
Abusing the PHP Query String Parser to Bypass IDS, IPS, and WAF - lelf
https://www.secjuice.com/abusing-php-query-string-parser-bypass-ids-ips-waf/
======
tptacek
Or, "why you shouldn't rely on IDS, IPS, and WAF".

~~~
cortesoft
For anything?

~~~
tptacek
I like Signal Science just as a product in general, and have used it to
accomplish a variety of security tasks for clients. I am not sold on the core
promise of WAF/RASP, where you front an insecure application with a middlebox
that resolves security problems for you, and I think I'm squarely in the
mainstream of security industry opinion on that.

~~~
glenjamin
In a situation where you're saddled with an insecure application you can't
touch, I think a WAF can make sense.

In the situation I hope many people are in, where they have a production
application they own that they can quickly continuously deploy to - what's the
WAF for?

~~~
ownagefool
There's a concept that you should use several products in highly secure
environments.

For example, if your input validation is written in PHP, you might want to
write another layer in front, i.e. in your reverse proxy layer, using
something like [https://github.com/nbs-system/naxsi](https://github.com/nbs-system/naxsi).
That way, neither just a PHP bug nor a lua bug should defeat you.

In reality, they're probably written by the same person, and thus it's
probably a logic bug that will result in a hack and, assuming a zero sum game
in engineering time, I'd probably rather focus on protective monitoring than
rewriting the same input validation.

But there you go. In much the same way, if you don't really believe you can
trust cisco or huawei to protect against their respective governments, then
you layer both and hope they keep each other in check.

~~~
ownagefool
True @tptacek, but we're talking about systems where you'd rather the system
fail closed than leak anything. Not something one would really normally
consider for their uber for hedgehogs app.

Personally, I'm not really a big fan of the baseline for the guidance being
behind closed doors, I prefer to be able to read said validation, but the
guidance does exist and is parroted around the industry occasionally.

~~~
pvg
You can click on the timestamp of a comment and reply to it there so you don't
have to @ people like a barbarian.

~~~
posix_me_less
You can give the usability information about this website without calling a
group of people barbarians.

~~~
pvg
I jokingly compared a single person to a barbarian without calling anyone a
barbarian, like a barbarian.

~~~
arpa
Then again, we are in discussion regarding PHP, so someone's bound to point
out we're a bunch of neanderthal barbarians just because of that. So it could
have been just a kneejerk reaction.

------
_nalply
If you do _positive_ validation, you probably won't be affected by this.

In other words: check that the id is a string with digits only.

Don't search for invalid characters like ASCII NUL or for clever escapes,
because there are too many ways of abuse.

Use ctype_digit() for numerical ids and stop with a validation error if
ctype_digit() does not return TRUE.

[https://www.php.net/manual/en/function.ctype-digit.php](https://www.php.net/manual/en/function.ctype-digit.php)

For more complicated cases (like an id with lowercase letters and digits)
preg_match() can be used, for example: preg_match('/^[a-z0-9]+$/', $id).
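
The allow-list approach above, written out as an added example (not code from the thread or from PHP's documentation). Note one caveat a practitioner would want: in PCRE `$` also matches before a trailing newline, so `\z` is used instead; `numericIdOrNull` and `slugIdOrNull` are names chosen here.

```php
<?php
// Added example: positive validation of request ids. Accept only what the
// application model allows and reject everything else, instead of hunting
// for bad bytes such as NUL or clever encodings.
declare(strict_types=1);

/**
 * Return the id as an int, or null if it is not a string of ASCII digits.
 * ctype_digit() is false for '', for non-strings, and for ' 42' or '4.2'.
 * The length cap keeps the value inside PHP_INT_MAX on 64-bit builds.
 */
function numericIdOrNull(mixed $raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 18) {
        return null;
    }
    return (int) $raw;
}

/**
 * Allow-list for slug-style ids: lowercase letters and digits only.
 * \A and \z anchor the whole string; with ^...$ "abc\n" would be accepted.
 */
function slugIdOrNull(mixed $raw): ?string
{
    if (!is_string($raw) || preg_match('/\A[a-z0-9]{1,64}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Constructed samples; in a request these come from the query string.
$samples = ['42', ' 42', "42\0", '4.2', '', 'abc123', "abc123\n", 'ABC'];
foreach ($samples as $s) {
    printf("%-14s numeric=%-5s slug=%s\n",
        json_encode($s),
        var_export(numericIdOrNull($s), true),
        var_export(slugIdOrNull($s), true));
}
```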

------
founderling
Nothing is abused, nothing is bypassed.

The article makes it sound like IDS/IPS&WAF are intended to do input
validation so it fits the application's model of the data.

They are not.

They are intended to harden the whole stack a little bit against yet
undiscovered vulnerabilities.

By the same logic, this "article" could claim that it is possible to abuse
Python's strip() function to bypass WAF rules because filtering for the user
name "root" will not filter out " root" and many login systems do strip
whitespace before processing the input.

This applies to any language. Here on HN I can log in as "founderling" or
" founderling" just fine.

If you want to filter out something in WAF, you 1) have to do it right and 2)
do not do it for input validation at all.

It has nothing to do with the language if you fail at 1 and/or 2.

------
TazeTSchnitzel
If you wonder why PHP does this, I think it comes from our old friend
_register_globals_. In the past, query string, request body and cookie values
were automatically made into global variables, so they needed to have
variable-friendly names.

~~~
meritt
Correct, this behavior is well-known and has been around for 20+ years.
Leading spaces are removed and additionally other spaces or dots are converted
to an underscore.

For this reason, many frameworks ignore the default $_GET structure and
instead access the raw URI query in $_SERVER['QUERY_STRING'].
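
To make that difference concrete, an added example (not code from the thread) contrasts the keys PHP's parser produces with a strict parser over the raw `$_SERVER['QUERY_STRING']` that refuses any key it cannot match byte for byte. `parse_str()` stands in for the `$_GET` parser because it applies the same leading-space and dot rewriting; per the bug report linked elsewhere in this thread it does not treat control characters identically, so those are left out of the samples. `parseQueryStrict` is a name chosen here.

```php
<?php
// Added example: the same query string seen two ways. The lenient view is what
// $_GET would contain; the strict view is what a validation or logging layer
// should work from if it wants to see the bytes that were actually sent.
declare(strict_types=1);

/**
 * Strict parser with no key normalisation. Each pair is split on the first
 * '=', form-decoded ('+' and %XX), and the key must equal an allow-listed name
 * exactly. Returns null if any key is unknown, duplicated, or if a key or
 * value carries control bytes.
 */
function parseQueryStrict(string $query, array $allowedKeys): ?array
{
    $out = [];
    if ($query === '') {
        return $out;
    }
    foreach (explode('&', $query) as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $k = urldecode($k);
        $v = urldecode($v);
        if (!in_array($k, $allowedKeys, true) || isset($out[$k])
            || preg_match('/[\x00-\x1f\x7f]/', $k . $v) === 1) {
            return null;
        }
        $out[$k] = $v;
    }
    return $out;
}

// Constructed query strings. In a request this is $_SERVER['QUERY_STRING'].
$queries = ['id=42', '%20id=42', 'i.d=42', 'id+=42', 'id=42&id=43'];
foreach ($queries as $q) {
    parse_str($q, $lenient);             // what PHP itself would hand the app
    $strict = parseQueryStrict($q, ['id']);
    printf("%-13s lenient keys=%-5s strict=%s\n",
        $q,
        implode(',', array_keys($lenient)),
        $strict === null ? 'REJECT' : json_encode($strict));
}
```

A WAF or IDS rule that inspects the raw string has to apply the same rewriting the application does, or compare against a strict parse like this one; otherwise it and the application disagree about which parameter was set.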

------
cwojno
Seeing a lot of WAF-hate. Additional rules could fix this.

Flame-bait Proposal:

Or, "why you shouldn't use PHP" or any other language that silently converts
badly-encoded input for you?

------
chx
Hrm... the solution is to keep your PHP codebase up to date...?

~~~
JeremyBanks
The solution is to throw out your WAF.

~~~
simlevesque
WAF has its purpose but it's clearly not a silver bullet. Nothing is.

~~~
nullwasamistake
WAF is brittle and breaks more than it fixes IMO. It's just regex against
URLs in 99% of cases. If you think you need one, you need to fix the app
code; there will be more vulnerabilities it doesn't block.

~~~
simlevesque
WAF provides a lot of other things, such as IP based filtering.

------
HiddenIncome
parse_str also does not work the same as the parser generating $_GET because
it doesn't replace control characters:
[https://bugs.php.net/bug.php?id=76255](https://bugs.php.net/bug.php?id=76255)

