IDS mailing list archives
RE: Javascript long string detection
From: "Srinivasa Addepalli" <srao () intoto com>
Date: Mon, 9 Jun 2008 19:17:38 -0700
Hi Ravi, You are right that many IDS/IPS systems don't have java script analyzers. Even the systems that have these analyzers will also have problems in detecting these kinds of attacks. One simple way is to create a signature which checks version string in User-Agent field and javascript in response html data. If user agent version indicates vulnerable software edition and javascript is seen, this signature flags the administrator. Since javascript is not analyzed, there could be false positives; but at the minimum, it provides logs and alerts to administrator to take further action. Srini -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ravi Chunduru Sent: Saturday, June 07, 2008 1:55 PM To: Focus IDS Subject: Javascript long string detection Hi, I have come across this vulnerability http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0729 and corresponding Exploit at http://www.milw0rm.org/exploits/5268 There are so many ways to create a long string in Javascript. How do Network based IDS/IPS can detect these kinds of attacks? Is it possible to create signatures to detect these attacks? Many existing IDS/IPS devices don't have capabilities to interpret and evaluate javascripts. So, I would think that it is nearly impossible. Any insight? Thanks Ravi ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in tro_sfw to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Javascript long string detection Ravi Chunduru (Jun 09)
- RE: Javascript long string detection Srinivasa Addepalli (Jun 10)
- Re: Javascript long string detection Ravi Chunduru (Jun 10)
- Re: Javascript long string detection Ureleet (Jun 11)
- Re: Javascript long string detection Ravi Chunduru (Jun 30)
- Re: Javascript long string detection Ravi Chunduru (Jun 10)
- RE: Javascript long string detection Srinivasa Addepalli (Jun 10)