JavaScript large number of unescape patterns detected (JavaScript_Large_Unescape)

About this signature or vulnerability

IBM Security Network Protection, IBM Security Host Protection for Servers (Unix), Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Desktops, Virtual Server Protection for VMware, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor:

This event triggers when a JavaScript 'unescape()' function call containing a large amount of escaped data is detected. This activity should be viewed with suspicion. It may be normal activity, or it could indicate an attempt to inject a large amount of shellcode or malicious HTML and/or JavaScript in order to take control of a system through a browser vulnerability.


False positives

IBM Security Network Protection, IBM Security Host Protection for Servers (Unix), Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Desktops, Virtual Server Protection for VMware, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor: Use of the 'unescape()' function with large amounts of non-malicious but encoded data will cause this event to trigger. Legitimate uses of the 'unescape' function will cause this signature to trigger.

False negatives

IBM Security Network Protection, IBM Security Host Protection for Servers (Unix), Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Desktops, Virtual Server Protection for VMware, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor: Very small but potentially malicious 'unescape()' instances will not trigger this event.

Default risk level

Medium

Sensors that have this signature

IBM Security Network Protection: 5.1, IBM Security Host Protection for Servers (Unix): 2.2.2, Proventia Server IPS for Linux technology: 28.010, Proventia Network IPS: XPU 28.010, Proventia Network MFS: XPU 28.010, Proventia-G 1.1 and earlier: XPU 28.010, Proventia Network IDS: XPU 28.010, IBM Security Host Protection for Desktops: 2140, Virtual Server Protection for VMware: 1.0, IBM Security Host Protection for Servers (Windows): 1.0.914.2140, IBM Security Host Protection for Servers (Windows): 2.0.252.2140, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, RealSecure Server Sensor: XPU 28.010

Systems affected

IBM AIX, Wind River BSDOS, HP HP-UX, SGI IRIX, Linux Kernel, Sun Solaris, IBM OS2, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft Windows 98, SCO SCO Unix, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Compaq Tru64, Microsoft Windows XP, Microsoft Windows 2003 Server, Apple Mac OS X

Type

Suspicious Activity

Vulnerability description

The JavaScript function unescape() translates escaped (or encoded) data into normal strings. A large number of escaped patterns have been detected within an unescape() call. This could indicate an attempt to take control of a system, or it may indicate an attempt to obfuscate benign JavaScript or HTML instructions.
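
One way to implement the check described above, as an added example and not IBM's signature logic: it counts %XX and %uXXXX sequences in the string literals passed to unescape() and alerts at a threshold. The threshold of 50, the name scanUnescape and the sample input are assumptions made for illustration; the page does not state the cutoff the sensors use.

```javascript
// Added example: not IBM's signature logic. THRESHOLD is an assumed value,
// because the page does not state the cutoff the sensors use.
const THRESHOLD = 50;

// %XX and %uXXXX are the escape forms that unescape() decodes.
const ESCAPE_RE = /%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}/g;
// Start of a call: unescape( with optional whitespace.
const OPEN_RE = /\bunescape\s*\(\s*/g;
// One quoted string literal, optionally followed by '+' (sticky match).
const LITERAL_RE = /(["'])((?:\\.|(?!\1)[^\\])*)\1\s*(\+\s*)?/y;

// Returns one finding per unescape() call found in `source`.
function scanUnescape(source, threshold = THRESHOLD) {
  const findings = [];
  for (const open of source.matchAll(OPEN_RE)) {
    let escapes = 0;
    let chars = 0;
    LITERAL_RE.lastIndex = open.index + open[0].length;
    let lit;
    // Walk "a" + "b" + ... so the count covers the whole concatenated argument.
    while ((lit = LITERAL_RE.exec(source)) !== null) {
      escapes += (lit[2].match(ESCAPE_RE) || []).length;
      chars += lit[2].length;
      if (!lit[3]) break; // no '+' after this literal: argument ends here
    }
    findings.push({ offset: open.index, escapes, chars, alert: escapes >= threshold });
  }
  return findings;
}

// Constructed sample input (harmless filler, not captured traffic).
const SAMPLE = [
  'var a = unescape("%3Cb%3Ehi%3C%2Fb%3E");',        // small instance
  'var b = unescape("' + '%20'.repeat(60) + '");',   // large, benign data
  'var c = unescape("' + '%u0041'.repeat(30) + '" + \'' +
    '%u0041'.repeat(30) + '\');',                    // large, two literals
].join('\n');

for (const f of scanUnescape(SAMPLE)) {
  console.log(`offset=${f.offset} escapes=${f.escapes} alert=${f.alert}`);
}
```

The second sample is the false-positive case (large but benign encoded data raises the alert), and the first is the false-negative case (a small instance stays under the threshold).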

How to remove this vulnerability

Investigate the source data which triggers the event and block the traffic.

References

ISS X-Force
JavaScript large number of unescape patterns detected
http://www.iss.net/security_center/static/39049.php