To evade static analysis, the document body can returned hex encoded in the response where JavaScript can decode it and append it to the DOM.
This helps defeat simple scanners which don't evaluate JavaScript.
title: Hex-encoded document body
description: |
To evade static analysis, the document body can returned hex encoded in the response
where JavaScript can decode it and append it to the DOM.
This helps defeat simple scanners which don't evaluate JavaScript.
detection:
documentWriteUnescape:
html|contains: "document.write(unescape("
condition: documentWriteUnescape
tags:
- anti-analysis