RE: Ain't the HTTP Filter Just The Kewlest Ever?!?

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 6 Jan 2005 07:18:17 -0800

P#1 - Stuff & Nonsense; RFC-2616 specifically forbids this.  The idea
that you need <CR><LF> in a request URL is nothing more than one of my
favorite forms of web dev laziness.  My standard response to this is
"Learn to use the "POST" method when you need to send data to the
server.".

P#2 - agreed; I've been arguing for RegEx functionality in ISA since ISA
2K B2.  Unfortunately, performance and stability are prime concerns
here.  Since there are no "standard" RegEx libraries, you'd have to
dedicate resources to test and evaluate the existing custom libraries.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 
-----Original Message-----
From: David Farinic [mailto:davidf@xxxxxxx] 
Sent: Thursday, January 06, 2005 2:02 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Ain't the HTTP Filter Just The Kewlest Ever?!?

http://www.ISAserver.org

>When decoded, "%0A%0D" translates to <CR><LF>; something that should
>NEVER exist in a URL.
Why NEVER? If you are referring to cross-site scripting, an HTTP Response
Splitting attack or cache poisoning, that is a matter for the server app
to filter request data it's not made for (i.e. sanitize request data). I
saw web apps where you could have %0A%0D directly in the URL as a
parameter just to add a line to a posted comment (all other tags were
filtered).
>Ain't the HTTP Filter Just The Kewlest Ever?
Yes it is cool...but as ISA Server itself advises, pattern checking might
slow down your ISA. I believe it is due to the search method coded for
this pattern matching. IMHO it is just for temporary/small blocking rules
rather than for building a bigger HTTP exploit blocking signature system.

Some fast regex checking in HTTP headers would be nice :-).
 
 
________________________________

From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Thursday, January 06, 2005 5:18 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Ain't the HTTP Filter Just The Kewlest Ever?!?
 
http://www.ISAserver.org
I was wandering through my ISA logs (I have no life; I admit it) and I
discovered a crappy little trick Fandango is using to insert ads into
your browser (Steve; you reading?):
 
http://www.fandango.com/eyeblaster/addineyeV2.html?strHTML=%3Cscript%3E%
0D%0A%0A%3C%21--%0Avar%20gfEbInIframe%3Dfalse%3B%0Avar%20gEbAd%20%3D%20n
ew%20Object%28%29%3B%0AgEbAd.nFlightID%20%3D%2061803%3B%0A//Remote%20ser
vers%0AgEbAd.playRS%20%3D%20new%20Object%28%29%3B%0AgEbAd.playRS.strNUrl
%20%3D%20%22http%3A//ad.doubleclick.net/imp%3Bv1%3Bi%3B12979394%3B0-0%3B
0%3B5755652%3B468%7C60%3B8301289%7C8319185%7C1%3B%3Bcs%3Dy%253fhttp%3A//
m3.doubleclick.net%22%3B%0A//Interactions%0AgEbAd.interactions%20%3D%20n
ew%20Object%28%29%3B%0AgEbAd.interactions%5B%22_eyeblaster%22%5D%20%3D%2
0%22ebN%3Dhttp%3A//ad.doubleclick.net/click%253Bh%3Dv3%7C31f4%7C2%7C0%7C
%252a%7Cm%253B12979394%253B0-0%253B0%253B5755652%253B1-468%7C60%253B8301
289%7C8319185%7C1%253B%253B%257Esscs%253D%253fhttp%3A//m3.doubleclick.ne
t%3B%22%3B%0A//--%3E%3C/script%3E%3Cscript%20src%3D%27http%3A//ds.servin
g-sys.com/BurstingScript/ebServing.js%27%3E%3C/script%3E
 
..luckily, since I run my own blocking scripts, the HTTP Filter saw the
"%0D%0A" sequence and said "hell NO!"
    "12217 0x80     Blocked by the HTTP Security filter: URL contains
    sequences which are disallowed"
 
..ok; you may ask - what does "%0D%0A " mean to me?
When decoded, "%0A%0D" translates to <CR><LF>; something that should
NEVER exist in a URL.
There are also other characters that are normally associated with a
technique called "script injection"; a method whereby the sender tricks
your browser or server into doing something you'd really rather it
didn't.
Those characters are shown as "script" and "/script" surrounded by "%3C"
and "%3E"; "<" and ">", respectively.  This is an older (pretty useless,
too) script injection method.
They also try to obfuscate (developer term used to obfuscate the meaning
of the conversation) other characters that might trigger filtering
mechanisms, such as:
"http%3A//" (translates to http://).
 
Since none of my current scripts include the "%3Cscript" sequence, I'll
create another blocking definition and post it.

Needless to say, Fandango just made the top of my sh1tlist...
 
  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
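A defender-side check of the kind the filter above describes, added here as an example and not code from this thread or from ISA Server: it percent-decodes a request URL until the result stops changing (so double-encoded forms such as %250D%250A are caught) and flags the CR/LF and "<script" sequences the post walks through. Function names and all sample URLs except the opening of the Fandango one quoted above are my own constructions.

```python
from urllib.parse import unquote

# Sequences refused anywhere in the decoded request URL: CR/LF in either
# order (the post cites both %0D%0A and %0A%0D) and the <script tag that
# the quoted Fandango URL smuggles in as %3Cscript. Order matters: the
# pairs are listed before the single characters so the reason is specific.
DISALLOWED = [
    ("\r\n", "CR/LF pair"),
    ("\n\r", "LF/CR pair"),
    ("\r", "bare CR"),
    ("\n", "bare LF"),
    ("<script", "script tag"),
]

def normalize_url(url: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, then lower-case it.

    One pass is not enough: %250D%250A decodes to %0D%0A, which only becomes
    CR LF on the second pass. unquote() accepts %0d as well as %0D."""
    current = url
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()

def check_url(url: str) -> tuple:
    """Return (blocked, reason); the reason echoes the ISA log text quoted in
    the post and names the first disallowed sequence found."""
    decoded = normalize_url(url)
    for seq, label in DISALLOWED:
        if seq in decoded:
            return (True, "Blocked by the HTTP Security filter: URL contains "
                          f"sequences which are disallowed ({label})")
    return (False, "allowed")

# Constructed samples: the first is the opening of the Fandango URL quoted
# in the post; the rest are made-up test inputs.
SAMPLE_URLS = [
    "http://www.fandango.com/eyeblaster/addineyeV2.html?strHTML=%3Cscript%3E%0D%0A%0A%3C%21--",
    "http://www.example.com/search?q=isa%20server",      # benign, %20 is fine
    "http://www.example.com/post?msg=line1%0A%0Dline2",   # the case David describes
    "http://www.example.com/?x=%250D%250Aevil",           # double-encoded CR LF
    "http://www.example.com/?x=%3cSCRIPT%3e",             # lower-case hex, upper-case tag
]

def triage(urls) -> list:
    """Run every sample through the check; returns [(url, blocked, reason)]."""
    return [(u, *check_url(u)) for u in urls]

if __name__ == "__main__":
    for url, blocked, reason in triage(SAMPLE_URLS):
        print("BLOCK " if blocked else "ALLOW ", url, "->", reason)
```

The repeated decode is the caveat worth remembering: a filter that matches raw "%0D%0A" only, without decoding first, misses lower-case hex and double-encoded variants.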
 
 
 
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
davidf@xxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 
------------------------------------------------------
All mail to and from this domain is GFI-scanned.