IDS mailing list archives
Re: CSLID evasion - Client protection
From: "Stuart Staniford" <sstaniford () FireEye com>
Date: Wed, 25 Mar 2009 10:34:17 -0700
I don't think you have a prayer of dealing with javascript attacks without either writing or using some kind of javascript parser. Some people work with
http://www.mozilla.org/js/spidermonkey/

However, increasingly we see code being in between non-script HTML tags and then being manipulated from within the javascript accessing the browser DOM tree. So you pretty much have to parse HTML too.

Stuart.

On Mar 25, 2009, at 7:40 AM, Ravi Chunduru wrote:
In many cases, ActiveX CLSID is sent in HTML pages as a simple string such as
CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766

To evade detection by intermediate security devices, clsid information can be sent as java script which looks like this:

<script>
var object1=document.createElement('object');
object1.setAttribute("CLSID", "C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766"); ****Evasion***
xyz = object1.CreateObject(....)
....

Above evasion can have any combination of characters.

How can one go about writing rules to detect these evasions? Is PCRE good enough for this? I thought that it can't be done by PCRE expressions and it requires some code support in IDP sensors. What do you think?

Thanks
Ravi

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
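
The following is an added example, not part of either message: a sensor-side normalization pass that folds adjacent string-literal concatenations before a CLSID signature is applied, run against a sample constructed from the snippet quoted above. The function names are hypothetical, and it covers only literal + literal; strings built through variables, eval or the DOM still need the JavaScript and HTML parsing described in the reply.

```javascript
// Added example: normalize "a"+"b" -> "ab" before signature matching,
// so the rule sees the CLSID string the browser would end up with.
// Heuristic over raw text: it does not tokenize comments or regex
// literals and may over-fold (e.g. "a"+"b".length), which is acceptable
// for detection but not for rewriting code.

const CLSID_RE =
  /CLSID:\s*\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?/gi;

// One single- or double-quoted literal with backslash escapes.
const STR = String.raw`"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'`;
const CONCAT_RE = new RegExp(`(${STR})\\s*\\+\\s*(${STR})`);
const SIMPLE = { n: "\n", t: "\t", r: "\r" };

// Strip the quotes and decode \xHH, \uHHHH and single-character escapes.
function unquote(lit) {
  return lit.slice(1, -1).replace(
    /\\x([0-9a-f]{2})|\\u([0-9a-f]{4})|\\(.)/gi,
    (_, x, u, c) =>
      x || u ? String.fromCharCode(parseInt(x || u, 16))
             : (c in SIMPLE ? SIMPLE[c] : c));
}

// Merge the leftmost literal+literal pair until nothing changes.
function foldConcats(src) {
  let out = src, prev;
  do {
    prev = out;
    out = out.replace(CONCAT_RE,
      (_, a, b) => JSON.stringify(unquote(a) + unquote(b)));
  } while (out !== prev);
  return out;
}

// Return every CLSID found in the text, upper-cased for comparison.
function findClsids(text) {
  return [...text.matchAll(CLSID_RE)].map(m => m[1].toUpperCase());
}

// Constructed sample, based on the snippet in the quoted message.
const sample = `<script>
var object1=document.createElement('object');
object1.setAttribute("CLSID", "C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");
</script>`;

console.log("raw:   ", findClsids(sample));
console.log("folded:", findClsids(foldConcats(sample)));
```

The same signature misses the raw page and matches the folded text, which is why a byte-level PCRE rule alone does not cover this case.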
Current thread:
- CSLID evasion - Client protection Ravi Chunduru (Mar 25)
- Re: CSLID evasion - Client protection Stuart Staniford (Mar 25)
- RE: CSLID evasion - Client protection Addepalli Srini-B22160 (Mar 25)
- Re: CSLID evasion - Client protection Stuart Staniford (Mar 26)
- <Possible follow-ups>
- Re: CSLID evasion - Client protection ushacker20002001 (Mar 25)