[Discussion] new thread: biggest threats
Andre Ludwig
aludwig at packetspy.com
Wed Oct 22 14:19:20 UTC 2008
Correct, but the problem with JS is that it is an extremely expressive
language. One that in conjunction with the DOM provides a nearly
infinite number of ways to shovel an exploit to a vulnerable browser,
kernel, or third-party code. That is the fundamental problem with IDS
when attempting to detect/block these sorts of exploits at this layer.
While I agree that your suggestion would be helpful it IMHO has no place
on the network for sheer performance reasons alone (can you imagine
trying to emulate a full DOM/JS engine at wire speed?). Browsers can
barely keep up with the onslaught of horribly written JS code, much less
purposefully obfuscated or obtuse JS that hides an exploit. This is a
topic that I have dedicated some thought to over the last three years so
I would love to hear everyone's ideas on the subject.
Andre Ludwig
Martin Holste wrote:
> Right, just like a network is a means, not an end. You inspect the network because you know the threats have to traverse it, and I would argue that similarly, there is value in inspecting Javascript because like the network, it is ubiquitously involved in malicious activity. I'm suggesting a JIDS as a plugin to a NIDS.
> On Wed, Oct 22, 2008 at 8:59 AM, Andre Ludwig <aludwig at packetspy.com> wrote:
>
> JS is a means, not an end.
>
> Andre
>
>