Re: AppScan and IDS evasion

["Pen Testing" <quick.pentesting () gmail com>]

True if you were in the same LAN but "not so true" in a WAN
environment. I only can think of two possible "bad" scenarios in the
last case:
- the source ISP is using transparent-proxy for all its customers.
Then the proxy would be banned and it would be a DoS for other users
of the same proxy
- source user has dynamic IP. He/she could produce his/her own IP to
be banned. Then he/she'd change IP (reboot router, etc) and another
user getting old IP would be banned.

The scope is pretty limited... To say "source can be spoofed" sounds
terrific but "in general" isn't possible.

Cheers,
-q

2008/6/27 Chroot <chrooted () gmail com>:
> Isn't this a vulnerability in itself that your client blocks an IP
> address. This could result in a DoS attack if you can spoof source IP
> address. In my book IPS should block the attack not the source. Source
> can be spoofed.
>
> On Sat, May 24, 2008 at 7:44 PM, Pen Testing <quick.pentesting () gmail com> wrote:
> > Hello,
> >
> > I've launched AppScan against a web application and I'm being
> > blocked/banned (since I have a dynamic IP I can reboot my router and
> > get another IP, which is shortly banned again, as long as the attack
> > persists). Since AppScan doesn't have any kind of IDS evasion (AFAIK),
> > what could I do?
> >
> > Of course, I can perform a manual audit (which I was going to do
> > anyway, automatic scanners are only the first phase) but do you have
> > other ideas to bypass the locking mechanism? Perhaps I could put in
> > place some kind of proxy applying IDS-evasion techniques, so I could
> > configure AppScan to use that proxy, and this last one would be in
> > charge of manipulate/rewrite the requests to bypass IDS. Does such a
> > proxy exist?
> >
> > It would be nice if you could point to some good and practical
> > anti-IDS paper, doc and tools.
> >
> > Thank you.
> >
> > PS: I don't know which kind of IDS is in use (perhaps it's not a
> > full-IDS but some anomaly detection as the one included in Checkpoint
> > FW-1 but I don't have that information).
> >
> > Cheers,
> > -q
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Top 5 Common Mistakes
> > in Securing Web Applications
> > Find out now! Get Webinar Recording and PPT Slides
> >
> > www.cenzic.com/landing/securityfocus/hackinar
> > ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------