RE: Javascript long string detection



Hi Ravi,

You are right that many IDS/IPS systems don't have JavaScript analyzers.
Even the systems that have these analyzers will also have problems
detecting these kinds of attacks.

One simple way is to create a signature which checks the version string in
the User-Agent field and JavaScript in the response HTML data. If the user
agent version indicates a vulnerable software edition and JavaScript is seen,
this signature flags the administrator. Since the JavaScript is not analyzed,
there could be false positives; but at the minimum, it provides logs and
alerts to the administrator to take further action.

Srini


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Ravi Chunduru
Sent: Saturday, June 07, 2008 1:55 PM
To: Focus IDS
Subject: Javascript long string detection

Hi,

I have come across this vulnerability

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0729

and the corresponding exploit at

http://www.milw0rm.org/exploits/5268

There are so many ways to create a long string in JavaScript. How can
network-based IDS/IPS detect these kinds of attacks? Is it
possible to create signatures to detect these attacks? Many existing
IDS/IPS devices don't have capabilities to interpret and evaluate
JavaScript. So, I would think that it is nearly impossible. Any
insight?

Thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
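
The correlation signature described in the reply above, sketched as an added example that is not part of the original thread or of any IDS product: it pairs a request's User-Agent version with the presence of script in the HTML response and alerts without analyzing the script itself. The product name `ExampleBrowser`, its version ceiling and the sample traffic are constructed placeholders, and the code assumes reassembled, uncompressed HTTP messages.

```python
import re

# Assumption: placeholder (product, highest affected version); take real values from the advisory.
VULNERABLE_AGENTS = [("ExampleBrowser", (1, 1, 3))]
SCRIPT_RE = re.compile(rb"<script\b|\bjavascript:", re.IGNORECASE)

def parse_headers(raw):
    """Return (headers with lower-cased names, body) for one raw HTTP message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body

def vulnerable_agent(user_agent):
    """Return 'Product/x.y.z' when the User-Agent names a listed build at or below the ceiling."""
    for product, max_version in VULNERABLE_AGENTS:
        m = re.search(re.escape(product) + r"/(\d+(?:\.\d+)*)", user_agent)
        if m and tuple(int(p) for p in m.group(1).split(".")) <= max_version:
            return m.group(0)
    return None

def check_transaction(request, response):
    """Alert text when a vulnerable client is served HTML containing script, else None."""
    req_headers, _ = parse_headers(request)
    agent = vulnerable_agent(req_headers.get("user-agent", ""))
    resp_headers, body = parse_headers(response)
    is_html = "html" in resp_headers.get("content-type", "").lower()
    if agent and is_html and SCRIPT_RE.search(body):
        # The script is not evaluated, so this is a lead for the administrator, not a verdict.
        return f"ALERT {agent} received JavaScript in HTML response (script not analyzed)"
    return None

# Constructed sample traffic (not captured from any real host).
REQ_OLD = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0 ExampleBrowser/1.1.2\r\n\r\n"
REQ_NEW = b"GET / HTTP/1.1\r\nHost: example.test\r\nuser-agent: Mozilla/5.0 ExampleBrowser/2.0\r\n\r\n"
RESP_JS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><SCRIPT>var s='a';</SCRIPT></html>"
RESP_TXT = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n<script> shown as text"

if __name__ == "__main__":
    for req, resp in [(REQ_OLD, RESP_JS), (REQ_NEW, RESP_JS), (REQ_OLD, RESP_TXT)]:
        print(check_transaction(req, resp))
```

Because almost every HTML page carries script, this fires on most traffic to a listed client, which is the false-positive trade-off the reply notes.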


