RE: [SAtalk] More HTML Obfuscation: This One Made It Through

Mon, 13 Oct 2003 20:53:04 -0700 

Larry Gilson <[EMAIL PROTECTED]> wrote:

> ### I wrapped the rawbody line to keep the integrity of the
> ### rule.
> # Invisible text color in font tag
> rawbody  MY_RBDY_INVSTXT    
>    /<font.* color=("?\#?FFFFF[0-9A-F]"?|"?white"?).*>/i
> describe MY_RBDY_INVSTXT    MY: Invisible text color
> score    MY_RBDY_INVSTXT    2.0

That should work.  Ultimately it would be better taken care of 
with the other FONT rules.  It should really be caught by 
HTML_FONT_INVISIBLE.

> # Obfuscate text by using ISO 8859-1 character set DEC encoding
> rawbody  MY_RBDY_OBFU_ISOD 
> /&\#(6[5-9]|[7-9][0-9]|1[0-1][0-9]|12[0-6])\D/ describe
> MY_RBDY_OBFU_ISOD  MY: OBFU text with ISO DEC set score   
> MY_RBDY_OBFU_ISOD  4.0
> 
> If you ever get HEX encoding, you can use:
> # Obfuscate text by using ISO 8859-1 character set HEX encoding
> rawbody  MY_RBDY_OBFU_ISOH 
> /\%(4[1-9]|[5-7][0-9]|[4-6][A-F]|7[A-E])\D/i describe
> MY_RBDY_OBFU_ISOH  MY: OBFU text with ISO HEX set score   
> MY_RBDY_OBFU_ISOH  4.0

You're confusing two things in those two rules.  The difference 
isn't decimal versus hexadecimal -- it's that the first is HTML 
escaping and the second is URL escaping.

The second one should mostly already be caught by 
HTTP_EXCESSIVE_ESCAPES, since URL escaping really only works in 
URLs.  If you have examples where it's not being caught, I'd 
like to see them.

It is possible to use hexadecimal numbers in HTML escaping, 
though, and you're not catching that.  For example, 'A' instead 
of being '&#65;' can be represented as '&#x41;'.  You could 
combine parts of your two regexes to match those.  Also, you 
can have leading 0's in the numbers, so '&#65;' can be written 
as '&#065;' (or '&#0065;' or maybe '&#000000000000000000065;').

-- 
Keith C. Ivey <[EMAIL PROTECTED]>
Washington, DC



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Reply via email to