
Difference between revisions of "IDS evasion"

From NetSec
Diff summary (section Filter Evasion, from line 6 of the previous revision): this revision inserts the two paragraphs of the Filter Evasion section shown below, between the {{main| Unsafe string replacement}} and {{expand}} template lines. The rest of the page is unchanged.

Revision as of 02:28, 4 June 2012

Introduction

Intrusion Detection System evasion is the process of evading a host- or network-layer intrusion detection system by various means. 'IDS' is a broad term and refers to intrusion detection systems across many kinds of systems, from web applications to intrusion detection software on a single computer; commonly known examples of an IDS are a firewall or an anti-virus system. Any system that has any kind of connection to the outside world can be protected with an IDS, but as most intrusion detection systems are based on detecting known methods of intrusion, they can often be thwarted by a skilled professional.

Filter Evasion

Main article: Unsafe string replacement

Many intrusion detection systems use string replacement in order to filter "dangerous" strings. For example, in the context of a web application, the string '../' may be removed from the URI in order to prevent directory traversal. However, if the filter is badly implemented it is possible to bypass it by fooling it into altering a string so that what is left behind contains the real payload. For example, if '../' is being filtered out, an attacker could inject '....//': the filter removes the inner '../' from '....//', and the remaining characters form '../' again.

Some intrusion detection systems attempt to thwart this by performing a fixed number of passes over the string; however, this method is not reliable, as an attacker can simply nest more dummy strings until they achieve the desired result. The proper way to handle this kind of injection is to perform a loop-based or recursive check that repeatedly filters the string until no unsafe strings remain.
