Security Best Practice: Protect Yourself from JavaScript Obfuscation Techniques
| Check Point Reference: | SBP-2009-17 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | IPS Research Center | |
| Protection Provided by: |
Security Gateway
|
|
| Who is Vulnerable? Web Browsers | ||
| Vulnerability Description Although various security products provide coverage against many web vulnerabilities, such as ActiveX exploits, these known exploits could potentially bypass security products by using JavaScript obfuscation techniques. An example of such a technique is percent-encoding, also known as URL encoding, which is a mechanism for encoding information in a Uniform Resource Identifier (URI). |
||
|
Vulnerability Details Such techniques obfuscate known exploits so they will bypass security rules - since the exploits are being thoroughly obfuscated, IDS and IPS systems will not recognize them and thus will allow them to pass without any notification. |
Protection Overview
IPS offers the following protections:
JavaScript Percent-Encoding Obfuscation
This protection triggers when the code contains malicious percent-encoding, such as deliberate unicode encoding.
JavaScript Unescape Synonym Obfuscation
This protection triggers when the Javascript 'unescape' function has been deliberately renamed using statement similar to "var = unescape".
JavaScript Document.Write Synonym Obfuscation
This protection triggers when the Javascript 'document.write' function has been deliberately renamed using statement similar to "var = document.write".
Please note that this protection may cause false positives by blocking legitimate traffic. We are working on solving this issue.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.