 function run()
 {
  $request = array($_GET, => $_GET, 'POST' => $_POST);

  $init = IDS_Init::init(dirname(__FILE__) . '/../../../phpids/lib/IDS/Config/Config.ini.php');

  $init->config['General']['base_path'] = '/phpids/lib/IDS/';
  $init->config['General']['filter_type'] = 'xml';
  $init->config['Caching']['caching'] = 'none';

  // Initiate the PHPIDS and fetch the results
  $ids = new IDS_Monitor($request, $init);
  $result = $ids->run();

  if (!$result->isEmpty())
  {
   require_once (dirname(__FILE__) . '/../../../phpids/lib/IDS/Log/File.php');
   require_once (dirname(__FILE__) . '/../../../phpids/lib/IDS/Log/Composite.php');

   $compositeLog = new IDS_Log_Composite();
   $compositeLog->addLogger(IDS_Log_File::getInstance($init));
   $compositeLog->execute($result);

   echo "WARNING: XSS/SQL Injection attack is detected!";
   exit();
  }
 }

}
?>

Next you will need to set your hook setting by modifying hooks.php which is located in System->Config->Hooks. Add these line of codes into that file:


$hook['post_controller_constructor'] = array(
                             'class'    => 'PHPIDSHook',
                             'function' => 'run',
                             'filename' => 'PHPIDSHook.php',
                             'filepath' => 'hooks',
                             );

Finally, go to System->Config->Config.php to set
$config['enable_hooks'] = TRUE;

You have done it. To verify your CI's hooking is working, put any XSS or SQL injection string in any input field of your web form. You should get a alert box by now.

Cheers!
Signing off...

Introduction to PDF Exploits

2009-10-28T14:55:00.016+08:00

Before we look into PDF Exploits, we should see the basic structure of a typical PDF document. I spent quite some time to really deep into this. Basically the PDF document consists of four important parts which are the header, body, cross-reference tables (XREF tables) and also trailers.

Header are the placeholder for the document's information. The body consists of stream of objects which are actually forms the visible objects on the PDF document. They are the forms, buttons, etc. on the document. The XREF tables contain an object reference and byte offset in the body stream which provide access to the objects without the need to read the entire file. And, trailer provides the means for locating the XREF table, document root catalog dictionary, and other objects. That's the basic explanation for those elements.

What are the streams? They are objects which consist of a sequence of bytes. These bytes are the text/binary data like embedded images or any other media objects in the document. The interesting part is they can be compressed or encoded! There are several types of encoding algorithm such as

FlateDecode
ASCIIHexDecode
ASCII85Decode
LZWDecode
RunLengthDecode
CCITTFaxDecode
JBIG2Decode
DCDTDecode
, etc.

Those are the filters that the malware writers will use to conceal their payloads inside the innocent PDF. These encoding algorithms also can be combined. Most of the malware writers embed shell codes inside the PDF's stream objects so that they are more difficult to be detected by antivirus.

What we could see is just some raw bytes inside the streams. Flash objects also can be embedded inside the PDF documents.

So if one day you suddenly receive a PDF, don't simply open it. Scan with antivirus before opening it. Alternatively, you can use Foxit PDF Reader to view the PDF as most of the PDF exploits are targeting Adobe PDF Reader's users.

My PGP Key

2009-10-27T14:55:00.000+08:00

My new PGP public key is:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.12 (MingW32)

mQGiBEql74cRBACAPQRa7j2XpY7tMgYWDOTymkyZlfwkymLBxepsSM3F+PCXVf3A
bVhD0ACCHgs9kwYBzmIm/8fL12BPRYiG4z1Gq/b2fXFnJzl+UTuKDVjyV3rgaEcE
M42698stVC7VwP/ncNHzw3NfIKRsMbP2idwn962mCBu9vj7j8Gs8IjAUxwCg8ImD
frVkfbkmdF1ZAH7n2q4nLf0D/3QfUpufTZRIISul9en5jgYAR//z88HqrhGiMB+6
6N5X/hZ0UqDolgdQ2wR0rXkhmwJLBpw9mTj6jTThquunhPsPvMvwNlKzzpvV+low
Row3sVeg88xRle7xvc89fQZs1rQq/pE0IghDkxdjY9bfPsbcrFaLA8+Ns9d/borp
L8j7A/0X6otgqcdq1W7TW+vQRi+96LgPZA0EVVyj+FXj1KOB9A+K8gkzQx4ovDIe
4Jar17XATgQ63uJeGPL0hiv+8M1atykaldBYU28f22XAE9T+s6ozGjgROtE3QD7Z
M1ZoVI6cC7BV7c0oQAD8CTQSyqjk1CBN+vYZx+C5J8Kx8/rnEbQvTWljaGFlbCBM
aW0gQ2hvb24gSG9uZyA8bGltY2hvb25ob25nQGdtYWlsLmNvbT6IYgQTEQIAIgUC
SqXvhwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ/hP28ml1enwTEgCg
smVLqYUx0T8EIqHc17t47nF9WHUAn238MnX062e6wZfUBisf6noYPcV7uQENBEql
74cQBACifHv76a3bM8WJdYAI9Qhl1kxSB3FPkRfkYFDOsp1GsRE0hul5gjf34230
LKCA7DAlcUGLAg5JGFFxySPufd3w2QMNU42+8w2QVjRWmyGyDBnim+6x4ShcfDHF
GWn8JoXjrgAEzHhBUjh9KV3vSxjcnxah3kXyGDzboaw6f8WY6wADBQP/YH2zXkjI
xJ5gCw36NV8PQCuVq7vo+BNf0dLVUEek5d2EKZNuDhNEK17tgwBM1AwIaRP7aG4o
Rhds1NAIy4f5P//UXJpqFIX2eHNgPA6+LOx18Nnne+GnGMCNl0Jl/NQ9z/y8n60j
sxYUvBOpq+3pKCtOpYbbq7mSkyDSErv1iDeISQQYEQIACQUCSqXvhwIbDAAKCRD+
E/byaXV6fJSCAJ4kuMVTHKiUljFC1nVBM0cDFWoMVQCeIb7+6pKdY5DdmvtGY9+K
+rF0UII=
=t6qa
-----END PGP PUBLIC KEY BLOCK-----