WebApp Sec mailing list archives
RE: forbidden functions on client-side scripts
From: Thor Larholm <Thor () jubii dk>
Date: Fri, 13 Dec 2002 13:21:17 +0100
Is your content filter actively executing the VBScript and JavaScript code (and in which environment, using which scripting host and which script interpreter?) and analyzing whatever strings it contains after execution? If not, you have only gained a false sense of security.

Any practical real-life exploitation of these 'forbidden' functions would most surely involve anything from simple to advanced string obfuscation, such as generating the function call or object reference dynamically or producing the code to be executed from compressed strings that are recreated and evaluated at runtime. Since your content filter merely does simplistic string matching, not unlike most AV vendors when they filter 'nasty' POC code from Bugtraq, it will only detect the crudest attempts from the most inexperienced script kiddie.

Other than that, the only functions in your list that are actual VBScript and JScript functions are CreateObject and ActiveXObject; the rest are methods that exist on commonly used ActiveX objects - after their successful instantiation.

Regards
Thor Larholm

-----Original Message-----
From: Shimon Silberschlag [mailto:shimons () bll co il]
Sent: 11. december 2002 18:06
To: webappsec () securityfocus com
Subject: forbidden functions on client-side scripts

Some products that are used as content filters for the HTTP traffic used by internal users have the ability to block certain "dangerous" functions used on client-side scripts from getting to the internal client. Attached is the default function list used by such a product. Since I'm not a programmer, can someone tell me if this list is complete/overkill/lacking, and what other functions that are dangerous/benign should I consider adding/dropping from the list? The list is given for VBScript and JavaScript separately.
[VB SCRIPT]
Forbidden words=CreateObject,GetParentFolderName,GetFolder,GetExtensionName,FileExist,GetSpecialFolder,GetFile,Replace,DriveType,ExpandEnviromentString,Opentextfile,CreateTextRange,OpenAsTextStream,DeleteFile,CopyFile,RegWrite

[JAVA SCRIPT]
Forbidden words=CreateObject,ActiveXobject,GetParentFolderName,GetFolder,GetExtensionName,Replace,Opentextfile,DeleteFile,CopyFile,RegWrite

TIA,
Shimon Silberschlag
+972-3-9352785
+972-51-207130
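To make Thor's point about simplistic string matching concrete, here is an added Python example; it is not code from the thread or from any filtering product. It parses the posted "Forbidden words" lists, runs a naive case-insensitive substring match of the kind Thor describes alongside a slightly stricter whole-identifier match, and shows on constructed sample scripts where each matcher misfires. The config text (kept with the spelling as posted), the sample scripts and both matcher functions are assumptions of the example.

```python
import re
from typing import Dict, List, Set

# Constructed copy of the two lists quoted in Shimon's message, kept in the
# "[SECTION]" / "Forbidden words=a,b,c" layout they were posted in (spelling as
# posted, including "ExpandEnviromentString"; line-wrap spaces removed).
FILTER_CONFIG = """
[VB SCRIPT]
Forbidden words=CreateObject,GetParentFolderName,GetFolder,GetExtensionName,FileExist,GetSpecialFolder,GetFile,Replace,DriveType,ExpandEnviromentString,Opentextfile,CreateTextRange,OpenAsTextStream,DeleteFile,CopyFile,RegWrite
[JAVA SCRIPT]
Forbidden words=CreateObject,ActiveXobject,GetParentFolderName,GetFolder,GetExtensionName,Replace,Opentextfile,DeleteFile,CopyFile,RegWrite
"""


def parse_forbidden_words(config: str) -> Dict[str, Set[str]]:
    """Parse the [SECTION] / 'Forbidden words=...' layout into lower-cased word sets."""
    sections: Dict[str, Set[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, set())
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            if key.strip().lower() == "forbidden words":
                sections[current].update(
                    w.strip().lower() for w in value.split(",") if w.strip())
    return sections


def scan_substring(script: str, words: Set[str]) -> List[str]:
    """Naive filter: a word hits if it appears anywhere in the text, case-insensitively."""
    lowered = script.lower()
    return sorted(w for w in words if w in lowered)


def scan_identifiers(script: str, words: Set[str]) -> List[str]:
    """Stricter variant: a word hits only when it occurs as a whole identifier token."""
    idents = {m.group(0).lower()
              for m in re.finditer(r"[A-Za-z_][A-Za-z0-9_]*", script)}
    return sorted(w for w in words if w in idents)


# Constructed sample scripts (not taken from the thread).
VBS_FILE_OPS = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
    'If fso.FileExists("C:\\temp\\old.log") Then fso.DeleteFile "C:\\temp\\old.log"\r\n'
)
VBS_REAL_METHOD = (
    'Set sh = CreateObject("WScript.Shell")\r\n'
    'tmp = sh.ExpandEnvironmentStrings("%TEMP%")\r\n'
)
JS_WORD_IN_STRING = 'var parts = "replacement parts";\ndocument.title = parts;\n'
JS_STRING_METHOD = 'var t = "a b c";\ndocument.title = t.replace(/ /g, "_");\n'
JS_COMMENT_ONLY = "// never call CreateObject from here\nvar x = 1;\n"


def compare(script: str, section: str) -> Dict[str, List[str]]:
    """Run both matchers over one script with the word list of the given section."""
    words = parse_forbidden_words(FILTER_CONFIG)[section]
    return {"substring": scan_substring(script, words),
            "identifier": scan_identifiers(script, words)}


if __name__ == "__main__":
    for name, script, section in [
        ("VBS_FILE_OPS", VBS_FILE_OPS, "VB SCRIPT"),
        ("VBS_REAL_METHOD", VBS_REAL_METHOD, "VB SCRIPT"),
        ("JS_WORD_IN_STRING", JS_WORD_IN_STRING, "JAVA SCRIPT"),
        ("JS_STRING_METHOD", JS_STRING_METHOD, "JAVA SCRIPT"),
        ("JS_COMMENT_ONLY", JS_COMMENT_ONLY, "JAVA SCRIPT"),
    ]:
        print(name, compare(script, section))
```

Neither matcher can see a name that is only assembled at run time, which is exactly why Thor asks whether the filter executes the script rather than greps it. The samples also show the cost of keeping `Replace` on the list (it hits every legitimate string replacement, and the substring matcher even hits the word "replacement" inside a string literal), that both matchers fire on a name that only appears in a comment, that the stricter matcher misses `FileExists` because the entry is `FileExist`, and that the entry `ExpandEnviromentString`, as posted, matches the real method name `ExpandEnvironmentStrings` under neither matcher.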
Current thread:
- forbidden functions on client-side scripts Shimon Silberschlag (Dec 11)
- Re: forbidden functions on client-side scripts Alonso Robles (Dec 12)
- <Possible follow-ups>
- RE: forbidden functions on client-side scripts Uzi Refaeli (Dec 11)
- RE: forbidden functions on client-side scripts Thor Larholm (Dec 13)