Focus on IDS
CSLID evasion - Client protection Mar 25 2009 02:40PM
Ravi Chunduru (ravi is chunduru gmail com) (2 replies)
RE: CSLID evasion - Client protection Mar 25 2009 06:07PM
Addepalli Srini-B22160 (saddepalli freescale com) (1 replies)
Re: CSLID evasion - Client protection Mar 26 2009 12:31AM
Stuart Staniford (sstaniford FireEye com)
Re: CSLID evasion - Client protection Mar 25 2009 05:34PM
Stuart Staniford (sstaniford FireEye com)
I don't think you have a prayer of dealing with JavaScript attacks
without either writing or using some kind of JavaScript parser. Some
people work with

http://www.mozilla.org/js/spidermonkey/

However, increasingly we see code being in between non-script HTML
tags and then being manipulated from within the JavaScript accessing
the browser DOM tree. So you pretty much have to parse HTML too.

Stuart.

On Mar 25, 2009, at 7:40 AM, Ravi Chunduru wrote:

> In many cases, ActiveX CLSID is sent in HTML pages as a simple
> string such as
>
> CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766
>
> To evade detection by intermediate security devices, CLSID information
> can be sent as JavaScript which looks like this:
>
> <script>
> var object1=document.createElement('object');
> object1.setAttribute("CLSID",
> "C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");
> ****Evasion***
> xyz = object1.CreateObject(....)
> ....
>
> The above evasion can have any combination of characters.
>
> How can one go about writing rules to detect these evasions? Is
> PCRE good enough for this? I thought that it can't be done by PCRE
> expressions and it requires some code support in IDP sensors. What do
> you think?
>
>
> Thanks
> Ravi
>
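
The following is an added example, not part of the thread and not code from either poster: a small sensor-side normalizer that tokenizes string literals, folds "a" + "b" chains into one constant, and only then matches the CLSID, which is the step a PCRE rule on the raw bytes cannot do. The function names are hypothetical. It covers literal-to-literal concatenation only; strings built from variables, function calls or text pulled from the DOM need the real JavaScript and HTML parsing described in the reply above.

```javascript
// Read one quoted literal starting at src[i]; return [value, indexAfterIt].
function readLiteral(src, i) {
  const quote = src[i];
  let out = "";
  for (i++; i < src.length && src[i] !== quote; i++) {
    if (src[i] !== "\\") { out += src[i]; continue; }
    const m = /^\\(?:x([0-9a-f]{2})|u([0-9a-f]{4}))/i.exec(src.slice(i, i + 6));
    if (m) { out += String.fromCharCode(parseInt(m[1] || m[2], 16)); i += m[0].length - 1; }
    else out += src[++i] ?? ""; // other escapes: keep the escaped character
  }
  return [out, i + 1];
}

// Return every string constant in a script body, with + chains folded.
function foldStringConcats(src) {
  const folded = [];
  for (let i = 0; i < src.length; ) {
    if (src[i] !== '"' && src[i] !== "'") { i++; continue; }
    let [value, next] = readLiteral(src, i);
    let m;
    while ((m = /^\s*\+\s*(?=["'])/.exec(src.slice(next)))) {
      const [more, after] = readLiteral(src, next + m[0].length);
      value += more; next = after;
    }
    folded.push(value);
    i = next;
  }
  return folded;
}

const CLSID_RE = /clsid:\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?/i;

// Return the watched CLSIDs (upper-cased) found in the folded constants.
function findWatchedClsids(scriptSrc, watchlist) {
  const watched = new Set(watchlist.map((c) => c.toUpperCase()));
  return foldStringConcats(scriptSrc)
    .map((s) => CLSID_RE.exec(s))
    .filter((m) => m && watched.has(m[1].toUpperCase()))
    .map((m) => m[1].toUpperCase());
}

// Constructed sample, modelled on the snippet quoted in the thread.
const SAMPLE = `object1.setAttribute("CLSID",
"C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");`;
const WATCH = ["06723E09-F4C2-43c8-835d-09FCD1DB0766"];

console.log("raw regex hit:", CLSID_RE.test(SAMPLE));
console.log("after folding:", findWatchedClsids(SAMPLE, WATCH));
```

Feed it the contents of script elements only; comments and regex literals that contain quote characters will confuse this tokenizer.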
