ansaurus

Question

Detecting exploits in web applications and how to proceed

Answer 1

+1 A:

just use strip_tags() on all $_REQUEST and $_COOKIE vars to take care of code showing up in these vars, as for SQL you would have to maybe write up a query-like regex or something, but this shouldnt be an issue as you should always mysql_real_escape_string($str) all variables in your queries. try something like this though.

function look_for_code_and_mail_admin($str) {
    $allowed_tags = "<a>,<br>,<p>";
    if($str != strip_tags($str, $allowed_tags)) {
        $send_email_to = "[email protected]";
        $subject = "some subject";
        $body = "email body";
        mail($send_email_to,$subject,$body);   
    }
    return($str);
}

seventeen 2010-02-08 21:48:25

I know how to protect my application from exploits, I just want to catch any users who try to intentionally break it and cause harm. Considering how many different kinds of exploits there are I don't think a single regex will do the job.

TheMagician 2010-02-08 21:52:55

Using escaping to defend against SQL injection is really the wrong way; parameterized queries (i.e. the mysqli functions/classes is much safer

Michael Borgwardt 2010-02-08 21:53:39

you're right they're both tough to call, especially sql injection. Even the function I just offered would turn up positive if someone put in a < b> tag and didn't know it wasn't allowed.

seventeen 2010-02-08 21:55:41

Answer 2

+1 A:

Your question is twofold and I'll answer the second part.

Log everything but do not ban or display any message. It will be embarrassing in case of a false positive. As a general rule, try to build an application that can deal with any sort of user input without a problem.

cherouvim 2010-02-08 21:49:01

Answer 3

A:

Seems like too much work with the email bit and everything to me. Aside from that, I like to run around on sites I commonly use and try to find injectable points so I can warn the administrator about it. Would you IP ban me for that?

I suggest hunting down the exploitable parts yourself and sanitizing where necessary. Acunetix has a very very good program for that. If you don't feel like shelling out the giant price for Acunetix, there are some very good firefox addons called XSS Me and SQL Inject me you might want to look into.

Rob 2010-02-08 21:50:02

How could I distinguish you from a user who is trying to hack into the application and steal every user's information? If I notice someone running exploits in my application I want to stop that user from proceeding if he eventually happens to succeed.

TheMagician 2010-02-08 21:57:25

Well, thats the thing, you can't distinguish from me and a malicious user. You also wouldn't be able to distinguish from a malicious user and a normal user just accidentally typing the wrong thing. You'd need to set something so that if they did it more than once or twice, or even five times, THEN it activates the anti-exploit. So I guess if you're really worried about it, then you'd need to set the thing in place, but I still suggest just hunting down the exploits and sanitizing it yourself.

Rob 2010-02-08 22:01:45

-1 If you are using secure programming methodologies, you don't need the false security that is Acuntex.

Longpoke 2010-04-22 18:29:28

Answer 4

+2 A:

Three things come to mind:

defensive coding, sanitize all input, prepare sql statements and use Suhosin
increase security of your site by breaking into it with a vulnerability scanner
log hacking attemtps with an Intrusion Detection System

If you feel a full fledged IDS is too much, try PHP IDS, as it does pretty much what you are asking for out of the box. Note that detecting intrusions at the PHP level might already be too late though to prevent an attack.

In case of a successful intrusion, I guess your best bet is taking the server offline and see what damage was done. You might have to consider hiring someone to do a forensic analysis of the machine in case you need to collect legally usable evidence.

If you feel you need to react to unsuccessful intrusion attempts and got the malicious user's IP, find out the ISP and inform him with as much details of the intrusion attempt as possible. Most ISPs have an abuse contact for these cases.

Gordon 2010-02-08 22:03:04

Answer 5

A:

Um, I can't remember the last time I've seen a site that tries to log SQL injection attacks that I wasn't able to penetrate..

You don't need to worry about weather someone is attacking the site, as it is subjective at best as to weather something is an attack or not. What if the site base64 encodes some values and decodes them before it uses it? Your IDS is not going to catch that. What if a user wants to post a snippet of code, it gets detected as an exploit because it contains SQL? This is such a waste of time... If you really need to know if someone's attacking you, just install some IDS on a seperate machine with readonly access to the incoming traffic.. I say seperate machine, because many IDS are vulnerable themselves, and will only make the situation worse.

Use standard secure programming methodologies, use paramaterized SQL queries or an ORM.

Longpoke 2010-04-22 18:28:06

ansaurus

tags:

views:

answers:

Detecting exploits in web applications and how to proceed

related questions