PHPIDS – Security Layer & Intrusion Detection for PHP Based Web Applications


Another layer of protection for those building websites and web applications. As it’s the most common attack vector nowadays, I think it’s important to be extra safe on this front.

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input; it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules, any attack is given a numerical impact rating, which makes it easy to decide what kind of action should follow the hacking attempt.

This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.

PHPIDS enables you to see who’s attacking your site and how, all without the tedious trawling of logfiles or searching hacker forums for your domain. Last but not least it’s licensed under the LGPL!

It’s a fairly mature product with some good documentation (docs are here) and it’s easy to programmatically grab the latest version of the filter rules (it’s just an XML file).
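To make the impact-rating idea concrete, here is an added sketch (not PHPIDS code and not its API) of the flow described above: load regex rules with an impact value from an XML file, sum the impact of every rule a request parameter matches, and pick a reaction by threshold. The XML layout, the three rules, the thresholds and the function names are all assumptions constructed for this example.

```php
<?php
// Added example. Rule file layout, rules and thresholds are constructed, not PHPIDS's own.
$rulesXml = <<<'XML'
<filters>
  <filter><id>1</id><rule><![CDATA[<\s*script\b]]></rule><description>script tag</description><impact>4</impact></filter>
  <filter><id>2</id><rule><![CDATA[\bunion\b.+\bselect\b]]></rule><description>SQL UNION SELECT</description><impact>6</impact></filter>
  <filter><id>3</id><rule><![CDATA[\.\./]]></rule><description>directory traversal</description><impact>5</impact></filter>
</filters>
XML;

// Parse the rule file. LIBXML_NONET keeps the parser off the network, which
// matters when the rule file is fetched automatically from elsewhere.
function loadRules(string $xml): array {
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
    if ($doc === false) {
        throw new RuntimeException('rule file is not well-formed XML');
    }
    $rules = [];
    foreach ($doc->filter as $f) {
        $rules[] = ['id' => (int)$f->id, 'impact' => (int)$f->impact,
                    'desc' => (string)$f->description,
                    'regex' => '~' . str_replace('~', '\~', (string)$f->rule) . '~is'];
    }
    return $rules;
}

// Score a request: input is only inspected, never stripped or rewritten.
function scoreRequest(array $params, array $rules): array {
    $total = 0;
    $hits = [];
    foreach ($params as $name => $value) {
        foreach ($rules as $r) {
            if (preg_match($r['regex'], (string)$value) === 1) {
                $total += $r['impact'];
                $hits[] = "$name matched rule {$r['id']} ({$r['desc']})";
            }
        }
    }
    return [$total, $hits];
}

// Map the summed impact to a reaction (thresholds are hypothetical).
function chooseAction(int $impact): string {
    if ($impact >= 10) return 'end session and mail the team';
    if ($impact >= 5)  return 'log and show a warning';
    return $impact > 0 ? 'log only' : 'none';
}

$rules = loadRules($rulesXml);
$requests = [['q' => 'holiday photos'], ['q' => '<script>alert(1)</script>'],
             ['id' => '1 UNION SELECT name FROM users', 'file' => '../../etc/passwd']];
foreach ($requests as $req) {   // constructed sample requests
    [$impact, $hits] = scoreRequest($req, $rules);
    echo "impact=$impact action=" . chooseAction($impact) . ' [' . implode('; ', $hits) . "]\n";
}
```

Because the score only drives logging and alerting, the application's own input validation and output encoding still have to do the actual blocking.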

You can see a demo here where you can try some injections or XSS and see the warnings.

Download the latest version of PHPIDS here:

PHPIDS 0.4.6 zip
PHPIDS 0.4.6 tar.gz

There are other versions for Drupal and WordPress on the download page.

Or read more here.

Posted in: Countermeasures, Security Software, Web Hacking



12 Responses to PHPIDS – Security Layer & Intrusion Detection for PHP Based Web Applications

  1. eM3rC February 12, 2008 at 8:42 am #

    Wow amazing program. Definitely gonna add this when I do my next site.

  2. Pantagruel February 12, 2008 at 5:18 pm #

    Indeed a very sane addition to any server running PHP coded software
    (even something silly as a photo album or so)

  3. anonymous February 16, 2008 at 7:04 pm #

    I don’t get the point of using such a packet. Why not just go to the root of the problem and make your code secure in the first place?

    I believe the more code there is, the more insecure your application will be. I always try to keep my code as simple as possible.

  4. eM3rC February 16, 2008 at 8:51 pm #

    It’s always good to keep the code as simple and secure as possible but there’s one thing that is always true no matter what code it is. There will always be mistakes. Unless you have decades of experience for programming php securely it won’t hurt to add more stuff. There are also some unknown techniques for hacking which you may not be aware of when you write the code.

    One can never be too safe.

  5. zupakomputer February 17, 2008 at 7:06 pm #

    That’s the thing: no matter how well you know any language or instruction set, chances are someone else will know more, and someone else that knows less will have cracking tools that can exploit whatever you wrote.
    That’s likely true even if you wrote the language itself – there’ll be some machine code or assembly-based way of altering it.

  6. Darknet February 17, 2008 at 8:15 pm #

    According to the wisdom of ‘anonymous’ we wouldn’t need anti-virus, intrusion detection, firewalls….hell let’s just get rid of the whole security industry and simply ask everyone to code properly!

  7. eM3rC February 17, 2008 at 10:38 pm #

    Couldn’t be more true. There will always be a weakness no matter what you do.

    Let’s do all of that and rid the world of disease and hunger!

  8. anonymous February 18, 2008 at 12:43 am #

    My box runs neither a firewall, anti-virus or some sort of intrusion detection. And it has never been compromised in its 4 years of uptime. On average, it serves about 1400 HTTP requests daily.

    I can agree that you may need extra protection in case you do not have the experience, but personally I would never run such an injection detection system on anything. I think it will only give the programmer a false sense of security, which will most likely result in other security checks being ignored.

  9. Darknet February 18, 2008 at 8:30 am #

    anonymous: I never implied YOU needed it, nor did I say I needed it but does that mean it’s not required? I have a feeling you are young. If you’ve ever worked on a reasonably complex problem (more than 100k lines of code) you would know mistakes happen, multiple people are working on the same thing and you need multiple layers of defence (AV/Firewall/Reverse Proxy/IDS/Application Layer Protection etc.). And this tool in particular is an IDS not an IPS anyway so it doesn’t protect you from anything, it just tells you what people are trying to do. The first step of being secure is understanding the threat :)

  10. zupakomputer February 18, 2008 at 10:01 pm #

    Hey, that’s an info-gathering attempt on the slow-witted – claiming your web server’s never been hacked and it’s there, naked, waiting…..

  11. Pantagruel February 18, 2008 at 10:50 pm #


    Humor us, share the url/IP. There will be enough people about to point out why certain safety measures can be very helpful. Just because your box, to your knowledge, hasn’t been p0wned doesn’t mean it won’t be p0wned some time soon (or is under p0wnage right now).
    In general the rule applies, the better you can test the perimeter security of your server, the fewer the amount of possible holes and the smaller the chance of being hacked/compromised.

  12. zupakomputer February 18, 2008 at 11:01 pm #

    One way to stay secure and not use any protection of course is to not advertise your sites and not have any keywords in them, block robots, and so forth; and also do all your own websurfs from a completely other machine with no details of the Siren computer referred to.