IBM Support

Tuning for HTML_Script_Extension_Evasion

Technote (FAQ)


Question

What tuning parameters are available for HTML_Script_Extension_Evasion?

Answer

XPU 33.060 (released on June 11, 2013) added a new tuning parameter, pam.html.script.extension.whitelist, which works in conjunction with pam.html.script.extension.blacklist to tune the HTML_Script_Extension_Evasion signature.

HTML_Script_Extension_Evasion triggers when an HTML <script> tag has a src attribute whose value carries a misleading file extension, one that may cause anti-virus or other security software to misinterpret the nature of the script file and so miss it. For example, the signature triggers on <script src='sneaky.jpg'>. Files with a .jpg extension are normally JPEG images rather than scripts, but an attacker may serve a script under a .jpg name to evade detection of an exploit by security software, since a browser does not need a .js extension to execute the file referenced by src.

By default, the following list of extensions is blacklisted:

  • avi
  • css
  • docx
  • eot
  • gif
  • ico
  • jpeg
  • jpg
  • mid
  • mov
  • mp3
  • mpg
  • pdf
  • png
  • ppt
  • ps
  • swf
  • tif
  • xls

To exclude (whitelist) any of the extensions above so that it no longer triggers HTML_Script_Extension_Evasion, add the pam.html.script.extension.whitelist parameter with the extension to exclude as its value. To exclude multiple extensions, use the indexed form, one entry per extension, incrementing the numeric suffix for each entry (x stands for the next index in the sequence):
  • pam.html.script.extension.whitelist.1=jpg
  • pam.html.script.extension.whitelist.2=mpg
  • pam.html.script.extension.whitelist.x=ppt


To blacklist additional extensions that are not in the default list, add the pam.html.script.extension.blacklist parameter with the extension to blacklist as its value. To blacklist multiple extensions, use the same indexed form (note the key is blacklist, not whitelist):
  • pam.html.script.extension.blacklist.1=txt
  • pam.html.script.extension.blacklist.2=bmp
  • pam.html.script.extension.blacklist.x=rtf
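The following Python script is an added example, not IBM's PAM code: it models how the whitelist and blacklist tuning entries combine into the effective extension list and when a <script src=...> would match the signature. It assumes the indexed key form shown above (with a bare key also accepted), a case-insensitive comparison of extensions, and that query strings and fragments in the src URL are ignored; the sample page and tuning text are constructed for the example.

```python
"""Illustrative model of the pam.html.script.extension.* tuning parameters
and the HTML_Script_Extension_Evasion check.  Added example; this is not
IBM's PAM implementation.  Assumptions: extensions compare case-insensitively,
query strings and fragments in the src URL are ignored, and both the bare
key and the indexed key.N form are accepted."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

# Default blacklist as listed in the technote.
DEFAULT_BLACKLIST = frozenset(
    "avi css docx eot gif ico jpeg jpg mid mov mp3 mpg pdf png ppt ps swf tif xls".split()
)

WHITELIST_KEY = "pam.html.script.extension.whitelist"
BLACKLIST_KEY = "pam.html.script.extension.blacklist"


def parse_tuning(text):
    """Parse 'key=value' tuning lines into (whitelist, blacklist) sets.

    Accepts key=ext and the indexed form key.1=ext, key.2=ext, ...
    Values are lowercased; a leading '.' is tolerated (assumption)."""
    whitelist, blacklist = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        ext = value.lower().lstrip(".")
        if not ext:
            continue
        if key == WHITELIST_KEY or key.startswith(WHITELIST_KEY + "."):
            whitelist.add(ext)
        elif key == BLACKLIST_KEY or key.startswith(BLACKLIST_KEY + "."):
            blacklist.add(ext)
    return whitelist, blacklist


def effective_blacklist(whitelist, blacklist):
    """Default list plus added blacklist entries, minus whitelisted ones."""
    return (DEFAULT_BLACKLIST | blacklist) - whitelist


def script_src_extensions(html):
    """Return the lowercased extension of every <script src=...> in html,
    in document order."""
    class _Scripts(HTMLParser):
        def __init__(self):
            super().__init__()
            self.found = []

        def handle_starttag(self, tag, attrs):
            if tag != "script":
                return
            for name, value in attrs:
                if name == "src" and value:
                    # Keep only the URL path, then take its extension.
                    path = urlsplit(value.strip()).path
                    ext = posixpath.splitext(path)[1].lstrip(".").lower()
                    if ext:
                        self.found.append(ext)

    parser = _Scripts()
    parser.feed(html)
    return parser.found


def evasion_hits(html, tuning_text=""):
    """List the <script src> extensions that would trigger the signature
    under the given tuning (empty tuning means the default blacklist)."""
    whitelist, blacklist = parse_tuning(tuning_text)
    bad = effective_blacklist(whitelist, blacklist)
    return [ext for ext in script_src_extensions(html) if ext in bad]


# Constructed sample page and tuning (not from the technote).
SAMPLE_HTML = """<html><body>
<script src='sneaky.jpg'></script>
<script src="/static/app.js?v=3"></script>
<script src="http://cdn.example/lib/payload.TXT#x"></script>
<script src="legit.mpg"></script>
<img src="real.jpg">
</body></html>"""

SAMPLE_TUNING = """
pam.html.script.extension.whitelist.1=mpg
pam.html.script.extension.blacklist.1=txt
"""

if __name__ == "__main__":
    print(evasion_hits(SAMPLE_HTML))                 # default tuning
    print(evasion_hits(SAMPLE_HTML, SAMPLE_TUNING))  # with whitelist/blacklist applied
```

With the default list the sample page fires on sneaky.jpg and legit.mpg; after whitelisting mpg and blacklisting txt it fires on sneaky.jpg and payload.TXT instead. The <img src="real.jpg"> is never considered, because only <script> src values are examined.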

Cross reference information

Segment  | Product                                         | Component                      | Platform                   | Version
Security | Proventia Virtualized Network Security Platform | Not Applicable                 | Firmware                   | 3.1, 3.3, 4.1, 4.3, 4.4, 4.5, 4.6
Security | Proventia Network Multi-Function Security       | Protocol Analysis Module (PAM) | Firmware                   | 3.14, 3.15, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6
Security | IBM Security Host Protection                    | General Information            | AIX, HP-UX, Linux, Windows | 2.2.2, 7.0 - SR 4.1, 7.0 - SR 4.2, 7.0 - SR 4.3, 7.0 - SR 4.4, 1.0.0, 1.5.0

(No Edition value is given for any row.)

Document information

More support for: IBM Security Network Intrusion Prevention System
Protocol Analysis Module (PAM)

Software version: 1.8, 2.5, 3.3, 4.1, 4.3, 4.4, 4.5, 4.6, 4.6.1, 4.6.2

Operating system(s): Firmware

Reference #: 1641106

Modified date: 2013-06-18