[Snort-sigs] Bypassing rules with spaces in scripts

Joseph Gama josephgama at ...144...
Wed Jul 21 17:24:14 EDT 2004


Hello,

Thank you Adrian for the kind words. Just trying to
help the Open Source movement. :)
I realized that several rules that detect malicious
scripts are vulnerable to deception by using spaces or
playing with " and '.
Here are two examples:
<SCRIPT> 
will fail for < SCRIPT>
and
<SCRIPT language="javascript">
will fail for:
<SCRIPT language ="javascript">
<SCRIPT language= "javascript">
< SCRIPT language="javascript"> etc...

Using " and ' is also a problem:
<SCRIPT language='javascript'>
there is no need for them some times:
<SCRIPT language=javascript>

Peace,

Joseph


		
__________________________________
Do you Yahoo!?
Read only the mail you want - Yahoo! Mail SpamGuard.
http://promotions.yahoo.com/new_mail 




More information about the Snort-sigs mailing list