Focus on IDS
CSLID evasion - Client protection Mar 25 2009 02:40PM
Ravi Chunduru (ravi is chunduru gmail com)
In many cases, ActiveX CLSID is sent in HTML pages as a simple string such as


To evade detection by intermediate security devices, clsid information
can be sent as java script which looks like this:

var object1=document.createElement('object');
xyz = object1.CreateObject(....)

Above evasion can have any combination of characters.

How can one go about writing rules to detect these evasions? Does
PCRE good enough for this? I thought that it can't be done by PCRE
expressions and it requires some code support in IDP sensors. What do
you think?


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus