Hi Ravi, You are right that many IDS/IPS systems don't have java script analyzers. Even the systems that have these analyzers will also have problems in detecting these kinds of attacks.
One simple way is to create a signature which checks version string in User-Agent field and javascript in response html data. If user agent version indicates vulnerable software edition and javascript is seen, this signature flags the administrator. Since javascript is not analyzed, there could be false positives; but at the minimum, it provides logs and alerts to administrator to take further action. Srini -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Chunduru Sent: Saturday, June 07, 2008 1:55 PM To: Focus IDS Subject: Javascript long string detection Hi, I have come across this vulnerability http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0729 and corresponding Exploit at http://www.milw0rm.org/exploits/5268 There are so many ways to create a long string in Javascript. How do Network based IDS/IPS can detect these kinds of attacks? Is it possible to create signatures to detect these attacks? Many existing IDS/IPS devices don't have capabilities to interpret and evaluate javascripts. So, I would think that it is nearly impossible. Any insight? Thanks Ravi ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in tro_sfw to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
