Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Evasion

From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Wed, 25 May 2005 21:05:10 -0400
Here's one of the things I discovered experimenting 
with ISA 2004 Server. It's an evasion technique that
can be used to bypass its header filters and 
header signatures. It can be achieved by
folding HTTP headers, so if somebody, for example,
has a signature to block HTTP traffic that contains
header X with value Y it would be bypassed if an
attacker folds the value Y onto the next line. 
I believe that it may also apply to SOME Snort
signatures too due to the way the HTTP signature
are usually created (some of the signatures rely
on the end of line marker).

I thought Dave might enjoy this bit of information
He's a big fan of evading stuff :-)

Just curious... would you call this evasion technique
a vulnerability in the ISA product?

Kyle 

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: