JSON option on false positives
pinhole - June 11, 2009 - 20:54
| Project: | PHPIDS |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Gos77 |
| Status: | closed |
Description
Hello,
I sometimes notice many false positives related to the jQuery.extend code of the page on my site.
For example: { "block-user-1": 1, "block-user-0": 1 } will cause it.
.mario at php-ids.org suggested making use of the JSON options in the config to prevent such false positives. Are you aware of this issue? Any plans related to modules using JSON?
Thanks.

#1
Hello pinhole,
please check out the latest dev snapshot from tonight and give me feedback. I've added options to add HTML-included, JSON-included and completely excluded fields under admin -> settings -> logging -> phpids => filter settings.
Fields can be added comma-separated (example: body, comment, ...). The given fields are parsed into an array and passed to the PHPIDS package.
greetz Gos77
#2
Thanks Gos77. I'll run tests and let you know the results somewhat later...
#3
Hello Gos77,
I ran a lot of tests with the new fields, but I can't get the false positives reduced. I guess it has to do with the jQuery.extend part of the page. Mainly, parts like { "block-user-1": 1, "block-user-0": 1 } or { "block-user-3": 1, "comments": 1, "block-user-1": 1 } cause a false positive on nearly every page view. I tried it with all the field names mentioned (for example block-user-1, block-user, div.block-user), and also with body or head in the excluded fields. Nothing helps. Any ideas?
Thanks.
#4
Hello pinhole,
is block-user-1 the name of one of your form input fields? In the settings fields you can enter the names of your form input fields, like body, comment, message, etc. I think you are using the wrong form field names. Or you have to use POST.body or REQUEST.body, for example.
Could you post a complete example URL which causes a false positive?
Greetz Gos77
#5
Hello Gos77,
An example is:
Type: phpids
Date: Monday, 15 June 2009 - 9:49
User: Anonymous
Location: http://for-example.com/drupal/?q=de
Referrer: http://for-example.com/drupal/?q=de
Message: Total impact: 20
All tags: sqli, id, lfi, xss, csrf, rfe
Variable: collapsiblock | Value: { "block-user-3": 1, "comments": 1, "block-user-1": 1 }
Impact: 20 | Tags: sqli, id, lfi, xss, csrf, rfe
Description: Detects classic SQL injection probings 2/2
Tags: sqli, id, lfi
Description: Detects basic SQL authentication bypass attempts 2/3
Tags: sqli, id, lfi
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection
Tags: xss, csrf, id, rfe, lfi
But I doubt it has to do with form input by users/guests. I guess it has to do with jQuery code! Today I removed some modules using jQuery/JSON, like Views Accordion, View Cycle and Views Slideshow, and the false positives are nearly gone! The remaining false positives are explainable so far. Maybe parts of the Views module itself?
Regarding the form field names to use, I'm still confused. I would appreciate a good example.
Thanks.
#6
Hello pinhole,
here is an example with the "add new comment" form. By default it has two input fields, "subject" and "comment", defined by the HTML attribute name.
<div class="form-item" id="edit-subject-wrapper">
<label for="edit-subject">Subject: </label><input type="text" maxlength="64" name="subject" id="edit-subject" size="60" value="" class="form-text" />
</div>
<div class="form-item" id="edit-comment-wrapper">
<label for="edit-comment">Comment: <span class="form-required" title="This field is required.">*</span></label>
<textarea cols="60" rows="15" name="comment" id="edit-comment" class="form-textarea resizable required"></textarea>
</div>
To tell PHPIDS that these two form fields may contain HTML code, add the following in the HTML fields of the PHPIDS settings:
subject, comment
For your example you can try out "collapsiblock" in the JSON fields under the PHPIDS settings.
I hope this explains it a little bit more.
greetz Gos77
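As an added illustration (not code from the PHPIDS Drupal module or from the PHPIDS project itself), the stand-alone PHP script below shows what the three settings discussed in this thread translate to at the PHPIDS API level: a comma-separated field list is turned into an array and assigned to the html, json and exceptions lists of the PHPIDS configuration, and the monitor is then run against a constructed request carrying the collapsiblock cookie from the log entry above. The IDS library path, the Config.ini.php location, the phpids_field_list() helper and the sample setting values (including the excluded __utm* cookies) are assumptions made for this example; the API calls (IDS_Init::init, IDS_Monitor, IDS_Report, IDS_Event) are those of PHPIDS 0.6, which is the first release that understands the html[] and json[] lists.

```php
<?php
// Added example: wiring field lists into PHPIDS 0.6. Not the Drupal module's own code.
// Assumes the PHPIDS library is unpacked so that IDS/Init.php is on the include path.
require_once 'IDS/Init.php';

/**
 * Hypothetical helper: turn a setting such as "subject, comment" into a clean array.
 * PHPIDS matches these names against the parameter names it iterates over. With a flat
 * request array (as below) the name is just the key, e.g. "collapsiblock"; if the request
 * is passed nested by source, array('COOKIE' => $_COOKIE, ...), PHPIDS names the parameter
 * "COOKIE.collapsiblock", which is where the POST.body / REQUEST.body forms in this thread come from.
 */
function phpids_field_list($setting) {
  $fields = array_map('trim', explode(',', $setting));
  return array_values(array_filter($fields, 'strlen'));
}

// Constructed setting values, as an administrator would type them into the module's form.
$html_setting    = 'subject, comment';   // fields allowed to contain markup
$json_setting    = 'collapsiblock';      // fields that carry a JSON document
$exclude_setting = '__utma, __utmz';     // constructed: fields skipped entirely

$init = IDS_Init::init(dirname(__FILE__) . '/IDS/Config/Config.ini.php');  // path is an assumption
$init->config['General']['base_path']     = dirname(__FILE__) . '/IDS/';
$init->config['General']['use_base_path'] = true;
$init->config['Caching']['caching']       = 'none';

// html[]:       PHPIDS strips a whitelist of tags before applying the rules.
// json[]:       PHPIDS decodes the JSON and checks the decoded keys and values
//               individually instead of the raw serialized string; the raw form
//               { "block-user-3": 1, ... } is what trips the SQL injection rules.
// exceptions[]: the parameter is not scanned at all.
$init->config['General']['html']       = phpids_field_list($html_setting);
$init->config['General']['json']       = phpids_field_list($json_setting);
$init->config['General']['exceptions'] = phpids_field_list($exclude_setting);

// Constructed request mirroring the log entry above (flat, like $_REQUEST).
$request = array(
  'q'             => 'de',
  'collapsiblock' => '{ "block-user-3": 1, "comments": 1, "block-user-1": 1 }',
  '__utma'        => '1.2.3.4',   // constructed cookie value, excluded via exceptions[]
);

$ids    = new IDS_Monitor($request, $init);
$result = $ids->run();

if ($result->isEmpty()) {
  echo "No event: collapsiblock was decoded as JSON and nothing else matched.\n";
} else {
  // The same pieces the module writes to watchdog: variable, value, impact, tags, rules.
  echo 'Total impact: ' . $result->getImpact() . "\n";
  echo 'All tags: ' . implode(', ', $result->getTags()) . "\n";
  foreach ($result as $event) {
    echo 'Variable: ' . $event->getName() . ' | Value: ' . $event->getValue() . "\n";
    echo 'Impact: ' . $event->getImpact() . ' | Tags: ' . implode(', ', $event->getTags()) . "\n";
    foreach ($event as $filter) {
      echo 'Description: ' . $filter->getDescription() . "\n";
      echo 'Tags: ' . implode(', ', $filter->getTags()) . "\n";
    }
  }
}
```

To reproduce the false positive from the log entry, run the script once with $json_setting empty and once with 'collapsiblock' in it: the first run reports the cookie value, the second does not. The trade-off to keep in mind is that the json list only changes how the value is parsed, while the exceptions list removes the field from scanning altogether, so an attacker who can set that field gets a free pass; prefer the json list for cookies a script on the page builds itself, and reserve exceptions for fields whose content the application never interprets.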
#7
Hello Gos77,
This explanation helps! I put collapsiblock in the JSON field and since then I have had no further false positives of this sort :)
A look into collapsiblock.js shows me that this module builds the JSON string that is stored as a cookie. So the new fields are necessary to have, since visitors have the cookie stored until it expires and it will cause false positives on each visit/page view.
THANKS a lot for your support!!!
Greetings from Hamburg.
#8
HTML and JSON options have been integrated since 6.x-1.9.