Security Researcher to Reveal New Web Attack Vector

Security researcher Stephan Chenette of Websense says he has found a new way to slip Web exploits by client or gateway defenses. He calls the technique script fragmentation and says the attack vector is similar to the TCP fragmentation attacks that gained notoriety years ago. Chenette will make a presentation of his findings next week at the PacSec security conference in Tokyo.

Security researcher Stephan Chenette has reincarnated an old attack vector, giving it a new twist and a new name.

Chenette, manager of security research at Websense, has dubbed the new attack vector "script fragmentation" and will be making a presentation on it next week at the PacSec Applied Security Conference in Japan. Though he was mum on the specific details of his research, he provided eWEEK with a general outline of his findings.

His attack method is reminiscent of TCP fragmentation attacks and involves breaking down Web exploits into smaller pieces and distributing them in a synchronous manner to evade signature detection. According to Chenette, the attack can be performed without any special tools or add-ons.

"There's no big chunk of maliciousness to it [where] there's enough information there that anybody who's looking at it, either signature or [with behavioral analysis], will really make any sense of it to say, -this is malicious,'" he explained.

Chenette said he tested the technique on all the major browsers, including Internet Explorer, Firefox and Safari, and found all were susceptible. Strictly speaking, however, it is not a browser vulnerability - it only takes advantage of the way Web browsers and applications operate.

"I'm calling this a script fragmentation attack because it makes use of the common technologies that are completely available today - JavaScript, VBScript, any type of scripting language - and the other readily available technologies that allows us just to conduct traffic back and forth. We can do it in smaller pieces, and at one end concatenating all the information and then triggering the attack."

The attack scenario could be a one-to-one relationship where a client contacts a Web server and gets the malicious content in little bits and pieces, or a situation where an attacker uses a botnet to have a few thousand machines serve the client pieces of the malware from various locations, Chenette explained.

Disabling scripting would affect it, but the non-static nature of today's Web makes that unpractical.

"If you were to turn off JavaScript, you couldn't go to Gmail and use it in the way that it's meant to be used," he said. "You couldn't go to Facebook...hi5, all these are top 50 Web sites that are used by all users for business purposes as well as personal use. So JavaScript and scripting languages in general and the mechanisms that the script fragmentation attack relies on are all mechanisms that everyday, benign applications use - and that's actually why it's so successful. All the components that script fragmentation relies on are components that are used in everyday Web sites and they are used in the exact same way that everyday Web sites use them."

So far, the attack method has not been seen by Websense in the wild. However, with security vendors starting to get over the hump in regards to detecting malware obfuscation, this type of attack are on the horizon, Chenette said.

"This is really in my eyes an attack that we're going to be seeing a lot more of in the future," he said. "This is something that currently we're not seeing, but is completely right now as it stands in the hands of any attacker that wants to make use of it."