Javascript long string detection


Javascript long string detection

by Ravi Chunduru

Hi,

I have come across this vulnerability

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0729

and corresponding Exploit at

http://www.milw0rm.org/exploits/5268

There are so many ways to create a long string in JavaScript. How can
network-based IDS/IPS detect these kinds of attacks? Is it
possible to create signatures to detect these attacks? Many existing
IDS/IPS devices don't have capabilities to interpret and evaluate
JavaScript. So, I would think that it is nearly impossible. Any
insight?

Thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------


RE: Javascript long string detection

by Srinivasa Addepalli

Hi Ravi,

You are right that many IDS/IPS systems don't have JavaScript analyzers.
Even the systems that have these analyzers will also have problems in
detecting these kinds of attacks.

One simple way is to create a signature which checks the version string in
the User-Agent field and JavaScript in the response HTML data. If the user agent
version indicates a vulnerable software edition and JavaScript is seen, this
signature flags the administrator. Since the JavaScript is not analyzed, there
could be false positives; but at the minimum, it provides logs and alerts to
the administrator to take further action.

Srini


-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of Ravi Chunduru
Sent: Saturday, June 07, 2008 1:55 PM
To: Focus IDS
Subject: Javascript long string detection

Hi,

I have come across this vulnerability

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0729

and corresponding Exploit at

http://www.milw0rm.org/exploits/5268

There are so many ways to create a long string in JavaScript. How can
network-based IDS/IPS detect these kinds of attacks? Is it
possible to create signatures to detect these attacks? Many existing
IDS/IPS devices don't have capabilities to interpret and evaluate
JavaScript. So, I would think that it is nearly impossible. Any
insight?

Thanks
Ravi
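
The signature described in the reply above, sketched as an added example (not code from the thread or from any IDS product): it pairs the request's User-Agent version with a script tag in the HTML response and alerts without evaluating the script. The watchlist value "0.0", the lower-cased header dictionaries and the sample traffic are constructed assumptions; the thread does not state the vulnerable version.

```python
import re

# Placeholder watchlist: the thread never states the vulnerable Safari
# version, so "0.0" is a constructed value to be replaced from the advisory.
WATCHED_SAFARI_VERSIONS = {"0.0"}

# Safari puts its release in "Version/x.y" ahead of the "Safari/build" token.
UA_RE = re.compile(r"Version/(\d+(?:\.\d+)*)\s+(?:Mobile/\S+\s+)?Safari/")
SCRIPT_RE = re.compile(rb"<script\b", re.IGNORECASE)


def safari_version(user_agent):
    """Return the Safari version string from a User-Agent, or None."""
    if not user_agent or "Chrome/" in user_agent:  # Chrome also says "Safari/"
        return None
    m = UA_RE.search(user_agent)
    return m.group(1) if m else None


def check_transaction(req_headers, resp_headers, resp_body):
    """Return an alert dict when a watched client receives HTML carrying a
    script tag, else None. The script is not evaluated, so an alert means
    "review this", not "exploit seen"."""
    version = safari_version(req_headers.get("user-agent"))
    if version not in WATCHED_SAFARI_VERSIONS:
        return None
    if "html" not in resp_headers.get("content-type", "").lower():
        return None
    if not SCRIPT_RE.search(resp_body):
        return None
    return {"safari_version": version, "reason": "watched client received JavaScript"}


# Constructed sample traffic (headers lower-cased by the hypothetical sensor).
WATCHED_UA = "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/000 (KHTML, like Gecko) Version/0.0 Mobile/0X000 Safari/000.0"
OTHER_UA = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/000 (KHTML, like Gecko) Version/9.9 Safari/000.0"
HTML = {"content-type": "text/html; charset=utf-8"}
SAMPLES = [
    ({"user-agent": WATCHED_UA}, HTML, b"<html><SCRIPT>var s = 'a';</SCRIPT></html>"),
    ({"user-agent": WATCHED_UA}, HTML, b"<html><p>no script here</p></html>"),
    ({"user-agent": OTHER_UA}, HTML, b"<html><script>var s = 'a';</script></html>"),
    ({"user-agent": WATCHED_UA}, {"content-type": "image/png"}, b"\x89PNG<script>"),
    ({}, HTML, b"<html><script>var s = 'a';</script></html>"),
]

if __name__ == "__main__":
    for req, resp, body in SAMPLES:
        print(check_transaction(req, resp, body))
```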



Re: Javascript long string detection

by Ravi Chunduru

This seems fine to me. Do you know the vulnerable version of the Safari browser?

Thanks
Ravi

On Mon, Jun 9, 2008 at 7:17 PM, Srinivasa Addepalli <srao@...> wrote:

> Hi Ravi,
>
> You are right that many IDS/IPS systems don't have JavaScript analyzers.
> Even the systems that have these analyzers will also have problems in
> detecting these kinds of attacks.
>
> One simple way is to create a signature which checks the version string in
> the User-Agent field and JavaScript in the response HTML data. If the user agent
> version indicates a vulnerable software edition and JavaScript is seen, this
> signature flags the administrator. Since the JavaScript is not analyzed, there
> could be false positives; but at the minimum, it provides logs and alerts to
> the administrator to take further action.
>
> Srini


Re: Javascript long string detection

by Ureleet

On the iPhone? How are you going to detect that using a network-based IPS?

I mean, if the iPhone is on WiFi, but other than that...

On Mon, Jun 9, 2008 at 11:56 PM, Ravi Chunduru
<ravi.is.chunduru@...> wrote:

> This seems fine to me. Do you know the vulnerable version of the Safari browser?
>
> Thanks
> Ravi


Re: Javascript long string detection

by Ravi Chunduru

Right. If traffic does not go through the IPS, it has no way of detecting
exploits. Some companies allow phone traffic to go through their network
for all kinds of traffic with split tunnel mode OFF. In these cases
too, a network IPS, when deployed at the right place, can detect the
exploits.

thanks
Ravi


On Wed, Jun 11, 2008 at 11:21 AM, Ureleet <ureleet@...> wrote:

> On the iPhone? How are you going to detect that using a network-based IPS?
>
> I mean, if the iPhone is on WiFi, but other than that...