All geek questions in one place

Detecting exploits in web applications and how to continue them

What are the ways to detect exploits in PHP / MySQL web applications (checking certain characters or code fragments in GET, POST, COOKIE / arrays using a library with a database that has all the templates for common exploits, if any exist)? and how should I act when it is discovered?

For example, if someone tried to find the SQL injection in my PHP / MySQL web application using the GET request method, should I store the action performed by the user in the database, ask the application to send me an email, IP forbids the user and displays him message “Sorry, but we detected a malicious action on your account that will be considered. Your account has been disabled and some functions may be disabled from your IP address. If this is a mistake, please email us with E details. "

Thanks.

+4
source share
5 answers

Three things come to mind:

If you feel that a full-fledged IDS is too large, try PHP IDS , as this is pretty much what you are asking for out of the box. Note that intrusion detection at the PHP level may be too late to prevent an attack.

In the event of a successful invasion, I believe your best bet is to shut down the server and see what damage has been done. You may need to consider hiring someone to conduct a forensic examination of the machine if you need to collect legally valid evidence.

If you feel that you need to respond to unsuccessful intrusion attempts and obtain a malicious IP address of the user, find out the Internet provider and tell him as much details as possible about the intrusion attempt. Most Internet service providers have abuse contact for these cases.

+2
source

just use strip_tags () for all $ _REQUEST and $ _COOKIE vars to take care of the code appearing in these vars, since for SQL you would need to write a query-like regular expression or something like that, but it shouldn't to be as always you should mysql_real_escape_string ($ str) of all the variables in your queries. try something like this.

function look_for_code_and_mail_admin($str) { $allowed_tags = "<a>,<br>,<p>"; if($str != strip_tags($str, $allowed_tags)) { $send_email_to = " some@bodys.email "; $subject = "some subject"; $body = "email body"; mail($send_email_to,$subject,$body); } return($str); }
+1
source

Your question is twofold, and I will answer the second part.

Record everything, but do not ban or display any messages. It will be embarrassing in case of false positive. Generally, try to create an application that can work with any input user without problems.

+1
source

Um, I don’t remember the last time I saw a site trying to log SQL injection attacks that I couldn’t infiltrate.

You do not need to worry about the weather when someone attacks the site, because at best it is subjective, because the weather is an attack or not. What if a base64 site encodes some values ​​and decodes them before it uses it? Your IDS will not catch it. What if a user wants to publish a piece of code, it is detected as an exploit because it contains SQL? It's such a waste of time ... If you really need to know if someone has attacked you, just install some IDS on a separate machine with read-only access to incoming traffic. I am talking about a separate machine, because many IDS themselves are vulnerable, and only worsen the situation.

Use standard secure programming methodologies; use programmed SQL queries or ORM.

0
source

It seems too much work with the email bit and that's it for me. In addition, I like to run around the sites that I usually use, and try to find injection points so that I can warn the administrator about this. Would you ban me an IP for this?

I propose to hunt for exploited parts on their own and to disinfect where necessary. Acunetix has a very good program for this. If you don't like pounding the gigantic price for Acunetix, there are some very good Firefox add-ons called XSS Me and SQL Inject me that you might want to explore.

-1
source

Source: https://habr.com/ru/post/1300679/

More articles:


All Articles