IBM Support

Tuning for HTML_Script_Extension_Evasion

Technote (FAQ)


Question

What tuning parameters are available for HTML_Script_Extension_Evasion?

Answer

XPU 33.060 (released on June 11, 2013) included a new tuning parameter, pam.html.script.extension.whitelist, that works in conjunction with pam.html.script.extension.blacklist to tune the HTML_Script_Extension_Evasion signature.

HTML_Script_Extension_Evasion will trigger when an HTML <script> tag has a src attribute value with a misleading extension. Such an extension may cause anti-virus or other security software to misinterpret the nature of the script file, allowing it to evade inspection. This signature will trigger on a tag such as <script src='sneaky.jpg'>. Normally, files with .jpg extensions are JPEG images rather than scripts, but a crafty attacker may use .jpg as a script extension to evade detection of an exploit by security software.

By default, the following extensions are blacklisted:

  • avi
  • css
  • docx
  • eot
  • gif
  • ico
  • jpeg
  • jpg
  • mid
  • mov
  • mp3
  • mpg
  • pdf
  • png
  • ppt
  • ps
  • swf
  • tif
  • xls

If you would like to exclude (whitelist) any of the above extensions so that they will not trigger HTML_Script_Extension_Evasion, you can add the pam.html.script.extension.whitelist parameter with a value of the extension you would like to exclude. If you would like to exclude multiple extensions, they can be entered in the following format:
  • pam.html.script.extension.whitelist.1=jpg
  • pam.html.script.extension.whitelist.2=mpg
  • pam.html.script.extension.whitelist.x=ppt

If you would like to blacklist any additional extensions that are not in the default list, you can add the pam.html.script.extension.blacklist parameter with a value of the extension you would like to blacklist. To blacklist multiple extensions, they can be entered in the following format:
  • pam.html.script.extension.blacklist.1=txt
  • pam.html.script.extension.blacklist.2=bmp
  • pam.html.script.extension.blacklist.x=rtf
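
The interaction between the default list and the two tuning parameters can be modelled as follows. This is an added illustration, not IBM's PAM code: the function names, the sample HTML and tuning text, and the rule that a whitelist entry overrides a blacklist entry for the same extension are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath
# Default blacklist as listed in the technote.
DEFAULT_BLACKLIST = set("avi css docx eot gif ico jpeg jpg mid mov mp3 mpg pdf "
                        "png ppt ps swf tif xls".split())
PREFIX = "pam.html.script.extension."

def effective_blacklist(tuning_text):
    """Apply whitelist / blacklist tuning lines to the default list."""
    added, removed = set(), set()
    for line in tuning_text.splitlines():
        name, sep, value = line.strip().partition("=")
        if not sep or not name.startswith(PREFIX):
            continue
        kind = name[len(PREFIX):].split(".")[0]  # ignore the trailing .1, .2, ... index
        ext = value.strip().lower().lstrip(".")
        if kind == "blacklist" and ext:
            added.add(ext)
        elif kind == "whitelist":
            removed.add(ext)
    # Assumption: a whitelist entry wins over a blacklist entry for the same extension.
    return (DEFAULT_BLACKLIST | added) - removed

class ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <SCRIPT SRC=...> matches too.
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append(src)

def misleading_script_sources(html, tuning_text=""):
    """Return script src values whose extension is on the effective blacklist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    blocked = effective_blacklist(tuning_text)
    # Only the URL path is examined, so a query string or fragment cannot change the result.
    return [s for s in collector.sources
            if posixpath.splitext(urlsplit(s).path)[1].lstrip(".").lower() in blocked]

# Constructed sample input; only sneaky.jpg comes from the technote.
SAMPLE_HTML = ("<script src='sneaky.jpg'></script>"
               '<script src="/static/app.js?theme=dark.png"></script>'
               '<SCRIPT SRC="/img/Banner.JPG?cache=1"></SCRIPT>'
               '<script src="notes.txt"></script><img src="photo.jpg">')
SAMPLE_TUNING = "pam.html.script.extension.whitelist.1=jpg\npam.html.script.extension.blacklist.1=txt\n"
print(misleading_script_sources(SAMPLE_HTML, SAMPLE_TUNING))
```

With no tuning, the two .jpg script sources are reported; with the sample tuning, only notes.txt is.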




Cross reference information
Segment | Product | Component | Platform | Version | Edition
Security | Proventia Virtualized Network Security Platform | Protocol Analysis Module (PAM) | Firmware | Version Independent |
Security | Proventia Network Multi-Function Security | Protocol Analysis Module (PAM) | Firmware | Version Independent |
Security | IBM Security Host Protection | General Information | AIX, HP-UX, Linux, Windows | Version Independent |

Document information

More support for: IBM Security Network Intrusion Prevention System
Protocol Analysis Module (PAM)

Software version: Version Independent

Operating system(s): Firmware

Reference #: 1641106

Modified date: 2013-06-18