I don't think you have a prayer of dealing with javascript attacks
without either writing or using some kind of javascript parser. Some
people work with
http://www.mozilla.org/js/spidermonkey/
However, increasingly we see code being in between non script HTML
tags and then being manipulated from within the javascript accessing
the browser DOM tree. So you pretty much have to parse HTML too.
Stuart.
On Mar 25, 2009, at 7:40 AM, Ravi Chunduru wrote:
In many cases, ActiveX CLSID is sent in HTML pages as a simple
string such as
CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766
To evade detection by intermediate security devices, clsid information
can be sent as java script which looks like this:
<script>
var object1=document.createElement('object');
object1.setAttribute("CLSID",
"C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");
****Evasion***
xyz = object1.CreateObject(....)
....
Above evasion can have any combination of characters.
How can one go about writing rules to detect these evasions? Does
PCRE good enough for this? I thought that it can't be done by PCRE
expressions and it requires some code support in IDP sensors. What do
you think?
Thanks
Ravi
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
