IDS mailing list archives
CSLID evasion - Client protection
From: Ravi Chunduru <ravi.is.chunduru () gmail com>
Date: Wed, 25 Mar 2009 07:40:45 -0700
In many cases, ActiveX CLSID is sent in HTML pages as a simple string such as

    CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766

To evade detection by intermediate security devices, clsid information can be sent as JavaScript which looks like this:

    <script>
    var object1=document.createElement('object');
    object1.setAttribute("CLSID", "C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");   ****Evasion***
    xyz = object1.CreateObject(....)
    ....

The above evasion can have any combination of characters. How can one go about writing rules to detect these evasions? Is PCRE good enough for this? I thought that it can't be done by PCRE expressions and that it requires some code support in IDP sensors. What do you think?

Thanks
Ravi
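Added example, not part of the original post: a sketch of the "code support" the question asks about, where a sensor-side normalizer constant-folds adjacent string literals before the CLSID signature is applied. The function names and the assumption that literals contain no escape sequences are this example's own.

```python
import re

# CLSID signature as a static rule would express it (case-insensitive).
CLSID_RE = re.compile(
    r"clsid:\s*\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?",
    re.IGNORECASE,
)

# Two adjacent string literals joined by '+', e.g. "C"+"L" or 'ab' + "cd".
# Assumption: literals hold no escape sequences or embedded quotes.
CONCAT_RE = re.compile(r"""(["'])([^"'\\]*)\1\s*\+\s*(["'])([^"'\\]*)\3""")


def fold_string_concat(script: str) -> str:
    """Merge literal+literal concatenations repeatedly until a fixed point."""
    while True:
        folded = CONCAT_RE.sub(
            lambda m: '"' + m.group(2) + m.group(4) + '"', script
        )
        if folded == script:
            return folded
        script = folded


def find_clsids(script: str, normalize: bool = True) -> list[str]:
    """Return upper-cased CLSIDs found, optionally after folding literals."""
    text = fold_string_concat(script) if normalize else script
    return [guid.upper() for guid in CLSID_RE.findall(text)]


# Constructed samples: the plain form and the split form quoted in the post.
PLAIN = "CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766"
SPLIT = ('object1.setAttribute("CLSID", "C"+"L"+"S"+"ID:"+'
         '"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");')

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("split", SPLIT)):
        print(name,
              "raw:", find_clsids(sample, normalize=False),
              "folded:", find_clsids(sample))
```

The folder handles only literal-to-literal concatenation; strings assembled at run time through variables or function calls need script evaluation in the sensor, which neither this folder nor a regular expression provides.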
Current thread:
- CSLID evasion - Client protection Ravi Chunduru (Mar 25)
- Re: CSLID evasion - Client protection Stuart Staniford (Mar 25)
- RE: CSLID evasion - Client protection Addepalli Srini-B22160 (Mar 25)
- Re: CSLID evasion - Client protection Stuart Staniford (Mar 26)
- <Possible follow-ups>
- Re: CSLID evasion - Client protection ushacker20002001 (Mar 25)