Re: Evasion

[J B <kybrdcowboy () gmail com>]

I don't know if this is a vulnerability, or a bug for that matter.  I
think it could be a feature.  Theoretically, couldn't this be used to
monitor different settings etc, without getting noticed too much?

J


On 5/25/05, Kyle Quest <Kyle.Quest () networkengines com> wrote:
> Here's one of the things I discovered experimenting
> with ISA 2004 Server. It's an evasion technique that
> can be used to bypass its header filters and
> header signatures. It can be achieved by
> folding HTTP headers, so if somebody, for example,
> has a signature to block HTTP traffic that contains
> header X with value Y it would be bypassed if an
> attacker folds the value Y onto the next line.
> I believe that it may also apply to SOME Snort
> signatures too due to the way the HTTP signature
> are usually created (some of the signatures rely
> on the end of line marker).
>
> I thought Dave might enjoy this bit of information
> He's a big fan of evading stuff :-)
>
> Just curious... would you call this evasion technique
> a vulnerability in the ISA product?
>
> Kyle
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> https://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave