Attachment: HTML Attachment with Javascript location
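Recursively scans files and archives to detect HTML smuggling techniques. Specifically, the rule matches inbound messages carrying a small HTML attachment (or a common archive type) in which an extracted file's JavaScript references the `location` identifier and contains fewer than 100 identifiers in total.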
Sublime rule (View on GitHub)
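# Sublime detection rule, restored to parseable YAML: the page's line-number
# gutter had been fused onto every key and the nesting flattened.
name: "Attachment: HTML Attachment with Javascript location"
description: |
  Recursively scans files and archives to detect HTML smuggling techniques.
type: "rule"
severity: "high"
authors:
  - twitter: "vector_sec"
# Detection logic (MQL). A message matches when all of the following hold:
#   1. it is inbound;
#   2. at least one attachment has an HTML-family extension, an extension in
#      the $file_extensions_common_archives list (defined outside this rule),
#      or a detected file type of "html" (`in~` compares case-insensitively);
#   3. that attachment's size is 5000 bytes or less;
#   4. at least one file produced by file.explode() on that attachment has
#      JavaScript that uses the identifier "location" and has fewer than 100
#      identifiers in total.
#
# Notes for tuning and triage:
#   - `.size` is read in the outer any(attachments, ...) scope, so the limit
#     applies to the attachment as delivered (for an archive, the archive
#     itself), not to each extracted file. Anything above the limit is out
#     of scope for this rule and needs separate coverage.
#   - "location" is a common identifier; small legitimate HTML attachments
#     that redirect or read the page URL can also match. The identifier-count
#     cap presumably narrows matches to short loader-style scripts; confirm
#     the false-positive rate against your own mail flow, given the "high"
#     severity.
source: |
  type.inbound
  and any(attachments,
    (
      .file_extension in~ ("html", "htm", "shtml", "dhtml")
      or .file_extension in~ $file_extensions_common_archives
      or .file_type == "html"
    )
    and .size <= 5000
    and any(file.explode(.),
      any(.scan.javascript.identifiers, . == "location")
      and length(.scan.javascript.identifiers) < 100
    )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "Javascript analysis"
  - "HTML analysis"
id: "e0611295-afb2-5766-ac37-00fe81253487"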