This repository has been archived by the owner on Jun 30, 2020. It is now read-only.
Norbert Boros edited this page Apr 20, 2018 · 2 revisions

Welcome to the SanitiserX wiki!

The purpose of this module is to offer better filtering and security for your application/project.

Configuration explained:

```php
'REQUESTS_FILTER_GET' => 1,

'REQUESTS_GET' => [
    'AUTO_FILTER_XSS' => 1,
    'AUTO_FILTER_SQL' => 1,
],
```

You do not need to set `REQUESTS_FILTER_GET` to 1 to sanitise individual or multiple inputs. Setting `REQUESTS_FILTER_GET` to 1 enables the hooks inside Module.php (`onBootstrap()`, `onDispatch()` and more to be implemented).

This means that every GET request (including route params) is subjected to the filter. However, you must also enable at least one filter from the `REQUESTS_GET` options, otherwise nothing is checked.

If you set, for example, `AUTO_FILTER_XSS` to 1 and then send a test request such as:

`http://xxxxxxx.com/xxxx/some-link?test=alert(1)`

the filter takes effect: the rule is triggered, the request is rejected with a 403 response and a short message is shown:

(screenshot: the SanitiserX 403 message page)

This applies to all the rules I will add: XSS, SQL, everything possible.

Sanitising an individual input behaves differently. No message is shown or returned; instead the input is sanitised as much as possible and, of course, everything is logged.

Logging explained:

In the same configuration file you will find this:

```php
'LOG' => [
    'LOG_UID' => 1,
    'LOG_IP' => 1,
    'LOG_DNS' => 1,
    'LOG_REFERER' => 1,
    'LOG_REQUEST_URL' => 1,
    'LOG_REQUEST_METHOD' => 1,
],
```

The options are pretty much self-explanatory. With everything enabled you will get the following log file and content (as of now; the format may change):

`.\data\sanitiserX\2018-04-20-security.log`:

```
[SanitiserX] [2018-04-20T17:24:45+02:00] [INFO] ----------------------------------------
[SanitiserX] [2018-04-20T17:24:45+02:00] [INFO] UID: bdd29032c47eadf5982b9074d2144eeb
[SanitiserX] [2018-04-20T17:24:45+02:00] [INFO] Requesting IP: 127.0.0.1
[SanitiserX] [2018-04-20T17:24:45+02:00] [INFO] IP DNS: x.x.x.x.x.x
[SanitiserX] [2018-04-20T17:24:45+02:00] [INFO] Referer: no referer
[SanitiserX] [2018-04-20T17:24:45+02:00] [INFO] Requested URL: xxxx/some-link?test=alert(1)
[SanitiserX] [2018-04-20T17:24:45+02:00] [INFO] Requested Method: GET
[SanitiserX] [2018-04-20T17:24:45+02:00] [INFO] [AUTO_FILTER_XSS] Filtering param: 'test' value: 'alert(1)'
[SanitiserX] [2018-04-20T17:24:45+02:00] [INFO] [AUTO_FILTER_XSS] XSS attack in GET request!
[SanitiserX] [2018-04-20T17:24:45+02:00] [INFO] ----------------------------------------
```
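As an added illustration (not SanitiserX's own code) of how the two modes described above differ and what ends up in the log, here is a stand-alone PHP sketch: the auto-filter path blocks with 403 and logs, the sanitise path only cleans and logs. The detection patterns, the function names and the `htmlspecialchars`/`strip_tags` cleaning step are assumptions; only the configuration keys and the log-line format come from this page.

```php
<?php
// Constructed config mirroring the wiki's module configuration.
const CONFIG = [
    'REQUESTS_FILTER_GET' => 1,
    'REQUESTS_GET' => ['AUTO_FILTER_XSS' => 1, 'AUTO_FILTER_SQL' => 1],
];

// Hypothetical detection rules, keyed by the REQUESTS_GET option that enables them.
const RULES = [
    'AUTO_FILTER_XSS' => '/<\s*script|javascript\s*:|on\w+\s*=|alert\s*\(/i',
    'AUTO_FILTER_SQL' => '/(\bunion\b.+\bselect\b|\bor\b\s+1\s*=\s*1|--\s*$)/i',
];

// Builds one line in the same shape as the wiki's security.log output.
function logLine(string $msg): string {
    return sprintf('[SanitiserX] [%s] [INFO] %s', date('c'), $msg);
}

// Auto-filter mode: only runs when REQUESTS_FILTER_GET is on, and only the
// elected rules are applied. Returns [httpStatus, logLines].
function autoFilterGet(array $config, array $query): array {
    $log = [];
    if (empty($config['REQUESTS_FILTER_GET'])) {
        return [200, $log];                          // hooks disabled, nothing checked
    }
    foreach ($config['REQUESTS_GET'] as $rule => $on) {
        if (!$on || !isset(RULES[$rule])) continue;  // rule not elected
        $kind = substr($rule, strlen('AUTO_FILTER_')); // 'XSS' or 'SQL'
        foreach ($query as $param => $value) {
            $log[] = logLine("[$rule] Filtering param: '$param' value: '$value'");
            if (preg_match(RULES[$rule], (string) $value)) {
                $log[] = logLine("[$rule] $kind attack in GET request!");
                return [403, $log];                  // request rejected, message shown
            }
        }
    }
    return [200, $log];
}

// Sanitise mode: never blocks or shows a message; cleans the value and logs it.
function sanitiseInput(string $value, array &$log): string {
    $clean = htmlspecialchars(strip_tags($value), ENT_QUOTES, 'UTF-8');
    $log[] = logLine("Sanitised value: '$value' -> '$clean'");
    return $clean;
}

// Constructed sample: the query string from the wiki example.
[$status, $log] = autoFilterGet(CONFIG, ['test' => 'alert(1)']);
echo $status, PHP_EOL, implode(PHP_EOL, $log), PHP_EOL;      // 403 plus the log lines
$log = [];
echo sanitiseInput('<b onmouseover=x>hi</b>', $log), PHP_EOL;  // hi
```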

Well, that pretty much sums it up for now. Feel free to join and contribute! I honestly don't have much time (any time) to work on this, so any help is appreciated.
