Re: CSLID evasion - Client protection

["Stuart Staniford" <sstaniford () FireEye com>]

I don't think you have a prayer of dealing with javascript attacks  
without either writing or using some kind of javascript parser.  Some  
people work with

http://www.mozilla.org/js/spidermonkey/

However, increasingly we see code being in between non script HTML  
tags and then being manipulated from within the javascript accessing  
the browser DOM tree.  So you pretty much have to parse HTML too.

Stuart.

On Mar 25, 2009, at 7:40 AM, Ravi Chunduru wrote:

> In many cases, ActiveX CLSID is sent in HTML pages as a simple  
> string such as
>
> CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766
>
> To evade detection by intermediate security devices, clsid information
> can be sent as java script which looks like this:
>
> <script>
> var object1=document.createElement('object');
> object1.setAttribute("CLSID",
> "C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");
> ****Evasion***
> xyz = object1.CreateObject(....)
> ....
>
> Above evasion can have any combination of characters.
>
> How can one go about writing rules to detect these evasions?  Does
> PCRE good enough for this? I thought that it can't be done by PCRE
> expressions and it requires some code support in IDP sensors.  What do
> you think?
>
>
> Thanks
> Ravi
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.