|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Alla Bezroutchko (alla
scanit.be)Date: Fri Feb 15 2002 - 11:20:11 CST
I've accidently found a way to bypass IDS detection for HTTP
requests. I've seen this behaviour on some older version of
IIS RealSecure network IDS and I wonder if this works on any
other IDSes.
That particular IDS was set up to reset connections that match
attack signatures, so I could see immediately if it was detected
or not:
Request:
GET /cgi-bin/phf HTTP/1.0
Connection reset
Request:
GET /cgi-bin/phf
Connection reset
Request:
GET /cgi-bin/phf HTTP/12.0
Connection not reset, HTTP server replies "version not supported"
Request:
GET /cgi-bin/phf HTTP/0.9
Connection not reset, HTTP server replies "file not found"
Apparently the last form of request allows to get a meaningful
reply from HTTP server while IDS does not mind it.
Apache and Netscape Entriprise will happily reply to the last
form of request, didn't try it on other web servers.
Alla.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]