Adding Expose IDS to Laravel MiddleWare

Posted: 2015-09-03 00:03:43

The library is

"Expose is an Intrusion Detection System for PHP loosely based on the PHPIDS project (and using it's ruleset for detecting potential threats)."

After seeing it in the latest PHPArch magazine on security I wanted to give it a try.

Of course this is far from a complete look.

Step 1 Make the MiddleWare

php artisan make:middleware ExposeMiddleware

Then add Expose as noted in the docs.


namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\App;
use Illuminate\Support\Facades\Log;

class ExposeMiddleware
    public function handle($request, Closure $next)
        $filters = new \Expose\FilterCollection();
        $logger = App::make('log');
        $manager = new \Expose\Manager($filters, $logger);

        Log::info(sprintf("Logging results from Expose %d", $manager->getImpact()));

        return $next($request);

Then in app/Http/Kernel.php

    protected $middleware = [

Now to make the route for testing


Route::get('/', function () {
    return view('welcome');

Route::post('/post', function() {

    return "Yo";

And now a phpunit test to hit the route

    public function testPost()
        $token = csrf_token();
        $data = array(
                '_token' => $token,
                'test' => 'foo',
                'bar' => array(
                    'baz' => 'quux',
                    'testing' => '<script>test</script>'

        $this->call('POST', '/post', $data);

One more thing is to set the app/Http/Middleware/VerifyCsrfToken.php as such

public function handle($request, Closure $next) { if ( 'testing' === App::environment() && $request->exists('_token') ) { $input = $request->all(); $input['_token'] = $request->session()->token(); $request->replace( $input ); } if ($this->isReading($request) || $this->shouldPassThrough($request) || $this->tokensMatch($request)) { return $this->addCookieToResponse($request, $next($request)); } throw new TokenMismatchException; }

Okay so now we can tail the log file in the terminal and hit the route with phpunit

And the logs should output

[2015-09-02 23:50:44] testing.INFO: Match found on Filter ID 38 [{"id":"38","rule":"(?:\\<[\\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\\w+|image|im(?:g|port)))","description":"Detects possibly malicious html elements including some attributes","tags":"xss, csrf, id, rfe, lfi","impact":"4"}]
[2015-09-02 23:50:44] testing.INFO: Logging results from Expose 8

At this point the MiddleWare can do numerous things

  • Log to an in memory db IP addresses that violates a rule of a certain level and block them.
  • Keep track of issues and notify the team of issues
  • Cut through a can without getting dull

Anyways I have a ways to go with this but just seeing the different tools I could use to make my applications more secure.