Right, just like a network is a means, not an end. You inspect the network because you know the threats have to traverse it, and I would argue that similarly, there is value in inspecting JavaScript because, like the network, it is ubiquitously involved in malicious activity. I'm suggesting a JIDS as a plugin to a NIDS.<br>
<br><div class="gmail_quote">On Wed, Oct 22, 2008 at 8:59 AM, Andre Ludwig <span dir="ltr"><<a href="mailto:aludwig@packetspy.com">aludwig@packetspy.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
JS is a means, not an end.<br>
<br>
Andre<br>
<div class="Ih2E3d"><br>
Martin Holste wrote:<br>
> I would agree that for the server arena, SQL injection is probably the<br>
> biggest current threat for most as far as potential damage to their<br>
> organization.<br>
><br>
> For client side, I think that malicious JavaScript has got to be near<br>
> the top. I was picking apart an attack last week in which the<br>
> attackers had gotten an ad banner on a major ad syndicate which was<br>
> iframing to a particularly nasty bit of JavaScript. This script<br>
> created two Java classes by binary packing the entire object as a<br>
> JavaScript string, then referring to that object in the same<br>
> JavaScript. The next thing the client did was to make a malware<br>
> download with "Java 1.5" in the user agent. While browser plugin and<br>
> client-side app vulnerabilities rotate, the attack vectors and payload<br>
> delivery framework usually rely on JavaScript.<br>
><br>
> Brainstorm: Create an IP/domain blacklist that the NoScript guys can<br>
> have their plugin point at?<br>
><br>
> --Martin<br>
><br>
> On Wed, Oct 22, 2008 at 6:37 AM, David Glosser<br>
</div><div class="Ih2E3d">> <<a href="mailto:david.glosser@gmail.com">david.glosser@gmail.com</a>> wrote:<br>
><br>
> What are the biggest threats out there (and tomorrow?) today that<br>
> this new project may be of benefit?<br>
><br>
> I'm voting for:<br>
> Asprox/SQL injection - website owners having their sites infected,<br>
> which means, for granny, it's no longer possible just to tell granny<br>
> to only go to safe sites... And when Adobe's site is infected (1),<br>
> it's a corporate issue as well<br>
> fake security sites - so many domains, fast flux, double-fast flux,<br>
> etc. very low initial detection, sigs are always playing catch-up<br>
> future - continuing infection of web sites running unpatched software,<br>
> DNS or BGP-related attacks/exploits<br>
><br>
> As this is brainstorming, if you don't think it's a good thread,<br>
> don't criticize, just don't respond ;)<br>
><br>
> (1)<a href="http://blogs.zdnet.com/security/?p=2039" target="_blank">http://blogs.zdnet.com/security/?p=2039</a><br>
> _______________________________________________<br>
> Discussion mailing list<br>
> <a href="mailto:Discussion@openinfosecfoundation.org">Discussion@openinfosecfoundation.org</a><br>
</div>> <mailto:<a href="mailto:Discussion@openinfosecfoundation.org">Discussion@openinfosecfoundation.org</a>><br>
<div class="Ih2E3d">> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/discussion</a><br>
><br>
><br>
</div>> ------------------------------------------------------------------------<br>
<div class="Ih2E3d">><br>
><br>
<br>
<br>
</div>
</blockquote></div><br>
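The quoted message describes a script that packed Java classes into a JavaScript string. The Python check below is an added example, not part of the original thread, showing one thing a JavaScript-aware plugin to a NIDS could do with a script body: decode its string literals and look for the Java class-file magic number. The escape encodings handled, the function names and the sample script are assumptions constructed for this example; the thread does not say how the classes were encoded.

```python
import re

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java .class file

# Single- or double-quoted JS string literals, allowing backslash escapes.
STRING_LITERAL = re.compile(r'"((?:[^"\\\n]|\\.)*)"' + "|" + r"'((?:[^'\\\n]|\\.)*)'")
# Escape forms assumed for packed bytes: \xNN, \uNNNN, %uNNNN, %NN.
ESCAPE = re.compile(
    r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

# Constructed sample: one harmless string, one class header split across a
# concatenation, one header packed as byte-swapped %u units.
SAMPLE = r'''var banner = "ad_728x90";
var c = "\xCA\xFE\xBA\xBE\x00\x00" + "\x00\x31\x00\x10";
var d = unescape("%uFECA%uBEBA%u0000%u3100");
'''

def unpack_literal(body, order):
    """Decode one literal body to bytes; 16-bit escapes use the given byte order."""
    out, pos = bytearray(), 0
    for m in ESCAPE.finditer(body):
        out += body[pos:m.start()].encode("latin-1", "replace")
        x, u, pct_u, pct = m.groups()
        if x or pct:
            out.append(int(x or pct, 16))
        else:
            out += int(u or pct_u, 16).to_bytes(2, order)
        pos = m.end()
    out += body[pos:].encode("latin-1", "replace")
    return bytes(out)

def find_packed_classes(script):
    """Return one record per string literal that decodes to a Java class header."""
    # Heuristic: fold "a" + "b" into one literal so split payloads are seen whole.
    folded = re.sub(r"""(["'])\s*\+\s*\1""", "", script)
    hits = []
    for m in STRING_LITERAL.finditer(folded):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        for order in ("big", "little"):  # packers may store 16-bit units either way
            data = unpack_literal(body, order)
            idx = data.find(JAVA_CLASS_MAGIC)
            if idx != -1 and len(data) >= idx + 8:
                # Class file layout: magic(4) minor(2) major(2); major 49 is Java 5.
                major = int.from_bytes(data[idx + 6:idx + 8], "big")
                hits.append({"offset": m.start(), "decoded_len": len(data), "major": major})
                break
    return hits

if __name__ == "__main__":
    for hit in find_packed_classes(SAMPLE):
        print(hit)
```

A hit means only that a literal decodes to something shaped like a class file; the script still needs analysis before it is treated as malicious.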