Attachment: HTML smuggling with raw array buffer

calendar Aug 21, 2023  ยท
Share on: linkedin copy

Recursively scans files and archives to detect HTML smuggling techniques.

Sublime rule (View on GitHub)

 1name: "Attachment: HTML smuggling with raw array buffer"
 2description: |
 3    Recursively scans files and archives to detect HTML smuggling techniques.
 4references:
 5  - "https://playground.sublimesecurity.com?id=1c9531ea-f25b-41dc-9aeb-848a211293fb"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (
12            .file_extension in~ ("html", "htm", "shtml", "dhtml")
13            or .file_extension in~ $file_extensions_common_archives
14            or .file_type == "html"
15          )
16          and any(file.explode(.),
17                  any(.scan.strings.strings,
18                      // arrayBuffer, eg repetition:
19                      // [0xa0,0x8e,0xd0,0x60,...]
20                      regex.icontains(., '(\W?0x[a-zA-Z0-9]{2}\W?,\s*){100}')
21                  )
22                  and any(.scan.strings.strings, strings.contains(., ".map"))
23          )
24  )  
25attack_types:
26  - "Credential Phishing"
27  - "Malware/Ransomware"
28tactics_and_techniques:
29  - "Evasion"
30  - "Free subdomain host"
31  - "HTML smuggling"
32detection_methods:
33  - "Archive analysis"
34  - "Content analysis"
35  - "File analysis"
36  - "Javascript analysis"
37id: "a0d5c3dc-0763-5579-919e-456e5a37bd6f"
to-top