What is HTML smuggling?

HTML smuggling is a technique for bypassing perimeter security devices by generating malicious content behind the firewall – within the browser on the target endpoint.

HTML smuggling techniques sidestep traditional network security solutions such as email scanners, proxies and sandboxes by using the features of HTML5 and JavaScript. The malicious file is assembled within the browser on the target device, which is already inside the security perimeter of the network. Most network security solutions work by monitoring the ‘wire’, the flow of data in and out of the network, looking for patterns and signatures of known or suspected malware within the byte stream. With HTML smuggling, the malicious payload is constructed within the browser on the target device, so no malicious object is transferred over the wire for the perimeter security systems to detect.

The goal of HTML smuggling is to deliver a malicious payload to the target device. This is usually done either with a download via a Data URL (data:) or by creating a JavaScript Blob with the appropriate MIME type to trigger a download to the client device. The Duri malware, for example, uses the JavaScript Blob technique to create and download the malicious payload to the target device.

When triggered by visiting a malicious website, the Duri preloader uses JavaScript to create a ZIP file and deposit it onto the target PC. The user must then be tricked into opening the ZIP file. If this happens, the contents of the ZIP file are invoked: a Windows Installer package which installs the malware payload onto the target device.

How does HTML smuggling work?

HTML smuggling is made possible by the HTML5 ‘download’ attribute for anchor tags. When a user clicks on the link, the browser downloads the file referenced in the href attribute and saves it under the name given in the download attribute. For example:

<a href="/malware/evil.doc" download="innocent.doc">Click</a>

When a user clicks on the link, the file ‘evil.doc’ would be saved to the device and named ‘innocent.doc’.

The same can be achieved using Javascript:

// Create the anchor in script; the download attribute sets the saved file name
var myAnchorElement = document.createElement('a');
myAnchorElement.download = 'innocent.doc';

When working with JavaScript, the file to be downloaded can be created using a JavaScript Blob. A Blob is a representation of raw data that can be passed to a JavaScript API that is expecting a URL. So instead of providing a URL link to a file hosted on a server, the file is created from a Blob within the JavaScript itself:

// myEvilFile holds the file content already embedded in the script (e.g. decoded from a string);
// the MIME type is a generic binary type so the browser offers it as a download
var myEvilBlob = new Blob([myEvilFile], {type: 'application/octet-stream'});

Finally, by creating a URL with the URL.createObjectURL method and then invoking the click action from within the JavaScript, the script mimics the user clicking on the link and starts the file download:

// Point the anchor at the in-memory Blob and trigger the download without user interaction
var myInnocentUrl = window.URL.createObjectURL(myEvilBlob);
myAnchorElement.href = myInnocentUrl;
myAnchorElement.click();

This technique is effective because all the perimeter firewall sees is expected traffic – HTML and JavaScript – and the JavaScript can be obfuscated to hide the contents of the Blob.

If the file created from the Blob were an Excel document containing a malicious macro, it would never have been transmitted over the wire as an Excel file or spotted by the network security systems, because the Excel file did not exist until the JavaScript Blob was decoded within the target browser.
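The chain just described (Blob, URL.createObjectURL, the download attribute and a scripted click, fed by a payload embedded in the script) is itself a usable detection signal for HTML arriving as an email attachment or from an untrusted site. The following scanner is an added example written for this article, not code from the page or from any product; its indicator regexes, weighting rule and the three sample pages are constructed here, and a plain `<a download>` link or a web app exporting runtime data via a Blob is deliberately left unflagged because only one side of the pattern is present. Heavily obfuscated scripts can hide these names, so this is one endpoint-side layer, not a replacement for the controls discussed below.

```python
import re

# Indicator regexes (constructed for this example) for the two halves of the pattern:
# the in-browser download chain, and an embedded payload the script decodes at runtime.
CHAIN_INDICATORS = {
    "blob_ctor":      re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url":     re.compile(r"URL\s*\.\s*createObjectURL\s*\(", re.I),
    "download_attr":  re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.I),
    "scripted_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}
PAYLOAD_INDICATORS = {
    "base64_decode":  re.compile(r"\batob\s*\(", re.I),
    "long_base64":    re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}
CHAIN_NAMES = set(CHAIN_INDICATORS)
PAYLOAD_NAMES = set(PAYLOAD_INDICATORS)


def matched_indicators(html: str) -> set[str]:
    """Return the names of every indicator present in the HTML (script content included)."""
    all_indicators = {**CHAIN_INDICATORS, **PAYLOAD_INDICATORS}
    return {name for name, rx in all_indicators.items() if rx.search(html)}


def is_suspected_smuggling(html: str) -> bool:
    """Flag only when most of the assembly chain co-occurs with an embedded payload.

    Threshold of 3 chain hits is an assumption: it tolerates one renamed or
    missing step while still requiring the Blob-to-download sequence."""
    hits = matched_indicators(html)
    return len(hits & CHAIN_NAMES) >= 3 and bool(hits & PAYLOAD_NAMES)


# Constructed samples: a plain download link, a legitimate client-side CSV export,
# and a page that decodes an embedded string into a download as described above.
PLAIN_LINK = '<a href="/reports/q3.pdf" download="q3.pdf">Download report</a>'
CSV_EXPORT = """<script>
function exportCsv(rows) {
  var blob = new Blob([rows.join('\\n')], {type: 'text/csv'});
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob); a.download = 'export.csv'; a.click();
}
</script>"""
SMUGGLED = """<script>
var b64 = '""" + "A" * 240 + """';
var bytes = Uint8Array.from(atob(b64), function(c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob); a.download = 'invoice.zip'; a.click();
</script>"""

if __name__ == "__main__":
    for label, sample in [("plain link", PLAIN_LINK), ("csv export", CSV_EXPORT), ("smuggled", SMUGGLED)]:
        print(label, is_suspected_smuggling(sample), sorted(matched_indicators(sample)))
```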

How is HTML Smuggling Used?

Menlo Security has recently described how the Duri malware has adapted to use HTML smuggling to avoid detection since July 2020. The malware dropped by Duri was previously delivered using Dropbox links and, Menlo Security speculates, the change in delivery method is probably an attempt to improve the rate of successful compromise of the target endpoints.

Which all leads to the obvious question – how can you defend against HTML smuggling techniques?

How to defend against HTML Smuggling

It is not feasible to disable JavaScript in most environments, as too many legitimate systems and web applications require it. It is almost impossible to identify malicious JavaScript as it flows down the wire, because the same JavaScript code can be obfuscated in many different ways, so content or signature matching is challenging. In addition, many legitimate JavaScript frameworks use obfuscation (minification) to reduce file sizes and improve the speed of web applications, so simply blocking obfuscated JavaScript is not really an option either.

The focus then turns to the targeted endpoints which receive the smuggled content.

A good network security design uses multiple layers of security provided by different technologies in order to achieve ‘defence in depth.’ So even if malware makes it past the network perimeter, it could still be detected or blocked by other defensive systems within the network. These could include:

  • Network segmentation to prevent lateral spread within the network.
  • Microsoft Windows Attack Surface Reduction, a feature of Microsoft Defender ATP, which can limit at the operating system level features that are commonly abused, such as running obfuscated scripts or MS Office applications spawning child processes.
  • A next-generation firewall may be able to block the source IPs or domains from which malicious scripts are being downloaded, if it receives intelligence from the vendor to automatically update its rules.
  • Third-party endpoint protection software may also help detect the download and attempted execution of malware delivered by HTML smuggling techniques to users’ PCs.
  • The malware dropped onto the target system may need to be invoked by the user, in which case security awareness training will help staff spot the attempts to trick them into assisting the malware.
