Attachment: HTML smuggling with raw array buffer
Recursively scans files and archives to detect HTML smuggling techniques.
Sublime rule (View on GitHub)
1name: "Attachment: HTML smuggling with raw array buffer"
2description: |
3 Recursively scans files and archives to detect HTML smuggling techniques.
4references:
5 - "https://playground.sublimesecurity.com?id=1c9531ea-f25b-41dc-9aeb-848a211293fb"
6type: "rule"
7severity: "high"
8source: |
9 type.inbound
10 and any(attachments,
11 (
12 .file_extension in~ ("html", "htm", "shtml", "dhtml")
13 or .file_extension in~ $file_extensions_common_archives
14 or .file_type == "html"
15 )
16 and any(file.explode(.),
17 any(.scan.strings.strings,
18 // arrayBuffer, eg repetition:
19 // [0xa0,0x8e,0xd0,0x60,...]
20 regex.icontains(., '(\W?0x[a-zA-Z0-9]{2}\W?,\s*){100}')
21 )
22 and any(.scan.strings.strings, strings.contains(., ".map"))
23 )
24 )
25attack_types:
26 - "Credential Phishing"
27 - "Malware/Ransomware"
28tactics_and_techniques:
29 - "Evasion"
30 - "Free subdomain host"
31 - "HTML smuggling"
32detection_methods:
33 - "Archive analysis"
34 - "Content analysis"
35 - "File analysis"
36 - "Javascript analysis"
37id: "a0d5c3dc-0763-5579-919e-456e5a37bd6f"