Acidus wrote: My homies in X-Force are going to have a shitty day tomorrow...
It's funny the perspective that this will get "patched". There are just too many permutations in the wild, and I've yet to see an IDS properly stream re-assemble, decompose a protocol message, identify encoded blocks within the message, and canonicalize them to their most common or reducible form applicable to the application. I mean, come on: it's a crazy complex job. Not to mention that to attempt every variation on the fly would be too expensive performance-wise. Ultimately there is no way these products can infer the decoded state of a message and reduce to that level for IDS/IPS/FW analysis, unless they compare encoded blocks on input with decoded blocks on output for client-side UA attacks. Unless they have host agents, they have no real way to correlate and deduce state within an application to identify server-side attacks. Acidus wrote: ... but not as shitty as Bob Auger is going to have. I remember him starting to do this about 6 months ago, but he wasn't the one who broke the news. Bummer.
1. I started down this path in 2000, btw//. 2. I started down this path after being fascinated with what the VXers were doing with their encoded envelopes, and wondering how that applied to my web apps. 3. I really got woken up when K2 showed me his polymorphic shell-code preso before CanSec at Frank Heidt's SeaBeckCon conference. Some random hotel lobby around the sound in Seattle, never forget that, total "duh" moment. 4. We built some tools & charts to do this stuff at my last employer (to assist in testing by hand), that were far more capable than anything released by any commercial webappsec testing vendor. We waltzed through some security platforms and most WAFs doing this. I mean: F5's WAF (the Magnifier thing) couldn't even handle chunked encoding properly just a couple of years ago. 5. I've been working on a cookbook to publish on this for a long time now. Not sure where in the world you get time to finish your research, but I should (will?) probably wrap this up soon if I can find the time. There's just a lack of good resources out there, so this is all black magic mystery to most. Thanks for the kind notes; now I have to quit making fun of your constant web 2.0/ajax worm stuff. :) Arian RE: Web hackers 9999, IDS 0 |