I was checking the Planet WebSec feed this morning (BTW, Christ1an must have something personal against me, as he told me he was about to add my blog one month ago…)

Latest post was this “So you think you’re a hacker?” by Gareth Heyes, which in turn tracked back to this “7 minutes to kill a monster” by my friend Eduardo Vela, AKA Sirdarckcat.

Both were about a sort of (un?)official challenge to find XSS vectors capable of bypassing the famous PHPIDS tool, a game both Sirdarckcat and I already found quite funny at the beginning of last July and which, according to Mario Heiderich, helped him harden his PHPIDS filters.

At any rate, Sirdarckcat’s post ended like this:

I’m sure that Gareth Heyes, and Giorgio Maone will be the next to find some vectors

Wow, so there’s a party and sounds like I’m officially invited ;)

OK, let’s bring in some beer:

  1. a=eval,b=(name);a(b)
  2. a=open,b=(name);a(b)
  3. a=setTimeout,b=(name);a(b)

Notice that — quite obviously — you will need to disable NoScript (or at least disable its anti-XSS protection and allow both hackademix.org and php-ids.org), if you want to get some joy from the links above.
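To show, from the filter's side, why the three vectors above get through, here is an added example (mine, not part of the original post and not PHPIDS's actual rule set): a constructed keyword rule that only fires when a dangerous sink is immediately called, next to a token-level check that flags any bare reference to a sink, so that aliasing `eval` into `a` no longer hides it. The `window.name` source is reported separately. The sample payloads are the three from the post plus a few constructed ones.

```javascript
// Added example (not from the original post). Compares a naive "sink followed by
// a call paren" rule with a token-level check that also catches sink aliasing.
// The NAIVE regex is a constructed illustration, not PHPIDS's real rule set.

// Constructed sample payloads: the three vectors from the post plus controls.
const SAMPLES = [
  "a=eval,b=(name);a(b)",        // vector 1 from the post
  "a=open,b=(name);a(b)",        // vector 2 from the post
  "a=setTimeout,b=(name);a(b)",  // vector 3 from the post
  "eval(name)",                  // constructed: direct call, easy to catch
  "x = 1 + 2",                   // constructed: benign
];

// Naive rule: a sink name directly followed by "(".
// It misses "a=eval," because the call happens through the alias "a".
const NAIVE = /\b(eval|open|setTimeout|setInterval|Function)\s*\(/;

// Sinks whose mere mention in untrusted input is worth flagging.
const SINKS = new Set(["eval", "open", "setTimeout", "setInterval", "Function"]);

// Split the payload into identifier tokens; punctuation between them is irrelevant
// for the purpose of spotting an alias assignment like "a=eval".
function tokenize(payload) {
  return payload.match(/[A-Za-z_$][\w$]*/g) || [];
}

function naiveFlags(payload) {
  return NAIVE.test(payload);
}

// Token-level analysis: any reference to a sink identifier is flagged, whether it
// is called, assigned, or passed around. A reference to "name" (window.name) is
// reported as the likely payload source but is not flagged on its own.
function analyze(payload) {
  const tokens = tokenize(payload);
  const sinks = [...new Set(tokens.filter((t) => SINKS.has(t)))];
  return {
    naive: naiveFlags(payload),
    sinks,
    usesWindowName: tokens.includes("name"),
    flagged: sinks.length > 0,
  };
}

// Side-by-side report for all samples (returned, so it can be inspected or printed).
function report(samples = SAMPLES) {
  return samples.map((p) => ({ payload: p, ...analyze(p) }));
}

console.table(report());
```

The token check trades precision for recall: a benign string such as a sentence containing the word "open" would also be flagged, which is why a real filter scores several weak signals together rather than deciding on any one of them.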

Cheers :)

8 Responses to “PHPIDS Threesome”

  1. #1 Gareth Heyes says:

    Nice!

    The biggest compliment I can pay you and Sirdarkcat is that I won’t enable javascript looking at your sites LOL.

    I was also wondering why your site wasn’t included in the Planet Web Security. Come on Christ1an, you know he deserves to be on there.

  2. #2 christ1an says:

    Thanks for your feedback. I have absolutely no clue why these vectors slip through our rules as I’ve tried it before about 2 million times the same way. Consider them fixed. ;)

    Ah and, be sure I don’t have anything against you. It’s just that I tend to forget about such things. You’re added now but I’ll release a new version of the planet next weekend anyway.

    Hey could you provide a feed that contains the full text of your entries?

  3. #3 .mario says:

    Fixed, fixed and fixed!

    I guess Christian just forgot - no offense intended at all. BTW - he just added your blog as far as I can see ;)

    Greetings’n'thx!

  4. #4 Giorgio says:

    @Gareth Heyes:
    thanks, that’s why I didn’t post comments on your blog anymore — not that a GreaseMonkey script couldn’t do the trick, but enabling JS just to post a comment is against my faith ;)

    @christ1an:
    thanks for the addition, I changed the feed to “full content” — no big deal now, since I enabled both transparent gzip compression and caching for all the blog content…

    @.mario:
    Thanks for the challenge. Let me know when you’re ready for SQL Injections!

  5. #5 sirdarckcat says:

    is it just me, or is sla.ckers a little forgotten?
    now we post on each other’s blogs xD
    I was wondering why today I got some referrers from planet-websecurity.org, and (I thought I was added to the feed, but.. no hehe) well.. the PHPIDS hacking (un?)official contest is on (again).

    As ma1 said, the SQL Injection filters are a little forgotten, but we should have a sandbox to test (as the script tags in php-ids), any way..

    Greetz!!

    PS. the window.name trick rules xD

  6. #6 .mario says:

    @Giorgio: Will do!

    @SirDarckCat: Yep - you’re right. I’ve been switching between three blogs during fixing the rules and doing some daily business ;)

    An SQL Injection sandbox is pretty hard to build but I will see what I can do this weekend. It will most probably be built on my server and not on the PHPIDS box. The only problem that remains is that there can only be a limited number of DBMS, which makes the results pretty unsharp.

  7. #7 sirdarckcat says:

    mario:
    you can use http://free-mysql.bizhostnet.com/ — maybe add a table with a username and password xD
    I think that mysql is more than enough :P

    Greetz!!

  8. #8 .mario says:

    Thanks for the info SirDarckCat! I will put this link into the Google Group this weekend to discuss this option with the team..

    Greetings,
    .mario
