Tuning for HTML_Script_Extension_Evasion

Technote (FAQ)


What tuning parameters are available for HTML_Script_Extension_Evasion?


XPU 33.060 (released on June 11, 2013) included a new tuning parameter, pam.html.script.extension.whitelist, that works in conjunction with pam.html.script.extension.blacklist to tune the HTML_Script_Extension_Evasion signature.

HTML_Script_Extension_Evasion triggers when an HTML <script> tag has a src attribute value with a misleading extension, which may cause anti-virus or other security software to misinterpret the nature of the script file and fail to inspect it. The signature triggers on a tag such as <script src='sneaky.jpg'>. Normally, files with .jpg extensions are JPEG images rather than scripts, but a crafty attacker may use .jpg as a script extension to evade detection of an exploit by security software.

By default, the following extensions are blacklisted:

  • avi
  • css
  • docx
  • eot
  • gif
  • ico
  • jpeg
  • jpg
  • mid
  • mov
  • mp3
  • mpg
  • pdf
  • png
  • ppt
  • ps
  • swf
  • tif
  • xls

If you would like to exclude (whitelist) any of the above extensions so that they will not trigger HTML_Script_Extension_Evasion, you can add the pam.html.script.extension.whitelist parameter with a value of the extension you would like to exclude. If you would like to exclude multiple extensions, they can be entered in the following format:
  • pam.html.script.extension.whitelist.1=jpg
  • pam.html.script.extension.whitelist.2=mpg
  • pam.html.script.extension.whitelist.x=ppt

If you would like to blacklist any additional extensions that are not in the default list, you can add the pam.html.script.extension.blacklist parameter with a value of the extension you would like to blacklist. To blacklist multiple extensions, they can be entered in the following format:
  • pam.html.script.extension.blacklist.1=txt
  • pam.html.script.extension.blacklist.2=bmp
  • pam.html.script.extension.blacklist.x=rtf
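To preview which pages a given blacklist/whitelist combination would flag, the following added example (not IBM's PAM code, and not part of the original technote) approximates the check in Python. It assumes that a whitelist entry overrides any blacklist entry and that only the path portion of the src URL is examined; the function names and sample data are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

# Default blacklist exactly as listed in the technote.
DEFAULT_BLACKLIST = set(
    "avi css docx eot gif ico jpeg jpg mid mov mp3 mpg pdf png ppt ps swf tif xls".split())
PREFIX = "pam.html.script.extension."

def load_tuning(text):
    """Collect extensions from whitelist/blacklist tuning lines (name[.N]=ext)."""
    lists = {"whitelist": set(), "blacklist": set()}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        kind = key[len(PREFIX):].split(".")[0] if key.startswith(PREFIX) else ""
        if sep and kind in lists and value.strip():
            lists[kind].add(value.strip().lower().lstrip("."))
    return lists

class ScriptSrcScanner(HTMLParser):
    """Records <script src=...> values whose extension is in the flagged set."""
    def __init__(self, flagged):
        super().__init__()
        self.flagged, self.hits = flagged, []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if not src:
            return
        try:
            path = urlsplit(src).path  # ignore query string and fragment
        except ValueError:
            return  # unparseable URL, nothing to compare
        ext = posixpath.splitext(path)[1].lstrip(".").lower()
        if ext in self.flagged:
            self.hits.append((src, ext))

def scan(html, tuning_text=""):
    """Return (src, extension) pairs that the tuned lists would flag."""
    tuning = load_tuning(tuning_text)
    # Assumption: a whitelisted extension is never flagged, even if blacklisted.
    flagged = (DEFAULT_BLACKLIST | tuning["blacklist"]) - tuning["whitelist"]
    scanner = ScriptSrcScanner(flagged)
    scanner.feed(html)
    scanner.close()
    return scanner.hits

# Constructed sample input, for illustration only.
SAMPLE_HTML = ("<script src='sneaky.jpg'></script>"
               '<SCRIPT SRC="https://cdn.example/lib/app.js?v=2.png"></SCRIPT>'
               '<script src="/static/notes.txt"></script><img src="photo.jpg">')
SAMPLE_TUNING = ("pam.html.script.extension.whitelist.1=jpg\n"
                 "pam.html.script.extension.blacklist.1=txt")
```

With the defaults, only sneaky.jpg is reported from the sample; with the sample tuning applied, jpg is excluded and notes.txt is reported instead.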


Cross reference information

  • Segment: Security; Product: Proventia Virtualized Network Security Platform; Component: Not Applicable; Platform: Firmware; Version: 3.1, 3.3, 4.1, 4.3, 4.4, 4.5, 4.6
  • Segment: Security; Product: Proventia Network Multi-Function Security; Component: Protocol Analysis Module (PAM); Platform: Firmware; Version: 3.14, 3.15, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6
  • Segment: Security; Product: IBM Security Host Protection; Component: General Information; Platform: AIX, HP-UX, Linux, Windows; Version: 2.2.2, 7.0 - SR 4.1, 7.0 - SR 4.2, 7.0 - SR 4.3, 7.0 - SR 4.4, 1.0.0, 1.5.0

Document information

More support for:

IBM Security Network Intrusion Prevention System
Protocol Analysis Module (PAM)

Software version:

1.8, 2.5, 3.3, 4.1, 4.3, 4.4, 4.5, 4.6, 4.6.1, 4.6.2
