
RE: forbidden functions on client-side scripts

From: Thor Larholm <Thor(at)jubii.dk>
Date: Fri Dec 13 2002 - 07:21:17 EST


Is your content filter actively executing the VBScript and JavaScript code (and in which environment using which scripting host and which script interpreter?) and analyzing whatever strings it contains after execution? If not, you have only gained a false sense of security.

Any practical real-life exploitation of these 'forbidden' functions would most surely involve anything from simple to advanced string obfuscation, such as generating the function call or object reference dynamically or producing the code to be executed from compressed strings that are recreated and evaluated at runtime. Since your content filter merely does simplistic string matching, not unlike most AV vendors when they filter 'nasty' POC code from Bugtraq, it will only detect the crudest attempts from the most inexperienced script kiddie.

Other than that, the only functions in your list that are actual VBScript and JScript functions are CreateObject and ActiveXObject; the rest are methods that exist on commonly used ActiveX objects - after their successful instantiation.

Regards
Thor Larholm

-----Original Message-----
From: Shimon Silberschlag [mailto:shimons@bll.co.il]
Sent: 11. december 2002 18:06
To: webappsec@securityfocus.com
Subject: forbidden functions on client-side scripts

Some products that are used as content filters for the HTTP traffic used by internal users, have the ability to block certain "dangerous" functions used on client side scripts from getting to the internal client. Attached is the default function list used by such a product. Since I'm not a programmer, can someone tell me if this list is complete/overkill/lacking and what other functions that are dangerous/benign should I consider adding/dropping from the list. The list is given for VBscript and Javascript separately.

[VB SCRIPT]

Forbidden words=CreateObject,GetParentFolderName,GetFolder,GetExtensionName,File Exist,
GetSpecialFolder,GetFile,Replace,DriveType,ExpandEnviromentString,Open textfile,CreateTextRange,
OpenAsTextStream,DeleteFile,CopyFile,RegWrite

[JAVA SCRIPT]

Forbidden words=CreateObject,ActiveXobject,GetParentFolderName,GetFolder,GetExtensionName,Replace,Opentextfile,DeleteFile,CopyFile,RegWrite


TIA, Shimon Silberschlag

+972-3-9352785
+972-51-207130

Received on Fri Dec 13 08:11:41 2002
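
The limits of word-list matching discussed in this thread, as an added example (not part of either message and not the filtering product's code): a substring matcher over the quoted JavaScript list, run against constructed sample scripts to count what it misses and what it blocks needlessly. Case-insensitive matching and the `Example.Placeholder` ProgID are assumptions.

```javascript
// Added example: a naive substring filter using the JavaScript word list
// quoted in this thread, evaluated against constructed sample scripts.
const FORBIDDEN = [
  "CreateObject", "ActiveXobject", "GetParentFolderName", "GetFolder",
  "GetExtensionName", "Replace", "Opentextfile", "DeleteFile", "CopyFile",
  "RegWrite",
];

// Case-insensitive substring match (assumed behaviour of such a filter).
// Returns the list words found in the raw script text.
function matchForbidden(script, words = FORBIDDEN) {
  const haystack = script.toLowerCase();
  return words.filter((w) => haystack.includes(w.toLowerCase()));
}

// Constructed samples. "Example.Placeholder" is a made-up ProgID.
// wantsObject marks scripts that end up instantiating an ActiveX object.
const SAMPLES = [
  { name: "literal", wantsObject: true,
    script: 'var o = new ActiveXObject("Example.Placeholder");' },
  { name: "assembled-at-runtime", wantsObject: true,
    script: 'var n = "Active" + "XObj" + "ect"; ' +
            'var o = new window[n]("Example.Placeholder");' },
  { name: "benign-string-replace", wantsObject: false,
    script: 'document.title = document.title.replace(/\\s+/g, " ");' },
];

// Classify each sample: blocked, missed (false negative), or
// blocked although harmless (false positive).
function evaluateFilter(samples = SAMPLES) {
  const report = { blocked: [], falseNegatives: [], falsePositives: [] };
  for (const s of samples) {
    const hits = matchForbidden(s.script);
    if (hits.length > 0) report.blocked.push(s.name);
    if (s.wantsObject && hits.length === 0) report.falseNegatives.push(s.name);
    if (!s.wantsObject && hits.length > 0) report.falsePositives.push(s.name);
  }
  return report;
}

console.log(evaluateFilter());
```

The name assembled from string fragments never appears in the text the filter sees, while an ordinary `String.prototype.replace` call is blocked because "Replace" is on the list.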

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT

