WebApp Sec mailing list archives

Re: forbidden functions on client-side scripts


From: Alonso Robles <kha0z () earthlink net>
Date: Thu, 12 Dec 2002 00:36:39 -0800

Shimon,

Most client applications such as web browsers and email clients have
built-in security measures to prevent the execution of malicious code in VB
and Java Script. Most of these measures are defined in whole or in part by
the W3C specification for including VB and Java script interpreters in such
client applications. For the most part, these rules are governed by the
"trusted" sites and user settings. The execution of the malicious code
happens when the end user or system administrator changes these settings on
the actual clients and creates a security hole where this can take place.

In my experience, widely used and financially backed applications do a fair
job at minimizing the opportunity of malicious client side scripts to
execute. They additionally post security patches that are available to patch
holes that may have been left open during the prior development phases.

In other words, I would not worry too much about adding "key words" such as
the ones on your lists to look for malicious code. The only key time to look
for these words would be when you are developing a new application that
could potentially be vulnerable to malicious client side scripting.

If I failed to hammer the nail on the head, please explain in more detail
about the specific use of these filters for which they will be used in order
to provide more specific information to assist you in your quest for a
complete answer to your question.

Regards,
Alonso

On 12/11/02 9:06 AM, "Shimon Silberschlag" <shimons () bll co il> wrote:

Some products that are used as content filters for the HTTP traffic
used by internal users, have the ability to block certain "dangerous"
functions used on client side scripts from getting to the internal
client. Attached is the default function list used by such a product.
Since I'm not a programmer, can someone tell me if this list is
complete/overkill/lacking and what other functions that are
dangerous/benign should I consider adding/dropping from the list. The
list is given for VBscript and JavaScript separately.


[VB SCRIPT]
Forbidden words=CreateObject,GetParentFolderName,GetFolder,GetExtensionName,FileExist,GetSpecialFolder,GetFile,Replace,DriveType,ExpandEnviromentString,Opentextfile,CreateTextRange,OpenAsTextStream,DeleteFile,CopyFile,RegWrite


[JAVA SCRIPT]
Forbidden words=CreateObject,ActiveXobject,GetParentFolderName,GetFolder,GetExtensionName,Replace,Opentextfile,DeleteFile,CopyFile,RegWrite

TIA,

Shimon Silberschlag

+972-3-9352785
+972-51-207130


 
--
Alonso Robles
Email: kha0z () earthlink net
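As an added illustration, not part of either message and not the code of the filtering product Shimon describes, here is a small Python version of the keyword filter the thread is about. It parses the quoted INI-style list (with the entries that e-mail line wrapping split rejoined), matches the names case-insensitively on word boundaries, and runs over two constructed script snippets. The matching rules and the sample scripts are my assumptions; the thread does not say how the product itself matches.

```python
import configparser
import re

# The product's default list as quoted in Shimon's message. The INI layout
# (one section per language, one "Forbidden words" key) follows the quote;
# spellings such as "ExpandEnviromentString" are kept as the list has them.
DEFAULT_LIST = """
[VB SCRIPT]
Forbidden words=CreateObject,GetParentFolderName,GetFolder,GetExtensionName,FileExist,GetSpecialFolder,GetFile,Replace,DriveType,ExpandEnviromentString,Opentextfile,CreateTextRange,OpenAsTextStream,DeleteFile,CopyFile,RegWrite

[JAVA SCRIPT]
Forbidden words=CreateObject,ActiveXobject,GetParentFolderName,GetFolder,GetExtensionName,Replace,Opentextfile,DeleteFile,CopyFile,RegWrite
"""


def load_forbidden_words(ini_text):
    """Parse the INI-style list into {section name: [word, ...]}."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return {
        section: [w.strip() for w in cp[section]["Forbidden words"].split(",") if w.strip()]
        for section in cp.sections()
    }


def compile_filter(words):
    """Build one regex for a word list.

    Assumption: whole-word, case-insensitive matching. VBScript names are
    case-insensitive, and the word boundaries stop "GetFile" from firing
    inside an unrelated longer identifier.
    """
    alternation = "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))
    return re.compile(r"\b(" + alternation + r")\b", re.IGNORECASE)


def scan_script(script, language, lists=None):
    """Return (line number, name as written in the script) for every hit."""
    lists = lists or load_forbidden_words(DEFAULT_LIST)
    rx = compile_filter(lists[language])
    return [
        (lineno, m.group(1))
        for lineno, line in enumerate(script.splitlines(), 1)
        for m in rx.finditer(line)
    ]


# Constructed sample: VBScript that creates the filesystem object and deletes a file.
VBS_SAMPLE = """Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FileExists("c:\\temp\\log.txt") Then fso.DeleteFile "c:\\temp\\log.txt"
"""

# Constructed sample: ordinary JavaScript that only normalises a page title.
JS_SAMPLE = """var slug = document.title.replace(/\\s+/g, "-");
"""


if __name__ == "__main__":
    for lang, sample in (("VB SCRIPT", VBS_SAMPLE), ("JAVA SCRIPT", JS_SAMPLE)):
        print(lang, scan_script(sample, lang))
```

Two things the run shows bear on Shimon's "complete/overkill/lacking" question. The JavaScript list's Replace entry flags the benign `.replace(` call in the second snippet, so that entry is a steady source of false positives on ordinary pages. And the VB entry as quoted, FileExist, does not match the FileSystemObject method FileExists under whole-word matching, so both the spelling of each entry and the product's match semantics (whole word or substring, case-sensitive or not) decide what a name-based filter actually catches.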

