Signature Detail

Short Name	HTTP:STC:JS-DATA-SCHEME
Severity	Medium
Recommended	Yes
Recommended Action	Drop
Category	HTTP
Keywords	Javascript inspection bypass
Release Date	2012/12/05
Update Number	2208
Supported Platforms	idp-4.0+, isg-3.1.134269+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: JavaScript "data:" URL Scheme Source

This signature detects the download of a HTML document containing JavaScript using the "data:" URL scheme. This scheme is defined in RFC2397 and is a legitimate usage of HTML. However, attackers can use the scheme to first embed malware in a Web page, then bypass specific filters that normally detect such a delivery.

References

URL: http://nakedsecurity.sophos.com/2012/12/03/how-tumblr-worm-worked/
URL: http://www.ietf.org/rfc/rfc2397.txt

Signature Detail

Short Name

Severity

Recommended

Recommended Action

Category

Keywords

Release Date

Update Number

Supported Platforms

HTTP: JavaScript "data:" URL Scheme Source

References