Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Obfuscated web pages

from [Mike Barkett] Network Security [Permanent Link]
Subject: RE: Obfuscated web pages
Date: Thu, 14 Feb 2008 18:42:09 -0500 


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Mike Lococo
Sent: Thursday, February 14, 2008 4:51 PM


Are any current network based IDS/P systems able to unwind
obfuscated web script to examine the final javascript product?


Others have noted that this isn't often attempted, but it should also be
mentioned that it *can't* be done generically for links of any
significant bandwidth.  If the unwinding routine takes a tenth of a
second to run on a fast modern processor the web-browser user won't
notice at all.  Your IDS, on the other hand, will fall over at 10
packets/second.  As processors get faster, attackers will use more
complex unwinding routines to ensure the CPU load is prohibitive for an
IDS.


Mike -

An alternative would be to prevent routines that are too complex by default,
and allow the administrator to define higher thresholds or whitelists for
trusted sites.  Also, the IDS wouldn't fall over if it were capable of any
kind of parallelization; just those particular connections would be delayed.
Bear in mind, we're still talking about a theoretical DOM inspector here, as
opposed to an extant general purpose IPS product.



From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Gary Flynn
Sent: Thursday, February 14, 2008 4:18 PM

I suspect that no vendors support this feature ( actual code
execution in some sort of sandbox ) and I was just trying to
verify it.



Gary - Actually, the Check Point IPS-1 (formerly NFR) sensor engine has, for
many years, executed protections in a "sandbox" so that no single protection
can dominate the processor(s).  So, if someone were to write N-code to try
to interpret generalized code, it would operate in that same sandbox, for
lack of a better term.  This even applies inline.  However, just to be
clear, off the shelf, IPS-1 does not do any of the theoretical DOM
validation stuff previously mentioned in this thread.


-MAB

--
Michael A Barkett, CISSP
IPS Security Engineering Director
Check Point Software Technologies
+1.240.632.9000 Fax: +1.240.747.3512


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 
to learn more.
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Obfuscated web pages, Mike Barkett
Next by Date:  Re: Obfuscated web pages, Dustin D. Trammell
Previous by Thread:  Re: Obfuscated web pages, Mike Lococo
Next by Thread:  Re: Obfuscated web pages, Ivan Arce
Indexes:  [Date] [Thread] [Top] [All Lists]