Tuning for HTML_Script_Extension_Evasion
What tuning parameters are available for HTML_Script_Extension_Evasion?
XPU 33.060 (released on June 11, 2013) included a new tuning parameter,
pam.html.script.extension.whitelist, that works in conjunction with
pam.html.script.extension.blacklist to tune the HTML_Script_Extension_Evasion signature.
HTML_Script_Extension_Evasion will trigger when an HTML <script> tag has a src attribute value with a misleading extension that may evade anti-virus or other security software by misinterpreting the nature of the script file. This signature will trigger on a tag such as <script src='sneaky.jpg'>. Normally, files with .jpg extensions are JPEG images rather than scripts, but a crafty attacker may use .jpg as a script extension to evade detection of an exploit by security software.
By default, the following list of extensions are blacklisted:
If you would like to exclude (whitelist) any of the above extensions so that they will not trigger HTML_Script_Extension_Evasion, you can add the pam.html.script.extension.whitelist parameter with a value of the extension you would like to exclude. If you would like to exclude multiple extensions, they can be entered in the following format:
If you would like to blacklist any additional extensions that are not in the default list, you can add the
pam.html.script.extension.blacklistparameter with a value of the extension you would like to blacklist. To blacklist multiple extensions, they can be entered in the following format:
|Security||Proventia Virtualized Network Security Platform||Protocol Analysis Module (PAM)||Firmware||Version Independent|
|Security||Proventia Network Multi-Function Security||Protocol Analysis Module (PAM)||Firmware||Version Independent|
|Security||IBM Security Host Protection||General Information||AIX, HP-UX, Linux, Windows||Version Independent|
More support for:
IBM Security Network Intrusion Prevention System
Protocol Analysis Module (PAM)
Software version: Version Independent
Operating system(s): Firmware
Reference #: 1641106
Modified date: 18 June 2013
Translate this page: