PHPIDS
Developer(s) | Mario Heiderich, Christian Matthies, Lars H. Strojny |
---|---|
Stable release | 0.7[1] / August 26, 2011 |
Development status | Active |
Written in | PHP |
Operating system | Cross-platform |
License | LGPL |
Website | http://phpids.org/ |
PHPIDS (PHP Intrusion Detection System) is an open source PHP Web Application Intrusion Detection System. It was written by Mario Heiderich, Christian Matthies, Lars H. Strojny and several others in March 2007. It was then ported into other frameworks later on,[2][3][4][5][6] and distributed under the LGPL License.
Goal
The main goal is to give every PHP programmer the ability of finding intrusion data coming from client to php web application. Speed up PHP application development by reducing the amount of time and money needed to spend on application security.
Features
PHPIDS detects Cross-site scripting (XSS), SQL injection, header injection, Directory traversal, Remote File Execution, Local File Inclusion, Denial of Service (DoS). It is simple to use and well structured. It provides impact of every attack by analyzing any chosen input variables as POST, GET, SESSION, COOKIE.
Forks to other Software
PHPIDS module adds a security layer for Drupal [7]
Mute Screamer - is a WordPress plugin based on PHPIDS [8]
PHPIDS Extension for MediaWiki developed [9]
ZIDS - PHPIDS module developed to add extra security to Zend Framework Applications [10]
px_phpids - an extension developed for Typo3 based on PHPIDS [11]
dotnetids - a similar project as PHPIDS to secure ASP.NET Applications written in vb.net [12]
ModSecurity is a web application layer firewall uses the PHPIDS default filter rules in their packages.[13]
Criticism
PHPIDS tries to apply several regular expressions to detect known bad. By doing so, it basically applies the blacklist approach, combined with efforts to detect unknown patterns by applying heuristics. Any blacklist approach can be criticised to fail detecting currently unknown bad, and this approach requires the administrator of any application to constantly update this library to stay current with new attack vectors.
Furthermore, using PHPIDS as the primary means of application security will lead developers into wrongly assume their product is safe, which might not be correct. Additionally, the output of a PHPIDS check is not a binary value, but rather some integer value of unclear significance, which has to be evaluated by the developer, and then apply appropriate steps in the context of the application. The positive side of this method is that the developer has to think about which level of attack value he thinks is appropriate, but on the other hand any single attack, even with low impact value, might help compromise the applications security.
A better approach would be to apply secure programming tactics independent of any IDS system and create a secure application. Adding PHPIDS on top of that might enable the application to detect malicious users, possibly tagging them as being evil, and alert the administrator or log any attacks detected for later review. These steps have to be added by the application developers themselves, as PHPIDS does not offer such features.
Detecting possible attacks via regular expressions has a slight performance penalty on the application.[14]
See also
References
- ↑ https://phpids.org/2011/08/26/phpids-0-7-%E2%80%9Dsummer-breeze%E2%80%9D-is-out/
- ↑ "Zend Framework Intruder Detection System". Retrieved 2011-02-20.
- ↑ "MediaWiki Extension". Retrieved 2011-02-20.
- ↑ "TYPO3 Security / Intrusion Detection System". Retrieved 2011-02-20.
- ↑ "Mute Screamer - PHPIDS for WordPress". Retrieved 2011-02-20.
- ↑ "dotnetids - Intrusion detection system for .NET based on phpids". Retrieved 2011-02-20.
- ↑ "PHPIDS module for drupal". Retrieved 2011-02-20.
- ↑ "Mute Screamer - PHPIDS for WordPress". Retrieved 2011-02-20.
- ↑ "MediaWiki Extension". Retrieved 2011-02-20.
- ↑ "Zend Framework Intruder Detection System". Retrieved 2011-02-20.
- ↑ "TYPO3 Security / Intrusion Detection System". Retrieved 2011-02-20.
- ↑ "dotnetids - Intrusion detection system for .NET based on phpids". Retrieved 2011-02-20.
- ↑ "ModSecurity Core Rule Set (CRS) <-> PHPIDS Smoketest". Retrieved 2011-03-06.
- ↑ "PHPIDS - Monitoring attack surface activity". Retrieved 2011-02-20.