Thursday, January 18, 2024

HTML Smuggling for Data Infiltration

Hello and happy new year! Today in this short blogpost we will be looking at a very simple but effective attack called HTML Smuggling. Briefly put, this technique abuses HTML5 and JavaScript functions to infiltrate or exfiltrate data across and out of the network. It would also be classified as more of a phishing attack, since it relies on human interaction if you are looking for initial access or something similar.

Jumping right in, we see the HTML and JavaScript code necessary to make this work (credit to ired.team & outflank.nl). It loads our file in base64 into an array, goes through a few other initializations, and eventually has it downloaded onto the victim's machine through the browser. (Note the 2 variables that need to be replaced for your own testing.)


To get the base64 of our target PE we need to simply run the command below:


Once we have initialized that variable with our base64 output, our HTML file is ready to be hosted on a webserver and sent to our victim as an HTML link. You will also need to have the executable file you encoded in the same directory as the HTML file you are hosting on the server.


To start up a simple HTTP server to host locally, use the following command:

Once the victim browses to the server, the file will automatically be downloaded to the victim's machine, as seen in the picture below:

All that would then be left is for the victim to execute the file. This is just one of many ways to infiltrate data into a network through what is almost always an active and unfiltered port. I hope you see this as something useful to add to your red teaming arsenal, cheers :)
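On the defensive side, the pattern described above (a base64 payload decoded into an array, turned into a file in the browser, and saved through a scripted download) leaves static markers in the page. The following Node.js heuristic scanner is an added example, not code from the original post or from the credited sources; the indicator names, weights, threshold and both sample pages are assumptions constructed for illustration.

```javascript
// Added example: heuristic static scan for HTML smuggling markers in a page.
// Indicator list, weights and THRESHOLD are assumptions chosen for illustration.
const THRESHOLD = 7;
const INDICATORS = [
  // Payload embedded in the page itself
  { name: "long-base64-literal", kind: "payload", weight: 3, re: /["'`][A-Za-z0-9+\/]{200,}={0,2}["'`]/ },
  { name: "atob-decode", kind: "payload", weight: 1, re: /\batob\s*\(/ },
  { name: "byte-array", kind: "payload", weight: 1, re: /\bnew\s+Uint8Array\s*\(/ },
  // File assembled and saved client-side
  { name: "blob-construct", kind: "delivery", weight: 2, re: /\bnew\s+Blob\s*\(/ },
  { name: "object-url", kind: "delivery", weight: 2, re: /\bURL\.createObjectURL\s*\(/ },
  { name: "legacy-save", kind: "delivery", weight: 2, re: /\bmsSave(OrOpen)?Blob\s*\(/ },
  { name: "download-attr", kind: "delivery", weight: 1, re: /\.download\s*=|setAttribute\s*\(\s*["']download["']/ },
  { name: "scripted-click", kind: "delivery", weight: 1, re: /\.click\s*\(\s*\)/ },
];

function scanHtml(html) {
  // Inspect only inline <script> bodies so page text naming these APIs is ignored.
  const js = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi)]
    .map((m) => m[1]).join("\n");
  const hits = INDICATORS.filter((i) => i.re.test(js));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  const kinds = new Set(hits.map((i) => i.kind));
  // Client-side export features use Blob downloads too, so require an embedded
  // payload as well as a delivery step before flagging.
  const suspicious = kinds.has("payload") && kinds.has("delivery") && score >= THRESHOLD;
  return { score, hits: hits.map((i) => i.name), suspicious };
}

// Constructed samples. The "payload" is the letter A repeated, not a real file.
const INERT_B64 = "QUFB".repeat(64);
const SAMPLE_SMUGGLE = `<html><body><script>
var file = "${INERT_B64}";
var bytes = new Uint8Array(atob(file).split("").map(function (c) { return c.charCodeAt(0); }));
var a = document.createElement("a");
a.href = window.URL.createObjectURL(new Blob([bytes], { type: "octet/stream" }));
a.download = "sample.bin"; a.click();
</script></body></html>`;
const SAMPLE_EXPORT = `<html><body><script>
function exportCsv(rows) {
  var a = document.createElement("a");
  a.href = URL.createObjectURL(new Blob([rows.join(",")], { type: "text/csv" }));
  a.download = "export.csv"; a.click();
}
</script></body></html>`;
for (const s of [SAMPLE_SMUGGLE, SAMPLE_EXPORT]) console.log(scanHtml(s));
```

The second sample is an ordinary client-side CSV export: it scores on the delivery markers alone and is not flagged, which is why the rule keys on the embedded payload rather than on Blob usage by itself.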

 

:LINKS:

https://www.ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript

Gemini Security - Understanding HTML Smuggling (VIDEO) 

https://micahbabinski.medium.com/html-smuggling-detection-5adefebb6841
