Re: Obfuscated web pages

On Thu, 2008-02-14 at 16:17 -0500, Gary Flynn wrote:
> Tim wrote:
> > The specific issue of JavaScript obfuscation drives this point home
> > quite well. IMO, it is unlikely that any IDS engine could implement
> > the beast that is ECMAScript and all of its children and still be safe
> > while reliably detecting attacks. It approaches issues similar to the
> > halting problem.
>
> I suspect that no vendors support this feature (actual code
> execution in some sort of sandbox) and I was just trying to
> verify it.

I would recommend checking out SpyProxy, presented at last year's USENIX
Security. While it's not a commercial vendor-supported product and has
its share of limitations, it does demonstrate that an inline
execution-based IDS/IPS proxy may be feasible:

Jon Oberheide

Jon Oberheide <jon@xxxxxxxxxxxxx>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
