Which order for IDS and sanitizing/input filtering?

Hello,

I have the following procedure in my HttpRequest class and I’m wondering if this is a good approach.

  1. $_REQUEST is unset.
  2. phpIDS is run, and if an attack is detected, the application exits.
  3. If no attack is detected, the access to $_GET, $_POST and $_COOKIES is abstracted.
    So $_GET is reassigned to $parametersGET and accessible via getParameterFromGet().
    Same for the others.

When do I have to sanitize?
Which library to take? htmlawed, htmlpurifier?
There is also a common method named removeXSS() around.
Does it make any sense to apply removeXSS() before phpIDS is run?
Do you handle such security stuff in your request class?

Regards, v

You sanitize the $_GET, $_POST and $_COOKIES values immediately after you extract them from those arrays and before saving them anywhere else, so $parametersGET etc. should contain the sanitized data.

Get rid of PHPIDS and get a real IPS (Intrusion Prevention System). An IDS or IPS should be alongside a hardware firewall. It’s pointless having one on the web server, and one run in PHP no less. Need to catch this stuff before it gets to the web server, not after.

OK, I’m sanitizing and then IDS is run.
$parametersGET = sanitizeArray($_GET);

Is it a good practice to unset $_GET and $_POST and only work with the abstracted arrays?

@logic earth
Yes, that makes sense. For performance reasons too.
If you write it like that, my next question is very foreseeable.
I think that you are not referring to something like Apache’s mod_security.
Which system is a real IPS? Which products and setup do you use?

What I see is that not even professional web service providers have such an IDS/IPS for their consumers…

Isn’t this moving my responsibility of ensuring that my application is safe against XSS to the user?
I could say: Hey, I’ve not secured this application, because one should use a real IPS.
So if you suffer from injections, it’s not a flaw of my app, it’s a flaw of your environment…

Regards, v

I have a hardware IPS that sits in line with my hardware firewall. The internet connection goes through both of these before it gets onto the network.

Isn’t this moving my responsibility of ensuring that my application is safe against XSS to the user? … So if you suffer from injections, it’s not a flaw of my app, it’s a flaw of your environment…
No, you don’t move responsibility at all. The problem is, you are using this PHPIDS thing as blanket security. You do not understand what it is doing or how it does it. You are just throwing it in and hoping it makes your application secure.

Instead you should be understanding the attack vectors that can be used and where against your application. Then secure those pieces accordingly. Trying to throw a blanket over everything is extremely inefficient, prone to errors, hard to track bugs, and less understanding of the application and its threats.

Not everything is an attack vector for XSS, not everything is an attack vector for SQL Injection. And so on.

The problem is, you are using this PHPIDS thing as blanket security. You do not understand what it is doing or how it does it. You are just throwing it in and hoping it makes your application secure.
I believe that my application is installed into a non-secured environment.
And I’m using phpIDS as a reporting tool for the admin, to inform him about that circumstance.
When phpIDS reports an attack, it means that the environment is not secured.
That’s the main message.

phpIDS is a tool for front-door checks on incoming data. It’s a scanning tool.
There is no sanitizing, nothing. If the user has a hardware IPS he might even disable phpIDS.
For the majority of SQL/XSS attack vectors it’s a good, but not perfect, solution.
And I think it’s rare to find a fully-fledged XSS attack not detected by it.

It’s not about blanket security… Look at “magic_quotes”: that whole concept failed and is removed, because it’s not possible to secure globally and without knowledge of the context of the usage of the incoming data.

Instead you should be understanding the attack vectors that can be used and where against your application. Then secure those pieces accordingly.
Please elaborate a bit more on the attack vectors which I have to understand… Which pieces need to be secured accordingly?

Regards, v
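The following is an added example, not code posted in this thread. It takes the first post’s procedure (copy the superglobals into an HttpRequest object, then drop them) and applies the later point about magic_quotes: input is kept raw, each field is validated against what the caller expects, and escaping is done at the output sink, so there is no context-blind sanitizeArray() or removeXSS() step. The class name and getParameterFromGet() come from the thread; every other name is an assumption, and the request data is constructed for the demo.

```php
<?php
// Added example, not code from the thread: an HttpRequest wrapper following the
// first post's procedure. Input is kept raw and validated per field on read;
// escaping happens where a value is used, since no blanket sanitizeArray() can
// know the output context. Names other than getParameterFromGet are assumptions.
final class HttpRequest
{
    private function __construct(private array $get, private array $post, private array $cookie) {}
    /** Copy the superglobals, then blank them so only this object exposes input. */
    public static function fromGlobals(): self
    {
        $req = new self($_GET, $_POST, $_COOKIE);
        $_GET = $_POST = $_COOKIE = $_REQUEST = [];
        return $req;
    }
    /** Raw scalar value; callers must escape it for their own output context. */
    public function getParameterFromGet(string $name): ?string
    {
        $v = $this->get[$name] ?? null;
        return is_string($v) ? $v : null; // array-valued keys (?a[]=1) are rejected
    }
    /** Integer within [$min, $max]; anything else is rejected, not "cleaned". */
    public function getIntFromGet(string $name, int $min, int $max): ?int
    {
        $v = filter_var($this->getParameterFromGet($name), FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        return $v === false ? null : $v;
    }
    /** Value matching an allow-list regex (a slug, a sort column name), else null. */
    public function getPatternFromGet(string $name, string $pattern): ?string
    {
        $v = $this->getParameterFromGet($name);
        return ($v !== null && preg_match($pattern, $v) === 1) ? $v : null;
    }
}

/** Escaping for one specific sink: HTML text and quoted attribute values. */
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed request standing in for a real query string.
$_GET = ['id' => '42', 'page' => 'about-us', 'comment' => '<b>hi</b> <script>alert(1)</script>'];
$req = HttpRequest::fromGlobals();
// 'id' must be a positive integer and 'page' a slug; a value that does not fit is rejected, not coerced.
var_dump($req->getIntFromGet('id', 1, PHP_INT_MAX), $req->getPatternFromGet('page', '/^[a-z0-9-]{1,40}$/'));
// Free text stays unchanged in storage (bind it as a prepared-statement parameter) and is escaped only when rendered.
echo '<p>' . escapeHtml($req->getParameterFromGet('comment') ?? '') . "</p>\n";
```

Running this under PHP 8 shows the validated id and slug, and the comment rendered with its markup escaped; a value used in another sink (a SQL query, a URL, a shell argument) needs that sink’s own encoding or parameter binding, which is exactly what a single global filter cannot provide.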