HTML smuggling is a way to have the target download files without the web application firewall or AV taking action on any URL (because there won’t be any). The file is usually embedded into the webpage’s JavaScript code.
Example
The sample HTML code below demonstrates HTTP smuggling. After initializing
file
variable with the base64-encoded file contents, host the HTML. Any client that accesses the page will automatically download the embedded file.
Downloaded file does not bypass Windows Defender / SmartScreen
Files downloaded this way will still have the mark of the web.