Bugtraq mailing list archives

Re: "Strip Script Tags" in FW-1 can be circumvented


From: dknight () CSUCHICO EDU (Bret Piatt)
Date: Wed, 2 Feb 2000 08:44:52 -0800


Arne Vidstrøm wrote:
The "Strip Script Tags" in FW-1 can be circumvented by adding
an extra <
before the <SCRIPT> tag

(.......)

I'm not able to check it on version 4.0 since
I don't have access to it.

I've tried this on FW-1 version 4.0 SP4, on NT4 and it strips the code as
it's supposed to do. That is,
<<SCRIPT LANGUAGE="JavaScript">
is altered into
<<SCRIP! LANGUAGE="JavaScript">
which the browsers will disregard. It's a bit silly that the alert("hello
world") isn't cut away, though, so "< alert("hello world") test" is what
your page looks like in web-browsers.

    I recall Georgi posting something about using other malformed tags to
cause problems with hotmail.com's javascript filtering.  Does FW-1
block if you use <SCRIPT L\0x41NGUAGE="JavaScript"> or any other
such bastardizations thereof?  I did some quick testing to make sure
that IE 5.0 still accepted the tag <script L\0x41NGUAGE="JavaScript">
but I don't have access to a FW-1 wall to check its filtering.

    If firewall software is going to "filter" all or selected scripting
languages from web pages, it can't be the position of the firewall vendor
that the web browsers are processing malformed tags and they can't be
expected to check for all of them.  It'd be like your alarm company saying
"Well, that burglar cut the exposed wires we left! How can we stop that?".
The firewall developers should be working with browser vendors (or put
together their own testing team if the browser vendors aren't willing) to
find every way that undesired code can be executed, not just the "proper"
way.
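As an added illustration (not code from this thread or from the FW-1 product), the Python below models the tag-mangling behaviour the thread describes, the <SCRIPT to <SCRIP! rewrite that leaves the script body in the page, and places it beside the output-encoding approach a site can use so that untrusted text can never form a tag, whatever malformed variants a browser tolerates. The regex-based filter is an assumption modelled only on the rewrite quoted above; the sample page is constructed from the thread's test string.

```python
import html
import re

# Assumed model of the "Strip Script Tags" rewrite quoted in the thread:
# <SCRIPT becomes <SCRIP! (same length, so an in-line filter need not
# re-segment the TCP stream), but everything between the tags survives.
SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)
SCRIPT_CLOSE = re.compile(r"</script\s*>", re.IGNORECASE)


def strip_script_tags(page: str) -> str:
    """Tag-name mangling in the style the thread describes (assumed behaviour)."""
    page = SCRIPT_OPEN.sub("<SCRIP!", page)
    return SCRIPT_CLOSE.sub("</SCRIP!>", page)


def escape_untrusted(text: str) -> str:
    """Entity-encode untrusted text destined for an HTML body context.

    '<', '>', '&' and quotes become entities, so no tag can be formed
    regardless of how leniently the browser parses malformed markup.
    """
    return html.escape(text, quote=True)


# Constructed sample mirroring the page the thread tested against.
SAMPLE = '<<SCRIPT LANGUAGE="JavaScript">alert("hello world")</SCRIPT> test'


def compare(page: str = SAMPLE) -> dict:
    """Run both treatments over one page and report what each leaves behind."""
    stripped = strip_script_tags(page)
    escaped = escape_untrusted(page)
    return {
        "stripped": stripped,
        # The filter neutralises the tag but the code text is still delivered.
        "script_body_survives": 'alert("hello world")' in stripped,
        "escaped": escaped,
        # Encoding removes every raw '<', so there is nothing left to parse as a tag.
        "escaped_contains_tag_chars": "<" in escaped,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```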

