Focus on IDS
CSLID evasion - Client protection Mar 25 2009 02:40PM
Ravi Chunduru (ravi is chunduru gmail com)
In many cases, ActiveX CLSID is sent in HTML pages as a simple string such as

CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766

To evade detection by intermediate security devices, clsid information
can be sent as java script which looks like this:

<script>
var object1=document.createElement('object');
object1.setAttribute("CLSID",
"C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");
****Evasion***
xyz = object1.CreateObject(....)
....

Above evasion can have any combination of characters.

How can one go about writing rules to detect these evasions? Does
PCRE good enough for this? I thought that it can't be done by PCRE
expressions and it requires some code support in IDP sensors. What do
you think?

Thanks
Ravi

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus