TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

881

882

883

884

885

886

887

888

889

890

ProCurve TMS zl Module IPS/IDS Signature

Reference Guide Version RLX.10.2.2.94

887

dynamically. Scripting language can be javascript, vbscript etc,. Attacker injects miscellaneous DOM Properties and

methods to manipulate HTML Document at the client side.

Signature ID: 35119

Typical Script functions Possible evasion

Threat Level: Severe

Bugtraq: 29025,29191,29571,29574

Signature Description: This rule hits when downloaded document contains typical script functions like exec. Attacker

may tries to bypass security systems by using typical script functions. Successful attempt provides admin access on the

affected system.

Signature ID: 35120

Javascript object properties and methods

Threat Level: Severe

Bugtraq: 29025,29571

Signature Description: This Rule hits when downloaded html document contains possible memory corruption functions

such as resizeto found. Attacker uses some dangerous functions to steal cookies, or redirects the url from one location

to another by these functions.

Signature ID: 35121

Javascript object properties and methods

Threat Level: Severe

Bugtraq: 29025,29571

Signature Description: This Rule hits when downloaded html document contains array properties and methods such as

push, pop etc, found. These functions may cause the receiver’s browser to crash and may execute arbitrary code

on the victims machine.

Signature ID: 35122

Suspicious JavaScript string properties and methods

Threat Level: Severe

Signature Description: This rule hits when HTTP Response with javascript with suspicious functions. By this functions

attackers can generate malicious code at the victims machine.

Signature ID: 35123

JavaScript language constructs

Threat Level: Severe

Signature Description: This Rule hits when http response contains javascript constructs. Using cross side scripting

attack, an attacker can pass his own javascript on to the vulnerable system. This rule hits for the javascript constructs

for any of return, globalStorage, sessionStorage, postMessage, callee,constructor, content,domain, prototype, try, catch,

top, call, apply, with, function, object, array, string, math, if, elseif, case, switch, regex, boolean, location, settimeout,

setinterval, void.

Signature ID: 35124

Basic Cross-Site Scripting attempt

Threat Level: Severe

Signature Description: This rule hits when basic cross site scripting techniques like printing attacker’s content

on the affected webpage using document.write methods.