[Snort-sigs] Bypassing rules with spaces in scripts

Joseph Gama josephgama at ...144...
Wed Jul 21 17:24:14 EDT 2004


Thank you Adrian for the kind words. Just trying to
help the Open Source movement. :)
I realized that several rules that detect malicious
scripts are vulnerable to deception by using spaces or
playing with " and '.
Here are two examples:
will fail for < SCRIPT>
<SCRIPT language="javascript">
will fail for:
<SCRIPT language ="javascript">
<SCRIPT language= "javascript">
< SCRIPT language="javascript"> etc...

Using " and ' is also a problem:
<SCRIPT language='javascript'>
there is no need for them some times:
<SCRIPT language=javascript>



Do you Yahoo!?
Read only the mail you want - Yahoo! Mail SpamGuard.

More information about the Snort-sigs mailing list