Attachment: HTML Attachment with Javascript location

Recursively scans files and archives to detect HTML smuggling techniques.

Sublime rule

name: "Attachment: HTML Attachment with Javascript location"
description: |
    Recursively scans files and archives to detect HTML smuggling techniques.
type: "rule"
severity: "high"
authors:
  - twitter: "vector_sec"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
          )
          and .size <= 5000
          and any(file.explode(.),
                  any(.scan.javascript.identifiers, . == "location")
                  and length(.scan.javascript.identifiers) < 100
          )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "Javascript analysis"
  - "HTML analysis"
id: "e0611295-afb2-5766-ac37-00fe81253487"
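Added example, not Sublime's code or its rule engine: a Python approximation of the rule's attachment predicate, run over constructed sample attachments so the three guards (HTML or archive extension, size at most 5000 bytes, `location` among fewer than 100 script identifiers) can be exercised locally. `ARCHIVE_EXTS`, the regex tokenizer and the `<html` content sniff are assumptions standing in for `$file_extensions_common_archives`, `.scan.javascript.identifiers` and `.file_type`.

```python
import io, re, zipfile
HTML_EXTS = {"html", "htm", "shtml", "dhtml"}
ARCHIVE_EXTS = {"zip"}  # assumption: stands in for $file_extensions_common_archives
MAX_SIZE, MAX_IDENTIFIERS = 5000, 100  # the rule's size and identifier-count guards
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
STRING_RE = re.compile(r'"[^"]*"|\'[^\']*\'')  # string literals are not identifiers
IDENT_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")

def extension(name): return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def js_identifiers(data):
    # Distinct tokens from inline <script> bodies; approximates .scan.javascript.identifiers.
    seen = []
    for body in SCRIPT_RE.findall(data.decode("utf-8", errors="replace")):
        for tok in IDENT_RE.findall(STRING_RE.sub("", body)):
            if tok not in seen:
                seen.append(tok)
    return seen

def explode(name, data):
    # Yield the file and, for zips, every member recursively; approximates file.explode(.).
    yield name, data
    if extension(name) in ARCHIVE_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    yield from explode(member, zf.read(member))
        except zipfile.BadZipFile:
            pass  # not a real archive: nothing more to explode

def matches_rule(name, data):
    # Mirrors the attachment predicate; .file_type == "html" becomes a crude content sniff.
    ext = extension(name)
    if ext not in HTML_EXTS | ARCHIVE_EXTS and b"<html" not in data[:512].lower():
        return False
    if len(data) > MAX_SIZE:
        return False
    for _, content in explode(name, data):
        ids = js_identifiers(content)
        if "location" in ids and len(ids) < MAX_IDENTIFIERS:
            return True
    return False

def zipped(name, data):
    # In-memory zip holding one file; only used to construct the archive sample.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()
SMUGGLED = b'<html><body><script>window.location = "https://example.invalid/";</script></body></html>'
BENIGN = b'<html><body><p>Quarterly report attached.</p></body></html>'  # both samples constructed
```

Oversized files and scripts with 100 or more identifiers fall outside the rule by design, so a local replay should confirm those negatives as well as the positive hits.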