IDS: Re: Javascript long string detection

Re: Javascript long string detection

From: Ravi Chunduru <ravi.is.chunduru_at_gmail.com>
Date: Mon, 9 Jun 2008 20:56:38 -0700

This seems fine to me. Do you know the vulnerable version of the Safari browser?

Thanks
Ravi

On Mon, Jun 9, 2008 at 7:17 PM, Srinivasa Addepalli <srao_at_intoto.com> wrote:
> Hi Ravi,
>
> You are right that many IDS/IPS systems don't have JavaScript analyzers.
> Even the systems that have these analyzers will also have problems in
> detecting these kinds of attacks.
>
> One simple way is to create a signature which checks version string in
> User-Agent field and javascript in response html data. If user agent
> version indicates vulnerable software edition and javascript is seen, this
> signature flags the administrator. Since javascript is not analyzed, there
> could be false positives; but at the minimum, it provides logs and alerts to
> administrator to take further action.
>
> Srini
>
>
> -----Original Message-----
> From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com] On
> Behalf Of Ravi Chunduru
> Sent: Saturday, June 07, 2008 1:55 PM
> To: Focus IDS
> Subject: Javascript long string detection
>
> Hi,
>
> I have come across this vulnerability
>
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0729
>
> and corresponding Exploit at
>
> http://www.milw0rm.org/exploits/5268
>
> There are so many ways to create a long string in Javascript. How can
> network-based IDS/IPS detect these kinds of attacks? Is it
> possible to create signatures to detect these attacks? Many existing
> IDS/IPS devices don't have capabilities to interpret and evaluate
> javascripts. So, I would think that it is nearly impossible. Any
> insight?
>
> Thanks
> Ravi
>

Received on Jun 10 2008
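
The signature Srini describes in the thread above (a User-Agent version check correlated with JavaScript in the response), sketched here as an added example that is not code from the thread or from any IDS product. The thread never names the affected Safari versions, so the watch list, version tokens and HTTP messages below are constructed placeholders, and the function names are hypothetical.

```python
import re

UA_HEADER = re.compile(rb"^User-Agent:[ \t]*([^\r\n]*)", re.I | re.M)
SAFARI_VERSION = re.compile(rb"Version/([0-9A-Za-z.\-]+)[^\r\n]*Safari/")
CONTENT_TYPE = re.compile(rb"^Content-Type:[ \t]*([^;\r\n]+)", re.I | re.M)
SCRIPT_MARKER = re.compile(rb"<script\b|javascript:", re.I)

def split_message(raw):
    head, _, body = raw.partition(b"\r\n\r\n")  # (header block, body)
    return head, body

def safari_version(request):
    """Return the Safari version token from the User-Agent, or None."""
    ua = UA_HEADER.search(split_message(request)[0])
    match = SAFARI_VERSION.search(ua.group(1)) if ua else None
    return match.group(1).decode("ascii") if match else None

def check_transaction(request, response, vulnerable_versions):
    """Alert when a client on the watch list receives any script content.
    The script is only spotted, never evaluated, so a hit is a lead for
    the administrator (false positives expected), not proof of an attack.
    The response body must already be de-chunked and decompressed.
    """
    version = safari_version(request)
    if version not in vulnerable_versions:
        return None
    head, body = split_message(response)
    ctype = CONTENT_TYPE.search(head)
    if ctype and b"javascript" in ctype.group(1).lower():
        where = "script content type"
    elif SCRIPT_MARKER.search(body):
        where = "inline script in body"
    else:
        return None
    return {"safari_version": version, "matched": where}

# Constructed sample traffic; the version tokens are made-up placeholders.
WATCH_LIST = {"9.9.9-TEST"}  # assumption: fill in from the vendor advisory
REQ_WATCHED = (b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0 "
               b"(Macintosh) AppleWebKit/0 Version/9.9.9-TEST Safari/0\r\n\r\n")
REQ_OTHER = REQ_WATCHED.replace(b"9.9.9-TEST", b"1.1.1-TEST")
RESP_SCRIPT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<html><script>var s = 'x';</script></html>")
RESP_PLAIN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b"<html><p>hello</p></html>")

if __name__ == "__main__":
    print(check_transaction(REQ_WATCHED, RESP_SCRIPT, WATCH_LIST))
```

Because the request and response travel in opposite directions, a sensor has to carry the User-Agent match across to the response of the same HTTP transaction before the second check can fire.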