Summary

HTML smuggling is a delivery technique in which adversaries assemble the malicious payload programmatically in the victim's browser, using legitimate HTML5 and JavaScript features, rather than issuing an HTTP request to fetch the payload from a C2 server.

[Figure: HTML smuggling flow chart]
Figure 1. HTML smuggling overview

HTTP smuggling is not a new buzzword

HTTP request smuggling was first described in 2005 by Watchfire (later acquired by IBM).

It works by taking advantage of parsing discrepancies when one or more HTTP devices or entities (e.g. a cache server, proxy server, or web application firewall) sit in the data flow between the user and the web server.

HTTP request smuggling enables various attacks such as web cache poisoning, session hijacking, cross-site scripting and, most importantly, bypassing web application firewall protection. The attacker sends multiple specially crafted HTTP requests that cause the two targeted entities to see two different sets of requests, allowing the attacker to smuggle a request to one device without the other device being aware of it.

In a web cache poisoning attack, the smuggled request tricks the cache server into associating a URL with another URL's page content and caching that content for the URL. In a web application firewall attack, the smuggled request can be a worm (such as Nimda or CodeRed) or a buffer overflow attack targeting the web server. Finally, because HTTP request smuggling lets the attacker insert a request into the flow, it allows the attacker to manipulate the web server's request/response sequencing, which can lead to credential hijacking and other malicious outcomes.

Recent Attacks

HTML smuggling has recently been used in banking malware campaigns, notably in attacks attributed to:

  • DEV-0238 (also known as Mekotio)
  • DEV-0253 (also known as Ousaban)

Targeted Countries: Brazil, Mexico, Spain, Peru, and Portugal.

Technical Analysis

This technical analysis provides information on TTPs obtained from my own research and observations, as well as from trusted third-party sources.

I've broken the attack down in Table 1 according to the MITRE ATT&CK framework, to help detection and response teams easily incorporate these tactics, techniques, and procedures (TTPs) into their own frameworks.

Tactic: Initial Access [TA0001]
Technique: Phishing [T1566]
Procedure: Attackers deliver HTML smuggling through both email attachments and web drive-by downloads, using phishing emails and web pages.

Tactic: Execution [TA0002]
Technique: User Execution [T1204]
Procedure: The JavaScript code creates an "a" element, sets its href to the blob, and programmatically clicks it to trigger the download to the endpoint. Once the payload is downloaded to the endpoint, the user must open it to execute the malicious code.

Tactic: Persistence [TA0003]
Technique: Boot or Logon Autostart Execution [T1547]
Procedure: Attackers configure system settings to automatically execute a program during system boot or logon, to maintain persistence or gain higher-level privileges on compromised systems.

Tactic: Defense Evasion [TA0005]
Technique: Trusted Developer Utilities Proxy Execution [T1127]
Procedure: Attackers take advantage of trusted developer utilities to proxy the execution of malicious payloads. Many utilities used for software development tasks can execute code in various forms to assist in development, debugging, and reverse engineering.

Tactic: Command and Control [TA0011]
Technique: Application Layer Protocol [T1071]
Procedure: Attackers communicate using application layer protocols to avoid detection and network filtering by blending in with existing traffic.
Table 1: HTTP Smuggling TTPs
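The Execution row above describes the browser-side mechanics: the payload is built in memory (often from a base64 string), wrapped in a Blob, exposed through an object URL, attached to a programmatically created anchor with a download attribute, and clicked. The following scanner is an added example for detection teams, not code from the original post or from any of the campaigns it describes. It looks for that chain of indicators in an HTML file or attachment and returns a verdict; the indicator names, regular expressions, thresholds and verdict labels are my own assumptions, and the three HTML samples are constructed (the "payload" in the suspicious sample decodes to the text PLACEHOLDER).

```python
import re

# Indicators of the download chain described in the Execution row.
# Names and patterns are assumptions chosen for this example.
INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob|msSaveBlob", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "create_anchor": re.compile(r"createElement\s*\(\s*['\"]a['\"]\s*\)", re.I),
    "download_attr": re.compile(r"\.download\s*=|setAttribute\s*\(\s*['\"]download['\"]", re.I),
    "programmatic_click": re.compile(r"\.click\s*\(\s*\)", re.I),
    # A large inline base64 literal suggests the payload ships inside the page.
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}


def find_indicators(html_text):
    """Return the sorted list of indicator names present in the HTML text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(html_text))


def classify(hits):
    """Map a set of indicator hits to a triage verdict (labels are assumptions)."""
    hits = set(hits)
    download_chain = (
        "blob_constructor" in hits
        and ("object_url" in hits or "ms_save_blob" in hits)
        and ("download_attr" in hits or "programmatic_click" in hits)
    )
    embedded_payload = "base64_decode" in hits or "long_base64_literal" in hits
    if download_chain and embedded_payload:
        return "likely_html_smuggling"
    if download_chain:
        # Client-side export features (CSV, reports) use the same APIs;
        # the chain alone is a reason to review, not to block outright.
        return "client_side_download_review"
    if len(hits) >= 3:
        return "review"
    return "no_indicators"


def scan_html(html_text):
    """Scan one HTML document (page body or .html attachment) and return hits + verdict."""
    hits = find_indicators(html_text)
    return {"hits": hits, "verdict": classify(hits)}


# Constructed sample 1: the chain from the Execution row with an inline base64 blob.
SUSPICIOUS_HTML = """<html><body><script>
var b64 = 'UExBQ0VIT0xERVI=';  // constructed: decodes to 'PLACEHOLDER'
var bytes = atob(b64);
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'invoice.zip';
document.body.appendChild(a);
a.click();
</script></body></html>"""

# Constructed sample 2: a plain page with a static download link; no JS assembly.
BENIGN_HTML = """<html><body>
<a href="/reports/q3.pdf" download>Quarterly report</a>
<script>document.getElementById('menu').addEventListener('click', function () { console.log('open'); });</script>
</body></html>"""

# Constructed sample 3: a legitimate client-side CSV export using the same APIs
# but with no embedded payload, which should land in the review bucket.
EXPORT_HTML = """<script>
function exportCsv(rows) {
  var blob = new Blob([rows.join('\\n')], {type: 'text/csv'});
  var link = document.createElement('a');
  link.href = URL.createObjectURL(blob);
  link.download = 'export.csv';
  link.click();
}
</script>"""

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML), ("export", EXPORT_HTML)):
        result = scan_html(doc)
        print(f"{label}: {result['verdict']} hits={result['hits']}")
```

Feed `scan_html` the body of a web page or the decoded text of an .html/.htm email attachment. The regular expressions match the literal API names, so attackers who split or encode those strings will evade it; treat the output as a triage signal to pair with sandbox detonation and download telemetry, not as a blocking control on its own.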

Mitigations

  • User Training [M1017]
    • Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
  • Restrict Web-Based Content [M1021]
    • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
  • Limit Software Installation [M1033]
    • Block users or groups from installing unapproved software.
  • Restrict Library Loading [M1044]
    • Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.
  • Execution Prevention [M1038]
    • Block execution of code on a system through application control, and/or script blocking.
    • Privilege escalation and lateral movement often depend on software utilities that run from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally. 
  • Encrypt Sensitive Information [M1041]
    • Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personally identifiable information (PII), and restrict exfiltration of sensitive data.

Are you a victim?

Victims of HTTP smuggling should report it immediately to the Computer Emergency Response Team (CERT) of their country. When available, include the following information about the incident: the date, time, and location of the incident; the type of activity; the number of people affected; the type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Defending against the wide range of threats that use HTML smuggling

HTML smuggling poses challenges to conventional security solutions. Protecting against this highly evasive technique requires true defense in depth, and it is always better to stop an attack early in the attack chain.

Feel free to contact me here. I can help your business meet regulatory compliance using a Data Privacy Manager architecture consisting of key management, encryption, and data spoofing. Don't risk your organization's success by failing to protect your data properly.

