Acidus wrote:
My homies in X-Force are going to have a shitty day tomorrow...

Why is that? ISS shipped a patch for the issue you're linking on May 8th, per your link.

Acidus wrote:

My homies in X-Force are going to have a shitty day tomorrow...

It's funny the perspective that this will get "patched". There are just too many permutations in the wild, and I've yet to see an IDS properly stream re-assemble, decompose a protocol message, identify encoded blocks within the message, and canonicalize them to their most common or reducible form applicable to the application.

I mean, come on: it's a crazy complex job. Not to mention that to attempt every variation on the fly would be too expensive performance-wise.

Ultimately there is no way these products can infer the decoded state of a message and reduce to that level for IDS/IPS/FW analysis, unless they compare encoded blocks on input with decoded blocks on output for client-side UA attacks. Unless they have host agents, they have no real way to correlate and deduce state within an application to identify server-side attacks.

Acidus wrote:
... but not as shitty as Bob Auger is going to have. I remember him starting to do this about 6 months ago, but he wasn't the one who broke the news. Bummer.

1. I started down this path in 2000, btw//.

2. I started down this path after being fascinated with what the VXers were doing with their encoded envelopes, and wondering how that applied to my web apps.

3. I really got woken up when K2 showed me his polymorphic shell-code preso before CanSec at Frank Heidt's SeaBeckCon conference. Some random hotel lobby around the sound in Seattle, never forget that, total "duh" moment.

4. We built some tools & charts to do this stuff at my last employer (to assist in testing by hand), that were far more capable than anything released by any commercial webappsec testing vendor. We waltzed through some security platforms and most WAFs doing this. I mean: F5's WAF (the Magnifier thing) couldn't even handle chunked encoding properly just a couple of years ago.

5. I've been working on a cookbook to publish on this for a long time now. Not sure where in the world you get time to finish your research, but I should (will?) probably wrap this up soon if I can find the time.

There's just a lack of good resources out there, so this is all black magic mystery to most.

Thanks for the kind notes; now I have to quit making fun of your constant web 2.0/ajax worm stuff. :)

Arian

arian wrote:
I mean, come on: it's a crazy complex job. Not to mention that to attempt every variation on the fly would be too expensive performance-wise.

I agree that most of Layer 7 is going to be beyond IDS/IPS. Its simply a matter of normailzation. Layers 3 and Layers 4 represented in relatively normal forms.

TCP/IP stacks don't speak Shift_JIS or UTF-16, let alone nested encodings.

Not sure where in the world you get time to finish your research, but I should (will?) probably wrap this up soon if I can find the time.

Smack. Red Bull and Smack.

Thanks for the kind notes; now I have to quit making fun of your constant web 2.0/ajax worm stuff. :)

I've got some stuff up my sleeve I think you'll enjoy...