In 2006, a terrorist gang plotted to blow up transatlantic aircraft using liquid explosives. But they had one challenge: Carrying the explosives directly would trigger baggage security scanners.
What they came up with was disturbingly brilliant:
To carry harmless liquids 'separately' in common beverage bottles, bypass the scanners, and then later mix them mid-flight to create an explosive cocktail!
Thankfully, this was prevented because security agencies had been monitoring the suspects for months.
(Trivia: the plot's discovery led to the ban on carrying liquids over 100ml in hand luggage, which stands even today.)
This story came back to me when I looked at an attack that is widely used in the digital world for evasion: the HTML Smuggling Attack.
This week, let's look at how an HTML Smuggling attack works and what the countermeasures are.
Attack Flow:
The attacker creates a malicious.exe file > Converts it into a different data format (say, base64) > Breaks it into smaller chunks.
The attacker then assigns the chunks to different variables in JavaScript > Hosts this JS file on a website > Sends the link to the victim over email.
The victim visits the site > The JavaScript assembles all the chunks into a Blob locally > Decodes the base64-encoded payload > malicious.exe is now ready > It gets downloaded onto the disk.
Here's the key part: when the firewall scans the traffic, it sees only HTML and JS being transferred (not a malicious.exe file). But when the webpage is rendered in the browser, malicious.exe is assembled and downloaded onto the endpoint > Mission accomplished for the attacker!
Key Insights:
This whole thing works because of JavaScript Blobs. A Blob holds a file's raw bytes in browser memory: the script decodes the encoded chunks, wraps the result in a Blob, and hands it to a browser API (URL.createObjectURL()) that turns it into a downloadable link. This is what lets the file be reconstructed and downloaded automatically on the device, entirely by JavaScript.
HTML Smuggling is highly evasive because it can bypass standard perimeter security controls (web proxies, email gateways, firewalls), which often only check for suspicious attachment types (exe, zip) or match traffic against signatures.
Attackers use HTML smuggling in two main ways: 1) a link to the HTML smuggling page is included in the email, or 2) the page itself is included as an attachment.
Countermeasures:
Leverage CDR (Content Disarm and Reconstruction), which removes active content from files and leaves only safe, static elements. It is a good defense against HTML smuggling, though it has limitations, such as handling encrypted content. CDR is available in multiple email security solutions.
Use a Group Policy Object (GPO) to make sure commonly abused file types, like .html and .hta, open in a text editor such as Notepad by default rather than in a browser. This reduces the risk of accidental execution.
Review browser settings and remove unnecessary features/plugins that could be exploited for HTML smuggling.
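As an added example (not from the original post), here is a Python triage script a defender might run over an HTML attachment or fetched page to spot the Blob-to-download API chain described in the attack flow above and recover the embedded payload for AV scanning instead of the HTML wrapper. The sample pages, indicator names and the 'MZ'-prefixed text payload are all constructed for this example.

```python
import base64
import hashlib
import re

# Constructed sample of the page the attack flow above describes: a base64 payload
# chunked into JS variables, rebuilt into a Blob, and force-downloaded. The
# "payload" is plain text with a fake 'MZ' prefix, not a real executable.
PAYLOAD = b"MZ" + b"constructed sample, not a real binary. " * 4
PAYLOAD_B64 = base64.b64encode(PAYLOAD).decode()
SAMPLE_HTML = f"""<html><body><script>
var p1 = "{PAYLOAD_B64[:40]}";
var p2 = "{PAYLOAD_B64[40:]}";
var bin = atob(p1 + p2);
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "invoice.exe"; a.click();
</script></body></html>"""
# Constructed benign page: it runs script too, but has no Blob-to-download chain.
BENIGN_HTML = '<html><body><script>document.title = "Report " + new Date().getFullYear();</script></body></html>'

SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{20,}={0,2})[\"']")
INDICATORS = {  # the browser API chain the attack flow above depends on
    "blob_constructor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    "forced_download": re.compile(r"\.download\s*="),
}
MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip", b"\x7fELF": "elf", b"%PDF": "pdf"}

def triage(html: str) -> dict:
    """Static triage of one HTML file or attachment: no browser, nothing executed."""
    scripts = "\n".join(SCRIPT.findall(html))
    hits = [name for name, rx in INDICATORS.items() if rx.search(scripts)]
    # Reassemble chunks the way the smuggling JS would: string literals in source
    # order. A heuristic; a production scanner would also follow array joins.
    try:
        blob = base64.b64decode("".join(B64_LITERAL.findall(scripts)), validate=True)
    except ValueError:  # binascii.Error (bad alphabet/padding) subclasses ValueError
        blob = b""
    kind = next((k for m, k in MAGIC.items() if blob.startswith(m)), "unknown" if blob else None)
    chain = {"blob_constructor", "object_url", "forced_download"} <= set(hits)
    return {
        "indicators": hits,
        "embedded_type": kind,  # hand the decoded bytes to AV/sandbox, not the HTML
        "embedded_sha256": hashlib.sha256(blob).hexdigest() if blob else None,
        "verdict": "suspicious" if chain or (blob and kind != "unknown") else "clean",
    }
```

On the constructed sample, triage() reports the full indicator chain, an embedded type of pe and a suspicious verdict; the benign page comes back clean with no embedded payload.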
Just like the liquid bomb plot exposed vulnerabilities in airport security, HTML Smuggling reveals how attackers constantly find new ways to bypass defenses. Stay Secure.