
file-smuggling's Introduction

Demo: https://file-smuggling.netlify.app/

HTML smuggling is not evil; it can be useful

File Smuggling Builder

This is a handy, self-contained HTML app that supports Windows, Mac, Linux and mobile.

It adopts the HTML smuggling technique, leveraging HTML5 and JavaScript to embed an encoded file in an HTML file. When the user runs the JavaScript code in a browser, it decodes the embedded payload, which in turn assembles the target file on the destination device.

You can convert your file to an HTML-encoded format with password protection, then use it as an email attachment or a file download from the web.

Download filesmugglingbuilder.html from this repository or try it online

Example

1a. Choose target file putty.exe, then generate putty.exe.html

1b. Open putty.exe.html, then retrieve putty.exe
Download putty.exe.html from this repository or try it online

(password is password)

2a. Choose target file Sample Document.docx, then generate Sample Document.docx.html

2b. Open Sample Document.docx.html, then retrieve Sample Document.docx
Download Sample Document.docx.html from this repository or try it online

https://github.com/gauravzack12/File-Smuggling (password is password)

HTML Smuggling Technique

Use of JavaScript Blob

When working with JavaScript, the file can be created using a JavaScript Blob. A Blob is a representation of the payload.

  // Wrap the payload in a Blob so the browser can treat it as a file
  var bobject = new Blob([payload], {type: 'octet/stream'});

Using the URL.createObjectURL

By invoking the click action from within the JavaScript, we mimic the user clicking on the link and starting the file download.

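  // Create an anchor element that is never added to the page
  var hiddenobject = document.createElement('a');
  // Object URL that points at the in-memory Blob
  var url = window.URL.createObjectURL(bobject);
  hiddenobject.href = url;
  // Suggested name for the saved file
  hiddenobject.download = targetfilename;
  // Programmatic click starts the download
  hiddenobject.click();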

Because the file is embedded in encoded form, no original file content passes through the network, bypassing email scanners, proxies and sandboxes.

As a security admin, if you don't want users to bypass these controls, you may fine-tune a detection rule based on its characteristics, or simply block HTML files.
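One way to turn those characteristics into a detection rule, as an added example that is not code from this repository: a Node.js heuristic that scores an HTML attachment on the Blob / createObjectURL / download / click chain shown above plus a long embedded encoded run. The weights, thresholds and sample documents are assumptions constructed for illustration.

```javascript
// Added example, not code from the repository. Indicator patterns come from the
// snippets on this page; weights and thresholds are assumptions to tune locally.
const INDICATORS = [
  { name: 'blob-constructor',  weight: 2, re: /new\s+Blob\s*\(/ },
  { name: 'create-object-url', weight: 2, re: /URL\s*\.\s*createObjectURL\s*\(/ },
  { name: 'scripted-click',    weight: 2, re: /\.click\s*\(\s*\)/ },
  { name: 'download-attr',     weight: 1, re: /\.download\s*=|\bdownload\s*=\s*["']/ },
  { name: 'octet-stream-type', weight: 1, re: /octet\/stream|application\/octet-stream/i },
];
const MIN_ENCODED_RUN = 1024; // assumed: shortest base64-like run treated as a payload
const PAYLOAD_WEIGHT = 3;     // assumed
const THRESHOLD = 9;          // assumed: the download chain alone (max 8) stays below it

// Length of the longest unbroken base64-alphabet run in the document.
function longestEncodedRun(html) {
  let longest = 0;
  for (const m of html.matchAll(/[A-Za-z0-9+\/]{64,}={0,2}/g)) {
    longest = Math.max(longest, m[0].length);
  }
  return longest;
}

// Score one HTML attachment or download body.
function scanHtml(html) {
  const hits = INDICATORS.filter((i) => i.re.test(html));
  const encodedRun = longestEncodedRun(html);
  let score = hits.reduce((sum, i) => sum + i.weight, 0);
  if (encodedRun >= MIN_ENCODED_RUN) score += PAYLOAD_WEIGHT;
  return { score, encodedRun, hits: hits.map((i) => i.name), suspicious: score >= THRESHOLD };
}

// Constructed samples (not real traffic).
const SAMPLES = {
  // Shape described on this page: embedded encoded data plus Blob/createObjectURL/click.
  smuggled: `<html><script>var payload = "${'QUJD'.repeat(512)}";
    var bobject = new Blob([payload], {type: 'octet/stream'});
    var hiddenobject = document.createElement('a');
    hiddenobject.href = window.URL.createObjectURL(bobject);
    hiddenobject.download = 'file.bin'; hiddenobject.click();</script></html>`,
  // Legitimate client-side export: same API chain, no embedded payload.
  csvExport: `<script>var b = new Blob([rows.join('\\n')], {type: 'text/csv'});
    var a = document.createElement('a'); a.href = URL.createObjectURL(b);
    a.download = 'report.csv'; a.click();</script>`,
  plainLink: '<a href="/files/report.pdf" download="report.pdf">Report</a>',
};
for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(scanHtml(html)));
}
```

The CSV export sample scores 7 and stays below the threshold, which is why the rule requires the embedded payload as well as the download chain rather than the API calls alone.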

Reference

https://attack.mitre.org/techniques/T1027/006/

#html smuggling #payload #javascript #pentest #poc #html #smuggling #tool
