Penetration Testing mailing list archives

RE: AppScan and IDS evasion


From: "Erin Carroll" <amoeba () amoebazone com>
Date: Sat, 24 May 2008 12:46:18 -0700

If an IDS is blocking/banning your source IP, there are a couple of things that
are possibly happening, and that you can try in order to work around the issue. Either a
probe (or group of probe types) in AppScan is triggering an IDS response
based on request type, or your concurrent connection and request rate is
triggering anti-DoS responses.

First, I would recommend limiting your concurrent threads to a bare minimum
and seeing if that works. Bear in mind that this will significantly increase the total time
AppScan takes to complete a scan.

Second, if that doesn't work and you are still getting blocked, you may want
to modify which tests are being performed. Depending on IDS setup and type,
you could encounter blocking for request types which don't match the target
server ("content-aware" approaches), like sending Apache probes against an
IIS server. If that doesn't work, try removing server/service attacks/checks
from your scan run and stick to just content-based attacks. Some IDS/IPS
systems are aware of server/service attack behavior (like Apache 2.2.3's
mod_rewrite off-by-one error vuln).

But, like you said, manual checking is the way to go. AppScan and similar
tools are just useful first steps to help pinpoint potential vectors.

SecurityFocus has a pretty good intro to IDS evasion techniques at
http://www.securityfocus.com/infocus/1577


Hope that helps. I'm sure other list members will have other suggestions :)


--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba () amoebazone com
"Do Not Taunt Happy-Fun Ball"





-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Pen Testing
Sent: Saturday, May 24, 2008 7:14 AM
To: pen-test () securityfocus com
Subject: AppScan and IDS evasion

Hello,

I've launched AppScan against a web application and I'm being
blocked/banned (since I have a dynamic IP I can reboot my router and
get another IP, which is shortly banned again, as long as the attack
persists). Since AppScan doesn't have any kind of IDS evasion (AFAIK),
what could I do?

Of course, I can perform a manual audit (which I was going to do
anyway; automatic scanners are only the first phase), but do you have
other ideas to bypass the locking mechanism? Perhaps I could put in
place some kind of proxy applying IDS-evasion techniques, so I could
configure AppScan to use that proxy, and this last one would be in
charge of manipulating/rewriting the requests to bypass the IDS. Does such a
proxy exist?

It would be nice if you could point to some good and practical
anti-IDS papers, docs and tools.

Thank you.

PS: I don't know which kind of IDS is in use (perhaps it's not a
full IDS but some anomaly detection like the one included in Checkpoint
FW-1, but I don't have that information).

Cheers,
-q
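Erin's first point is that a scanner most often gets banned not by a signature match but by a simple anti-DoS threshold on the source address: too many requests in a short window, often combined with the flood of 404s a crawler-style scan produces. The following is an added illustration written from the blocking side, not code from the thread, AppScan, or any particular IDS/IPS product. It runs a sliding-window request counter and a 4xx-ratio heuristic over constructed access-log lines (a fast scanner from 203.0.113.7 and a slow browsing client from 198.51.100.4); the thresholds, window length and the `find_noisy_sources` / `parse_line` names are assumptions, chosen so an operator can see which limit tripped and tune it before a legitimate scan or a busy client gets banned.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-style line: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), method, path, int(status)


def find_noisy_sources(lines, window_seconds=10, max_requests=20,
                       min_requests=10, max_error_ratio=0.5):
    """Flag source IPs that trip either of two anti-DoS style heuristics.

    "rate":        more than max_requests within a sliding window_seconds window
    "error-ratio": after min_requests, more than max_error_ratio of responses are 4xx
    Each reason is recorded once per IP, with the timestamp at which it tripped.
    """
    recent = defaultdict(deque)              # ip -> timestamps inside the window
    totals = defaultdict(lambda: [0, 0])     # ip -> [requests, 4xx responses]
    flagged = defaultdict(list)              # ip -> [(reason, timestamp), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _method, _path, status = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # expire old entries
            q.popleft()
        totals[ip][0] += 1
        if 400 <= status < 500:
            totals[ip][1] += 1
        reqs, errs = totals[ip]
        reasons = [r for r, _ in flagged[ip]]
        if len(q) > max_requests and "rate" not in reasons:
            flagged[ip].append(("rate", ts))
        if (reqs >= min_requests and errs / reqs > max_error_ratio
                and "error-ratio" not in reasons):
            flagged[ip].append(("error-ratio", ts))
    return {ip: hits for ip, hits in flagged.items() if hits}


def _log_line(ip, ts, path, status):
    return f'{ip} - - [{ts.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" {status} 512'


def build_sample_log():
    """Constructed sample traffic (assumption, not real data): one scanner, one client."""
    base = datetime(2008, 5, 24, 12, 0, 0, tzinfo=timezone(timedelta(hours=-7)))
    lines = []
    # Scanner: 6 requests per second for 5 seconds; two of every three paths 404.
    for i in range(30):
        ts = base + timedelta(seconds=i // 6)
        status = 200 if i % 3 == 0 else 404
        lines.append(_log_line("203.0.113.7", ts, f"/probe{i}", status))
    # Normal client: one request every 12 seconds, all served.
    for i in range(5):
        ts = base + timedelta(seconds=12 * i)
        lines.append(_log_line("198.51.100.4", ts, "/page", 200))
    return lines


if __name__ == "__main__":
    for ip, hits in find_noisy_sources(build_sample_log()).items():
        for reason, when in hits:
            print(f"{ip}: {reason} tripped at {when.isoformat()}")
```

With the sample traffic the scanner trips the 4xx-ratio check after its tenth request and the rate check one second later, while the browsing client never comes near either limit; raising `max_requests` or lengthening `window_seconds` is the knob that corresponds to Erin's advice to throttle the scanner's concurrent threads.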

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes 
in Securing Web Applications  
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------