---
layout: post
status: publish
published: true
title: PHP IDS

wordpress_id: 287
wordpress_url: http://pro.grammatic.org/post-php-ids-12.aspx
date: !binary |-
  MjAwNy0wNS0xNiAxMToxODowMCArMDIwMA==
date_gmt: !binary |-
  MjAwNy0wNS0xNiAxMToxODowMCArMDIwMA==
categories:
- Technology
- InfoSec
- PHP
tags:
- information security
- PHP
- XSS
comments: []
---
<p>For those who haven't yet seen this, <a href="http://mario.heideri.ch/" title=".mario's blog">.mario</a> and <a href="http://christ1an.blogspot.com/" title="christian's blog">christ1an</a> over at <a href="http://sla.ckers.org/forum/read.php?12,8085" title="sla.ckers">sla.ckers</a> have been working on a PHP Intrusion Detection System and the results are fairly promising! The system is based on regular expressions and seems to catch everything I've jammed into it so far. Here's an example of catching a JavaScript event handler:</p>
<p>
rule: (on\w+\s*=.*\\?([("|'|`)]|\&gt;)?)<br />
rule-description: <em>detects possible event handlers</em><br />
impact: 4</p>
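
<p>As an added illustration (not code from this post or from the PHP IDS project), the Python code below applies the rule above to three constructed request parameters and sums the impact of every hit. It uses Python's <em>re</em> module rather than PHP's PCRE; the case-insensitive flag, the <em>inspect_request</em> helper and the sample values are assumptions.</p>

```python
import re

# The rule exactly as printed in the post (HTML entity &gt; decoded to >).
# Assumption: case-insensitive matching; the post does not state the flags.
RULES = [
    {
        "pattern": re.compile(r"""(on\w+\s*=.*\\?([("|'|`)]|\>)?)""", re.IGNORECASE),
        "description": "detects possible event handlers",
        "impact": 4,
    },
]


def inspect_request(params):
    """Run every rule over every request parameter (hypothetical helper).

    Returns (total_impact, hits); each hit records the parameter name,
    the rule description and the text the rule matched.
    """
    total, hits = 0, []
    for name, value in params.items():
        for rule in RULES:
            match = rule["pattern"].search(value)
            if match:
                total += rule["impact"]
                hits.append((name, rule["description"], match.group(0)))
    return total, hits


# Constructed sample requests (not taken from the post or the project).
SAMPLES = {
    "markup with handler": {"comment": '<img src="a.png" onerror="track()">'},
    "plain text": {"comment": "Turn the light on = easy"},
    "benign, still flagged": {"q": "money=5"},
}

if __name__ == "__main__":
    for label, params in SAMPLES.items():
        total, hits = inspect_request(params)
        print(f"{label}: impact={total} hits={hits}")
```

<p>The third sample shows the rule also firing on an ordinary <em>money=5</em> parameter, because <em>on\w+\s*=</em> matches inside the word; a hit is better read as a weighted signal than as a verdict.</p>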
<p>Check out the <a href="http://groups.google.de/group/php-ids" title="PHP IDS Google Group">Google Group</a> and the <a href="http://phpids.heideri.ch/" title="PHP IDS Live Sandbox">live sandbox</a> for more.</p>