Attachment: HTML smuggling with eval and atob
Recursively scans files and archives to detect HTML smuggling techniques.
Sublime rule (View on GitHub)
1name: "Attachment: HTML smuggling with eval and atob"
2description: |
3 Recursively scans files and archives to detect HTML smuggling techniques.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and any(attachments,
9 (
10 .file_extension in~ ("html", "htm", "shtml", "dhtml")
11 or .file_extension in~ $file_extensions_common_archives
12 or .file_type == "html"
13 )
14 and any(file.explode(.),
15 // usage: onerror="eval(atob('
16 any(.scan.strings.strings, regex.imatch(., ".*eval.{1,4}atob.*"))
17 )
18 )
19attack_types:
20 - "Credential Phishing"
21 - "Malware/Ransomware"
22tactics_and_techniques:
23 - "Evasion"
24 - "HTML smuggling"
25 - "Scripting"
26detection_methods:
27 - "Archive analysis"
28 - "Content analysis"
29 - "File analysis"
30 - "HTML analysis"
31 - "Javascript analysis"
32id: "9f521ca2-2141-5373-86b1-e3cf8ed8d633"