Tuning for HTML_Script_Extension_Evasion

Technote (FAQ)


Question

What tuning parameters are available for HTML_Script_Extension_Evasion?

Answer

XPU 33.060 (released on June 11, 2013) included a new tuning parameter, pam.html.script.extension.whitelist, that works in conjunction with pam.html.script.extension.blacklist to tune the HTML_Script_Extension_Evasion signature.
HTML_Script_Extension_Evasion triggers when an HTML <script> tag has a src attribute value with a misleading extension, which may cause anti-virus or other security software to misinterpret the nature of the script file and let it through. For example, the signature triggers on a tag such as <script src='sneaky.jpg'>. Normally, files with a .jpg extension are JPEG images rather than scripts, but a crafty attacker may use .jpg as a script extension to keep security software from detecting an exploit.

By default, the following extensions are blacklisted:

  • avi
  • css
  • docx
  • eot
  • gif
  • ico
  • jpeg
  • jpg
  • mid
  • mov
  • mp3
  • mpg
  • pdf
  • png
  • ppt
  • ps
  • swf
  • tif
  • xls

If you would like to exclude (whitelist) any of the above extensions so that they will not trigger HTML_Script_Extension_Evasion, you can add the pam.html.script.extension.whitelist parameter with a value of the extension you would like to exclude. If you would like to exclude multiple extensions, they can be entered in the following format:
  • pam.html.script.extension.whitelist.1=jpg
  • pam.html.script.extension.whitelist.2=mpg
  • pam.html.script.extension.whitelist.x=ppt


If you would like to blacklist any additional extensions that are not in the default list, you can add the pam.html.script.extension.blacklist parameter with a value of the extension you would like to blacklist. To blacklist multiple extensions, they can be entered in the following format:
  • pam.html.script.extension.blacklist.1=txt
  • pam.html.script.extension.blacklist.2=bmp
  • pam.html.script.extension.blacklist.x=rtf
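
The following Python example is added here to illustrate the matching and tuning described above; it is not IBM's implementation and not part of the original technote. Assumptions: the extension is read from the URL path of the src value, a whitelisted extension overrides a blacklisted one, and the function names and sample page are hypothetical.

```python
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import urlsplit

# Default blacklist exactly as listed in the technote.
DEFAULT_BLACKLIST = {"avi", "css", "docx", "eot", "gif", "ico", "jpeg", "jpg",
                     "mid", "mov", "mp3", "mpg", "pdf", "png", "ppt", "ps",
                     "swf", "tif", "xls"}
PREFIX = "pam.html.script.extension."
# Constructed sample page (not captured traffic).
SAMPLE_HTML = ("<script src='sneaky.jpg'></script>"
               "<script src='/js/app.js?v=1.png'></script>"
               "<SCRIPT SRC='notes.TXT'></SCRIPT>")

def effective_blacklist(tuning_lines=()):
    """Apply 'pam.html.script.extension.<list>[.<n>]=<ext>' lines to the defaults."""
    black, white = set(DEFAULT_BLACKLIST), set()
    for line in tuning_lines:
        name, _, value = line.strip().partition("=")
        if not name.startswith(PREFIX) or not value:
            continue  # unrelated parameter or empty value
        kind = name[len(PREFIX):].split(".")[0]
        ext = value.strip().lower().lstrip(".")
        if kind == "blacklist":
            black.add(ext)
        elif kind == "whitelist":
            white.add(ext)
    return black - white  # assumption: a whitelist entry always wins

class ScriptSrcAudit(HTMLParser):
    """Collects <script src=...> values whose extension is blacklisted."""
    def __init__(self, blacklist):
        super().__init__()
        self.blacklist, self.hits = blacklist, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src") or ""
        # Extension comes from the URL path only; query and fragment are ignored.
        ext = splitext(urlsplit(src).path)[1].lstrip(".").lower()
        if ext in self.blacklist:
            self.hits.append(src)

def misleading_script_sources(html, tuning_lines=()):
    """Return the src values that would match under the given tuning lines."""
    audit = ScriptSrcAudit(effective_blacklist(tuning_lines))
    audit.feed(html)
    audit.close()
    return audit.hits
```

Running it over a saved page with the same tuning lines you plan to deploy shows which script references would stop or start matching before you change the sensor.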



If the above information does not resolve your issue, please contact IBM Security Systems Technical Support.


Cross reference information
Segment | Product | Component | Platform | Version | Edition
Security | Proventia Virtualized Network Security Platform | | Firmware | 3.1, 3.3, 4.1, 4.3, 4.4, 4.5, 4.6 |
Security | IBM Security Network Intrusion Prevention System | | Firmware | 4.1, 4.3, 4.4, 4.5, 4.6 |
Security | Proventia Network Multi-Function Security | | Firmware | 3.14, 3.15, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6 |
Security | IBM Security Host Protection | | AIX, HP-UX, Linux, Windows | 2.2.2, 7.0 - SR 4.1, 7.0 - SR 4.2, 7.0 - SR 4.3, 7.0 - SR 4.4, 1.0.0, 1.5.0 | All Editions


Document information


More support for:

IBM Security Network Intrusion Prevention System

Software version:

1.8, 2.3, 2.4, 2.5, 3.1, 3.2, 3.3, 4.1, 4.3, 4.4, 4.5, 4.6

Operating system(s):

Firmware

Reference #:

1641106

Modified date:

2013-06-18
