what's sad is a feature like this, not EXACTLY the same, would be great for certain types of legitimate web apps. but here we have what will both become an argument AGAINST such, and probably cause some real damages along the way. in practice, deploying a malicious flash payload would have been way harder than it is in theory. as long as it's not through a shady website or perhaps an ad service. but, those are both inherently dangerous/untrustworthy, so bad argument. this, is easy in theory AND practice... you really have to wonder what the W3C and browser vendors are actually thinking with this one... at least windows and ...edge... offer some layer of defense, SOME... this is why i won't get myself involved in infosec, despite many advising me such cuz job security and the usual non-reasons.
The fact that you have such broad knowledge in this industry and remain so humble, while explaining these things to less experienced people like me is a skill in itself. Your uploads are the highlight of my day. Thank you
Just wanna say that I appreciate how you zoom everything in to make things easier to see! A lot of videos miss that and turn watching the video into a big hassle, especially for people on mobile. Thank you!
fyi, there's a Chrome setting "Ask where to save each file before downloading" which will pop up a file dialog for each download before it actually gets saved out. I like it because I usually want to download to somewhere other than my downloads folder, but it also provides an additional click needed for when a random site tries a drive-by download
@MrKnowsItAll i had a virus automatically download and automatically run.... after getting automatically redirected. no time to delete it in the second it took to run
I found this fascinating. There have been times when I have asked acquaintances to test run executables I was working on (hobbyist, nothing malicious.) But e-mail servers don't like executable files as attachments. For a while, I could just change the extension and ask them to change it back. But then e-mail providers started detecting what might be disguised executables.
basically, the browser should by design block intrusive downloads, by not allowing it to download without some sort of user interaction, but much like the fullscreen request and audio and video auto playing it can be bypassed by calling the click function on an anchor element
I've noticed it also downloads files automatically when it's a filetype you can't render in the browser. Never thought much about it, but it can be used for the same purpose I guess...
Quick tip: VSCode has a really good extension called Live Server. You won't need to deploy a separate py server anymore for simple tasks like serving static pages.
HTML Smuggling is a fun technique. We saw a bunch of XLL and DOCM encoded files when this first came out, but now we see container files like ISO since it does not propagate Mark of the Web ADS.
Base 64 encode a zip with a hidden copy of Windows 7 calc and a malicious copy of one of its dlls both hidden and make a shortcut with a doc icon that points to calc. It's trusted on Windows vulnerable to dll side loading and won't have the motw if it's zipped
No, it's the same as sending you a URL to an exe file. Your browser might automatically download it if you configured it this way but it won't execute it. And who would run an executable they didn't ask for? You get tons of those by email anyway...
@@mestari6289 notepad, vscode, sublime text etc are called text editors. They can edit any human readable text file of course. I recommend that you try a more powerful text editor like vscode, you will thank me
I love that you briefly showed Googling something, landing on MDN (frontend bible)! I've been doing web development for 15+ years, and that's always my go-to move to learn something I don't understand!
love your videos John, a fun trick I saw recently, when you pipe your output with ''| clip'' you send it directly to clipboard ready to be pasted somewhere else. you make learning about cybersecurity fun, stay awesome.
The number of companies that force a download when you open a link is interesting - most browsers appear to allow another tab/window to open briefly to start a download and then close. It wouldn't be hard to make the file invoice.pdf.scr or something and most people would have a look.
I'm pretty sure I've heard of something similar being done with hover-over triggers. Of course, it's not perfectly drive-by, but regular in its maliciousness that you can simply bring your cursor _over_ an ad and it automatically fires a redirect or download event. I was sort-of expecting that to be in the discussion here, but the anchor functionality is also pretty nifty. (also, doesn't matter because Jscript, but missing semi-colons on lines 15 and 32)
I think it was a good attempt at trying to figure out a way of doing an automated download, but to be realistic, doing it through a hosted site and seeing if it would work would be more convincing.
2:23 Did you know that in VSCode you can just type "html:5" and press enter to automatically populate your document with the boilerplate HTML you will edit later on?
.click() works on / before page load??? Without interaction? 🤔 That's amazing! It means you can put a "download" button _inside_ a WebVR interface. The file can save without the user having to leave VR / re-enter. 😀
awesome video! I've been working on setting up auto download for pdf files for a client on the web. nothing payload wise but I am always trying to expand my JavaScript knowledge
one reason is because that way the file is self contained in the html and doesn't need hosting. There are a lot of ways to do the same thing, I think we all understand that, doesn't need extra discussion.
@@HyBlock The html still needs to be hosted, and having the entire file embedded takes roughly the same amount of storage space anyways. Sure there are a lot of ways, but why not just pick the easiest? 😁
Tried this on multiple browsers and the extension ".download" is always appended, not fully convinced it isn't a mistake on my part somewhere however - great videos as always. I love that .lnk files can be used to exfiltrate NTLM hashes even just by looking at the Downloads folder (not even opening the file), so auto-downloading that file could result in the NTLM hash being sent to the attacker if a user even visits the Downloads folder to delete the file. Food for thought :D
you can probably even use fetch api to fetch the files asynchronously after page load. they even have the res.blob() method to directly get the blob form.
I used to have a lot of fun crafting hta's, or HyperText Applications back in the day. I wonder if those are still viable options. ... and as soon as i unpause, you've tested hta. good times 😄
@@casualamber not an exploit either. it's just standard browser behavior. other sites deploy the exact same thing for legitimate files, it would be considered a "hack" or "exploit" if it automatically ran the downloaded file.
yep, but this exact method is, extremely dangerous and setting a very bad example. they clearly were not thinking when this was implemented. [alternatively, they WERE thinking since this is another excuse to strip users/developers of tools/control because "it's dangerous". then they can force us to use their specific services and walled garden BS]
@@ETXAlienRobot201 The good uses far outweighs the bad. There are a number of websites that provide a GUI for generating data packs for Minecraft. If it can be generated in JavaScript, the server doesn't have to do any work. There are a number of websites that allow you to generate or edit images client-side. again the server doesn't have to do any of the work. However, if this scripting feature was removed, those sites are still going to exist but they will end up doing all of the work server-side and less of those sites are going to exist because server-side processing isn't possible on some sites. On GameFAQs, The Download button was removed. With a bit of client-side scripting, I added the Download button back. If for some reason, someone isn't allowed to download and run the "Floating IPS" software to patch a file, there is a website that can do the same task and the web server never receives any files.
@@nanopi that's actually a *really* bad example. you automatically generate the content and you open a download file prompt. problem solved. as for load on the server on a generator, the mechanism for downloading the content doesn't matter all that much. what matters is how much the server has to send over for the generator to even load. again, there is a dedicated mechanism, the save file prompt, to actually write the data to disk. so, the question is how big are any base/stock assets, the script files, and how many of them are there? THAT is where your server load comes from. however, on that note, generating the content in-browser may not be feasible. and an awful lot of the websites which in some way generate content in fact use the server, servers are BUILT for that kind of work, actually. should take a look, especially at enterprise-grade IBM mainframes, and good chance a lot of the public servers [actual physical machines, most webmasters don't touch them directly] are running on something like that. it could generate/transmit GBs if not TBs of minecraft resource packs without breaking a sweat.
@@ETXAlienRobot201 One thing I should clarify is that currently I can click a button on the page to download a file and not have to click a second time to save the file. The examples I gave earlier won't start a download until a button is clicked. Also, I do agree that it is very weird to get a download when I'm just visiting a website. MEGA has an interesting use case. They don't want the ability to do file decryption on the server. If they had the ability to do decryption on the server, then they have access to unencrypted file content. using click() on the anchor element is the part that starts the download. Is this the only thing you think is bad? I would make it so that there is a distinction between "when the page loads" and "the user manually clicked a button on the page" and then have the ability to choose different behaviours in the browser settings. It takes an inordinate amount of time to open the "save as" window. I'd rather just go and cancel or delete downloads I don't want. It's also incredibly rare that any site I go to tries to surprise me with a random download.
@@nanopi right, know of some of those... exactly mega. yeh... they by design do not want to store the keys. they learned from the complete BS illegal shutdown of mega upload. iirc, they still don't passively download files. at least, they don't write them to disk. they passively download + decrypt the file in memory and then invoke a download prompt. if you ever use the website, watch the memory usage of the browser, it increases as the entire file loads into memory. it's not a matter of thinking, it's flat-out bad. especially combined with browsers just downloading files to the downloads folder. if you want to automatically click something, you would use an auto-clicker generally. and that's at the user's discretion, typically for either click farms or cheating idler games. the save as window should not take a long time unless the whole computer is running slow. [admittedly common these days, especially on windows] also, what if the site passively downloads a multi-GB sized file? that takes space on your main drive. and sure, you can delete it, but that operation isn't free, either. especially after doing it so many times creates disk fragmentation. and this is where filesystem operations will start to significantly slow a computer down. [unlike the misconception many icons on the desktop does]
interesting that line 15 in your script function didn’t have a semi-colon at all, yet it still works unimpeded. i was expecting an error message or alert. but, i suppose javascript in html is more forgiving in some ways.
@@n.i.g.e.l Yeah, although in this case it wouldn't make any difference to use those because they aren't in a function so they'll always be in the global scope.
Yeah, semicolons are not strictly necessary in JS. There are some cases where they make a difference though: for example when defining a self-invoking function right after another ordinary function, without a semicolon or brackets it can be interpreted as passing an argument instead. I recommend reading JavaScript Garden if you want to be aware of these language quirks, if you're like me you'll find it very interesting.
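The case described in the comment above, as an added example that is not code from the video or from the commenter: three functions that differ only in how the line after a function expression is terminated. Both function bodies and the recorded call log are constructed for this illustration.

```javascript
// Added example: the ASI (automatic semicolon insertion) trap described above.
// All three functions are constructed for this illustration.

// With the semicolon, the IIFE on the next line is its own statement.
function withSemicolon() {
  const calls = [];
  const first = function (arg) {
    calls.push('first called with ' + typeof arg);
    return 'first';
  };
  (function () { calls.push('iife ran'); })();
  return { calls, firstIsFunction: typeof first === 'function' };
}

// Without it, the parser keeps reading: the "(" on the next line turns the
// function expression into a CALL, with the would-be IIFE passed as its argument.
// The return value ('first', a string) is then called by the trailing "()",
// which throws a TypeError, so the assignment to `first` never completes.
function withoutSemicolon() {
  const calls = [];
  let first;
  try {
    first = function (arg) {
      calls.push('first called with ' + typeof arg);
      return 'first';
    }
    (function () { calls.push('iife ran'); })()
  } catch (e) {
    calls.push(e.constructor.name);
  }
  return { calls, firstIsFunction: typeof first === 'function' };
}

// Defensive idiom: a leading semicolon on the IIFE line makes it safe no matter
// how the previous line ended (common in concatenated bundles).
function withLeadingSemicolon() {
  const calls = [];
  const first = function (arg) {
    calls.push('first called with ' + typeof arg);
    return 'first';
  }
  ;(function () { calls.push('iife ran'); })()
  return { calls, firstIsFunction: typeof first === 'function' };
}
```

Running the three: the first and third report only `iife ran`, while the second reports `first called with function` followed by `TypeError`, and `first` is never assigned. The video's script gets away with missing semicolons because none of its lines starts with `(` or `[`.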
I had an experience of an attack that used base64 as payload to obfuscate the payload making it very difficult to figure out where it was coming from. Good times lol
The trick would be to have it download a legit commonly downloaded file which bypasses smart screen then strip the MoTW just before it attempts to run. Preferably pick a file with known exploits; trigger said exploit; pwned.
You could probably do this without JavaScript as well. You could likely use the base64 in a data: url inside of an tag and it would likely have similar results. Haven't tested it, but it should work in theory.
I'm pretty sure that the Download would not start in an IFrame. Downloads in Iframes are usually blocked by browsers if they are not caused by direct user interaction (click on link or button). Making JavaScript click a button does not mark it as user interaction. Honestly I would've expected the same to be applied to regular Downloads outside of Iframes as well, but for the latter I know that it's implemented at least in Chrome and FF.
@@dohe7716 Downloads from s are not blocked by firefox, IE or chrome. If you src the link to the download it will just instantly download it, because this doesn't become possible because of the execution (click anchor, binary->base64 conversion, etc are all pointless), it becomes possible because modern browsers by default download everything a site serves them, regardless of how it is served and with no interaction required by default. You can install those browsers in a VM to check out the default behavior. When Firefox recently added this "feature" I've pointed this out as an issue too and was promptly shut down because apparently the benefit of people being able to have their files instantly downloaded to their local user downloads folder outweighs the potential abuse. Attached was a PoC to a site that just served you thousands of s to downloads, resulting in the browser freezing up (and eventually crashing) as it littered thousands of pre-allocated parts on the drive, maxing it out and requiring you to manually delete them to free up the space as it would not clean up after such a crash.
The .buffer method of the typed array at 9:05, if i am not wrong, is it a sort of a way of returning the typed array values? can we not just return the "bytes_data" typed array?
Good video :) I'm curious though, is there a benefit to this approach of making the blob as opposed to just having the anchor that you click with JS just point to a regularly hosted file on a server somewhere?
For non-malicious binaries? There is no advantage at all unless you decrypt on browser, like Mega does, it downloads the encrypted version from their service, then uses the decryption key from the url (which is right after the #, because is not passed to the server in the request) to decrypt the content and put it into a Blob then make the browser download it, this way Mega never keeps the decrypted version of the file neither its decrypted content ever touches their server, they learned this after being sued by keeping pirated content on their site for download. Now even if their servers are taken by law enforcement, they can't decrypt the content without the user password, so they can't prove that there is piracy stored there. But that's another story, apart from this kind of strategy of data storage, there's no other advantage than malicious applications.
Blob is such a strange word... it's like Bob but slightly different... My mind is going like "Here we have some data - let's give it a name and call it BLOB."
At 7:20 or so you say "decoding with atob() returns a big list", did you misspeak or am i misunderstanding something? atob() returns a string, no? Also the 3 lines that deal with decoding are SUPER confusing for a relative newcomer like me, hehe. If someone could explain in a more approachable way what each line does - i'd appreciate.
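The three decoding lines asked about above, and the `.buffer` question a few comments earlier, as an added example that is not code from the video or from any commenter. atob() does return a string (one character per byte, code 0-255); the loop copies those codes into a Uint8Array, which is what goes into the Blob. The base64 sample is constructed here and only begins with the two bytes "MZ" so that the type check has something to recognise; it is not a real executable. sniffType() and viewVsBuffer() are additions for this example.

```javascript
// Added example: the atob() -> Uint8Array -> Blob pipeline, spelled out, plus a
// defender-side look at what the decoded bytes are. Constructed sample input:
// "MZ" (the DOS/PE header magic) followed by filler, NOT a real executable.
const SAMPLE_B64 = btoa('MZ\x90\x00\x03\x00\x00\x00' + 'not-a-real-executable');

// Step 1: atob() turns base64 text into a "binary string", one char per byte.
// Step 2: charCodeAt() gives each char's byte value; store it in a typed array.
// Step 3 (in the video): wrap the typed array in a Blob. Done in toBlobSize() below.
function decodeBase64ToBytes(b64) {
  const binary = atob(b64);
  const bytes = new Uint8Array(binary.length);
  for (let i = 0; i < binary.length; i++) {
    bytes[i] = binary.charCodeAt(i);
  }
  return bytes;
}

// Magic-byte check on the decoded content. A page that decodes something whose
// first bytes are "MZ" or "PK" is handing the browser an executable or archive,
// whatever filename the download attribute claims.
function sniffType(bytes) {
  const at = (i) => bytes[i];
  if (at(0) === 0x4d && at(1) === 0x5a) return 'pe-executable';          // "MZ"
  if (at(0) === 0x50 && at(1) === 0x4b && at(2) === 0x03 && at(3) === 0x04) return 'zip'; // "PK\3\4"
  if (at(0) === 0x25 && at(1) === 0x50 && at(2) === 0x44 && at(3) === 0x46) return 'pdf'; // "%PDF"
  return 'unknown';
}

// Answers the .buffer question: a typed array is a VIEW; .buffer is the raw
// ArrayBuffer underneath it, which can be larger than the view.
function viewVsBuffer(bytes) {
  const head = bytes.subarray(0, 2);            // view over the same memory, no copy
  return {
    viewLength: head.length,                    // 2
    bufferByteLength: head.buffer.byteLength,   // length of the whole backing buffer
    sharesMemory: head.buffer === bytes.buffer  // true: .buffer is the backing store
  };
}

// Blob size for a given part, when Blob exists in this runtime (browsers, recent Node).
// new Blob([view]) copies only the view's bytes; new Blob([view.buffer]) copies the
// entire backing buffer, so passing .buffer of a subarray leaks the bytes around it.
function toBlobSize(part) {
  return typeof Blob === 'undefined' ? null : new Blob([part]).size;
}
```

For a plain typed array built as above, returning the array or its `.buffer` describes the same 29 bytes, so either works in the Blob constructor. The difference appears only when the array is a view over part of a larger buffer, where `.buffer` gives the Blob more than you meant.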
I never click on popups. As a web developer I don't use popups. There are plenty of ways to inform your user modally of information without resorting to an OS specific approach (which is what pop ups are). That being said, the other day I was looking for something and I was using Google instead of Duck Duck Go. Google just doesn't care anymore, and sometimes even nefarious sites are recommended first. Well I was looking for something and this one page popped up a window. I was in total autopilot mode since I was doing some local development at the time, and I just clicked to dismiss. The next thing I know it's trying to install an extension in Chrome and it's downloading files - which popped up since I have a setting in Chrome to do so whenever it tries to download a file. The problem is if that extension had gotten installed I would have probably been in a world of hurt. Extensions don't live in a sandbox like javascript does in your browser. I don't allow extensions to be installed, so I was covered, but not everyone does that.
Mr. Hammond, how many different programming languages do you know man? Which is your favorite? I know there’s better uses for each specific language, like for web development TS and JS, for game dev C#, etc. but generally speaking, which is your favorite to write? I’m in web dev / crypto web dev so my fav is TypeScript. Just curious as to what your fav is. Thanks in advance you cute, amazing, smart, handsome, brilliant, well spoken, intriguing, mystifying, confident, hard-working, sexy individual.
What I am looking for, is to have a Button -- in which if the user clicks the button, a file should download. This should be a frontend file download without a server or backend. How do I achieve this?
const download = (name, file) => {
  // build a detached anchor, set the download name and the href, then click it
  let e = document.createElement('a');
  [['download', name], ['href', file]].map(i => e.setAttribute(i[0], i[1]));
  e.click();
}
you can also do something like this if the file is on the internet (code by me)
You said like, comment, subscribe so quickly that I heard unsubscribe and I was like HOLD UP and rewound but I heard it correctly so yeah, but yeah cool vid
Pretty interesting. I think a dll would be the most dangerous extension. You could replicate a common dll so you don't have to wait for someone to run your sketch program, but instead wait for them to run something else that calls that dll.
@@Sammysapphira Windows actually searches the directory of the application executable for DLLs first, it only looks in the system directory for the DLL after this.
@@Sevicify Windows searches in KnownDLLs list first (this usually contains all the system library names) and then uses the usual search path if not found, so you have to be lucky and try to replicate some other common non system dll.
@@bamberghh1691 Yes I know about the KnownList, like you said it usually contains system libraries but it doesn't contain all of them. For example it doesn't list mswsock, bcrypt, MSVC runtimes (aside from MSVCRT) and DirectX libraries all of which get commonly used in various programs. So it really isn't hard to find a common library many programs use, system or otherwise.
@@Sevicify wow, thanks for the answer, didn't know there were so many system libraries that weren't in KnownDLLs. Then this is entirely possible, since it's not rare that you need to run some previously downloaded program in the download folder! Though i still don't know why browsers allow that download to happen without user interaction in the first place, is that even supposed to happen or just a bug?
when i hear "Drive by download" i think of those old java or flash based exploits that would download *and execute* a file by just visiting a page, but this just downloads so.
yep. but then you'll be tearing out your hair trying to do something useful/practical. it feels intentional at this point. we already know manifest V3 is not for our benefit, it's to kill adblockers and similar. and i saw it coming back when they targeted the NPAPI plugins. sooner or later, extensions would be targeted for disrupting the corporate attempts at controlling our user experience, tracking our every move, and shoving advertisements in our face. i imagine the argument when THIS feature blows-up will be "you can't automatically save/stream files because bad people , here's a new API/service that WE control, which means it's both secure and stable because we're reputable"
I went deep down this blackhole a while back. Many times you don't even need the javascript voodoo to force an unprompted download, you can just do it by redirecting/force clicking links to the binaries that are returned with funky mimetypes and the browser will be happy to download it for you!
Actually, an exe will execute perfectly fine with a bat extension despite not being a windows batch file at all, though I'm pretty sure smart screen would still catch it. There are quite a few extensions you can give an exe and have it still execute. I believe com will work, but my favorite is scr, which is the screensaver file format. Edit: I commented too early. I see you are also aware of the scr extension.
and the very nature of how this process is carried-out, leads to exactly that outcome. many users will click, a good chunk of those will override the security warnings. being able to do something like this is so ass-backwards i have to wonder if it was intentionally designed to work this way. create a security/privacy scandal to justify stripping users/developers of another tool. just how manifest v3 is being executed, "for your security/convenience!" , but what they really mean "is for our control/dominion/profits"
0:25 jesus christ yeah I never thought about that. Whenever a website automatically starts downloading a file with a pop up like that, we really don't question it as much as when we press the button ourselves do we?
I've only encountered automatic downloads with direct file links (to things I did intend to download) but haven't seen the malicious version of this before. Didn't even know people DID that
I get the error Unit8Array is not defined on brave firefox and google chrome across both linux and windows and the suggested fix is to change your browsers config which you couldn't really get a victim to do. any tips?
scary things like that is why you should get the extension "NoScript" as it'll block all javascripts on websites you visit until you specifically allow the javascript to run
@@LetrixAR that is true, but you have to remember the Follina exploit there. Even if the JS script can bypass you accepting or not, as soon as you try to delete the file it's already too late: that malware file executes as soon as you open the folder it's in, in this case user/downloads. So that is why preventing something from being downloaded onto your pc is essential in my eyes. My point is use noscript to protect yourself from malware like "Follina". Edit: it wasn't Follina that executed without being clicked. i know i saw a video about malware executing as soon as you enter the directory the malicious file is in, i can't remember what it was called
Oddly, doesn't work in my browser. Dunno why, but I prefer it that way. Now going to try if this can be used to fill a user's HD with junk... as browsers tend to allow compressed streams, should be possible to transfer a huge file full of NULL in a second or less.
Using “var” is bad practice because it creates a global variable. It’s best to use “const” for constant variables or “let” for variables that may change.
@@norsie45 var is function scoped and hoisted which can be confusing and lead to tons of easy to miss bugs. let is block scoped and not hoisted. Hoisted basically means that the compiler treats var defined variables as "global" to that function scope so you are able to use the variable before it's actually declared/init. The value would be undefined. Generally you want to default to using const and only use let if you need to change the variable later.
I'm surprised that the click function works without any actual user interaction. I kind of expected it to be like autoplay where it'll not do anything until you've actually interacted with the page. A couple notes, since there are a few legitimate purposes for using code like this. This will work with any href - including an actual URL - so you don't actually need to go through the whole converting to a blob stuff, and it'll still obey the name provided by the download attribute. You could even use a data URI and work with the base 64 string directly (unless converting to a blob has some advantage that wasn't explained?) Also, an alternate method to using the click function is using dispatchEvent, though this won't work in IE. I'm pretty sure the actual mimetype is application/octet-stream, not octet/stream, but it happens to work anyway. You can also download multiple files at once this way, and Chrome handles it by prompting if you want to download that many files at once, so it's very useful for batch downloads which can't be accomplished with HTML alone. I think Firefox pops up a Save As dialog for every file though, so this trick might not be as effective there just in general (have not tested in a recent version.) Finally, I'm pretty sure you could accomplish the same by using PHP to change the Content-Disposition header then just embed the file in a hidden . The downside being you couldn't customize the filename like with the download attribute and it requires writing code on the server side.
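A defender-side way to look for the patterns this thread describes (the anchor `download` attribute, a click fired from script as in the comment near the top, a blob or `data:` URI built in the page, `atob()` decoding, the octet-stream MIME type mentioned just above): an added example, not code from the video or from any commenter. The indicator list, the risk scoring and the two sample pages are constructed for this example; the sample "smuggling" page decodes the string "Hello", nothing else.

```javascript
// Added example: static scan of page source for the download-triggering patterns
// discussed in this thread. Indicators, scoring and sample pages are constructed.
const INDICATORS = [
  { id: 'download-attr',
    re: /\bdownload\s*=|\.download\s*=|setAttribute\(\s*['"]download['"]/i,
    why: 'anchor uses the download attribute (forces a save instead of navigation)' },
  { id: 'script-click',
    re: /\.click\(\s*\)|dispatchEvent\(\s*new\s+MouseEvent\(\s*['"]click['"]/,
    why: 'click synthesised from script, so no user gesture is needed' },
  { id: 'object-url',
    re: /URL\.createObjectURL\(/,
    why: 'blob URL built in-page; the file is never hosted separately' },
  { id: 'base64-decode',
    re: /\batob\(/,
    why: 'base64 decoded at runtime, typical of an embedded payload' },
  { id: 'data-uri-href',
    re: /href\s*=\s*['"]data:[^'"]*;base64,/i,
    why: 'file embedded as a base64 data: URI' },
  { id: 'octet-stream',
    re: /application\/octet-stream|octet\/stream/i,
    why: 'generic binary MIME type (note: the video\'s "octet/stream" is not the real name)' },
];

// Returns the indicators whose pattern occurs anywhere in the HTML/JS source.
function scanHtml(html) {
  return INDICATORS.filter((ind) => ind.re.test(html)).map(({ id, why }) => ({ id, why }));
}

// Simple triage: a script-driven click combined with in-page file construction is
// the combination the video demonstrates; a download attribute alone is ordinary.
function riskLevel(hits) {
  const ids = new Set(hits.map((h) => h.id));
  const embeds = ids.has('object-url') || ids.has('data-uri-href') || ids.has('base64-decode');
  const autoClick = ids.has('script-click');
  if (autoClick && embeds) return 'high';
  if (autoClick || (ids.has('download-attr') && embeds)) return 'medium';
  if (ids.size > 0) return 'low';
  return 'none';
}

// Constructed sample: the shape the thread describes, decoding only "Hello".
const SAMPLE_SMUGGLING_PAGE = `<html><body>
<script>
  var bin = atob("SGVsbG8=");
  var blob = new Blob([bin], {type: "application/octet-stream"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "report.txt";
  a.click();
</script></body></html>`;

// Constructed sample: a normal download link that needs a real user click.
const SAMPLE_BENIGN_PAGE = `<html><body>
<a href="/files/report.pdf" download="report.pdf">Download report</a>
</body></html>`;
```

Usage: read a saved page's source into a string and pass it to `scanHtml()`, then `riskLevel()`. The scoring is deliberately coarse; the point is that the `download` attribute on its own is a normal web feature, while a synthesised click plus an in-page blob or data URI is the pattern worth a closer look (or a proxy or mail-gateway rule).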
I'm pretty sure chrome had mitigations against this sort of attack when used with arbitrary URLs from the old popup ads / redirect to pdf/swf bullshit that drive by exploits were using. It really surprises me that it was possible using blobs and objects.
@@HonestAuntyElle Maybe you are thinking of Popunder - that's different, it's just a popup that appears underneath other windows. If something as simple as the download attribute isn't intended to be automatically clickable, I'm certain that would've been patched by Chrome a long time ago.
fancy seeing you here! yes, there are some legitimate uses for this behavior, albeit with a few more restrictions/safeguards. i just ... *facepalm* seeing stuff like this. i think back to all the "this is how dangerous flash is!" [despite never allowing such an easy drive-by] yet with javascript, they'll implement *extremely* exploitable features without the slightest of hesitation. and then they'll later ban/restrict the feature to the point of being useless when it gets exploited too easily. as i understand, firefox and anything based around firefox are stuck in the world of needing to click "yes" every time. one of my current projects is inching close to this becoming an issue. just a few more features to refine or implement and then i need to handle the saving of user data.
@@ETXAlienRobot201 IMO this isn't really as big of a deal as people in the comments make it out to be, since the file is only downloaded and not opened - there's no way to forcefully open the file. On the other hand, I can see how this could be abused if you could trick someone less tech savvy into thinking the downloaded file is just an ordinary button in the interface or something you have to click on to accomplish something. And like I said, I'm surprised it doesn't follow the same policy as pop-ups or autoplay where you need to interact with the page first before it's allowed, which I think would be reasonable for this.
Nice clear explanation. Thanks.
I see the cogs of future videos turning here
thank you jim! ♥
The og is learning too
The Legend.
Two of my favourite UA-camrs in one spot. Nice
I like how browsers need the user to interact to play audio but not download files
Well, as long as the user needs to interact to _run_ those files, it's safe (ish).
I mean at least it'll ask to "Keep" if it thinks it's suspicious.
actually you can use the same trick to auto play audio files and turn to fullscreen...
inb4 it plays something trick up a ai assistant
and either makes it open a website or somehow leaks something important from a user
Been using this for years as well for both reasons.
I don't use chrome but I do have that option in another browser. It's a good advice to always check what you're downloading just to be safe.
I'm sure you meant "save to", not "download to", as the act of downloading is transferring FROM something, not TO it.
@@eric_d My mistake, but yeah, anything sketchy take it with a grain of salt.
I thought only lay and old people saved directly on "downloads" folder... :s
Accidentally clicking a sketchy search result, then seeing something random automatically downloading is kinda scary.
It's even scarier when that file automatically downloads and then automatically opens 🤣
@MrKnowsItAll No, some automatically open
@@oscarchampion5842 Oof
@@oscarchampion5842 : ever seen the one where a thousand tabs open up with redirects to freeze your machine up so you can stop background process
Is vscode utilizing the live-server npm package under the hood?
@@EIP674 hmm never explored the internal workings
HTML Smuggling is a fun technique. We saw a bunch of XLL and DOCM encoded files when this first came out, but now we see container files like ISO since it does not propagate Mark of the Web ADS.
This is insane. This is awesome. Definitely could see this in spear phishing / social engineering attempts.
Base64 encode a zip with a hidden copy of Windows 7 calc and a malicious copy of one of its dlls, both hidden, and make a shortcut with a doc icon that points to calc. It's trusted on Windows, vulnerable to dll side loading, and won't have the motw if it's zipped
No, it's the same as sending you a URL to an exe file. Your browser might automatically download it if you configured it this way but it won't execute it. And who would run an executable they didn't ask for? You get tons of those by email anyway...
wow, i just learned more in 21 minutes than the last year i poked around in notepad++. finally a youtuber with some substance! awesome.
Notepad is just a text editor though. What did you poke around in? The notepad settings? 😂😂😂
@@TerminalHeatSink you can create any file with it not just .txt
@@TerminalHeatSink dude, notepad++ is a source code editor. i didn't say anything about notepad.
@@mestari6289 notepad, vscode, sublime text etc are called text editors. They can edit any human readable text file of course.
I recommend that you try a more powerful text editor like vscode; you will thank me
I love that you briefly showed Googling something, landing on MDN (frontend bible)!
I've been doing web development for 15+ years, and that's always my go-to move to learn something I don't understand!
love your videos John,
a fun trick I saw recently, when you pipe your output with "| clip" you send it directly to clipboard ready to be pasted somewhere else.
you make learning about cybersecurity fun, stay awesome.
thank you for the great trick man
nice
Thank you for calling out the local file thing. You will actually have different permissions for a file served locally versus remotely.
Good tip: don't use atob (they deprecated it; one of the reasons was a Buffer Overflow.) Replace var with const/let
Yeah my programming teacher also told me to use let instead of var because if I remember correctly let is not global unlike var
@@ancestrall794 var is function-scoped, let is {}-scoped.
The number of companies that force a download when you open a link is interesting - most browsers appear to allow another tab/window to open briefly to start a download and then close. It wouldn't be hard to make the file invoice.pdf.scr or something and most people would have a look.
Everyone’s calling out the JavaScript 😂
Great video though! Thanks for all the resources and education you put out John.
I'm pretty sure I've heard of something similar being done with hover-over triggers. Of course, it's not perfectly drive-by, but regular in its maliciousness that you can simply bring your cursor _over_ an ad and it automatically fires a redirect or download event. I was sort-of expecting that to be in the discussion here, but the anchor functionality is also pretty nifty.
(also, doesn't matter because Jscript, but missing semi-colons on lines 15 and 32)
You got my respect when you pronounced .js as "JScript"
I think it was a good attempt at trying to figure out a way of doing an automated download, but to be realistic, doing it through a hosted site and seeing if it would work would be more convincing.
You make everything look so easy! It's so satisfying to watch you fly around a screen doing all this stuff.
2:23 Did you know that in VSCode you can just type "html:5" and press enter to automatically populate your document with the boilerplate HTML you will edit later on?
or just "!"
I don't know why, but the notion of base64-ing a binary blew my mind as a method of payload transmission.
.click() works on / before page load??? Without interaction? 🤔
That's amazing! It means you can put a "download" button _inside_ a WebVR interface. The file can save without the user having to leave VR / re-enter. 😀
One of the greatest online teachers of cyber-sec.
Thanks for the video. I really like how you incorporate the fast forward effect when looking for information.
love your hair color man. thank you for the video
Crazy. Now all I need is to somehow execute the file automatically as well.
awesome video! I've been working on setting up auto download for pdf files for a client on the web. nothing payload wise but I am always trying to expand my JavaScript knowledge
Why do all of that base64 decoding when you could just host the file itself and point a url to it?
One more thing: you could create a link, and set its href to "data:application/octet-stream;base64,[BASE64]" replacing [BASE64] with your base64 data.
one reason is because that way the file is self contained in the html and doesn't need hosting. There are a lot of ways to do the same thing, I think we all understand that, doesn't need extra discussion.
@@HyBlock The html still needs to be hosted, and having the entire file embedded takes roughly the same amount of storage space anyways. Sure there are a lot of ways, but why not just pick the easiest? 😁
Thanks for sharing this knowledge. I've seen this in wild but now I know how to identify them. Great stuff!
Tried this on multiple browsers and the extension ".download" is always appended, not fully convinced it isn't a mistake on my part somewhere however - great videos as always. I love that .lnk files can be used to exfiltrate NTLM hashes even just by looking at the Downloads folder (not even opening the file), so auto-downloading that file could result in the NTLM hash being sent to the attacker if a user even visits the Downloads folder to delete the file. Food for thought :D
Same here! Have you tried to fix it?
Thanks man, now I know what it's used for
I have been wanting to know what it is for a really long time.
I can never be as confident with my Code as this man
Thanks! I've been searching how to get it and this is brilliant :D
Late, but Set-Clipboard is a lifesaver in PowerShell.
Very excited for this one, always wondered that lol
Hey John!! What about being a content creator for TCM ACADEMY??? Nice video!!!
This is going to be new for my targets. Thanks for your help ;)
OMG
this happened to me literally this week when I clicked on a Facebook ad. Facebook is becoming so lame with their ads. 🤦
So, does this bypass the “where do you want to download this to” message?
This worked incredibly well! I can finally play it thanks
you can probably even use fetch api to fetch the files asynchronously after page load. they even have the res.blob() method to directly get the blob form.
Love these videos. Thank you john for teaching all of us how it's done. :)
I used to have a lot of fun crafting hta's, or HyperText Applications back in the day. I wonder if those are still viable options. ... and as soon as i unpause, you've tested hta. good times 😄
This type of hack is honestly the most terrifying to me
not really a hack, but more like an exploit
@@casualamber not an exploit either. it's just standard browser behavior. other sites deploy the exact same thing for legitimate files, it would be considered a "hack" or "exploit" if it automatically ran the downloaded file.
It doesn't run the file. There's nothing hack about it. Browsers have done this forever
It's harmless.
Actually really useful to generate file data in a web page and immediately download it.
yep, but this exact method is, extremely dangerous and setting a very bad example. they clearly were not thinking when this was implemented. [alternatively, they WERE thinking since this is another excuse to strip users/developers of tools/control because "it's dangerous". then they can force us to use their specific services and walled garden BS]
@@ETXAlienRobot201 The good uses far outweigh the bad.
There are a number of websites that provide a GUI for generating data packs for Minecraft. If it can be generated in JavaScript, the server doesn't have to do any work.
There are a number of websites that allow you to generate or edit images client-side. again the server doesn't have to do any of the work.
However, if this scripting feature was removed, those sites are still going to exist but they will end up doing all of the work server-side and less of those sites are going to exist because server-side processing isn't possible on some sites.
On GameFAQs, The Download button was removed. With a bit of client-side scripting, I added the Download button back.
If for some reason, someone isn't allowed to download and run the "Floating IPS" software to patch a file, there is a website that can do the same task and the web server never receives any files.
@@nanopi
that's actually a *really* bad example. you automatically generate the content and you open a download file prompt. problem solved.
as for load on the server on a generator, the mechanism for downloading the content doesn't matter all that much. what matters is how much the server has to send over for the generator to even load. again, there is a dedicated mechanism, the save file prompt, to actually write the data to disk. so, the question is how big are any base/stock assets, the script files, and how many of them are there? THAT is where your server load comes from.
however, on that note, generating the content in-browser may not be feasible. and an awful lot of the websites which in some way generate content in fact use the server, servers are BUILT for that kind of work, actually. should take a look, especially at enterprise-grade IBM mainframes, and good chance a lot of the public servers [actual physical machines, most webmasters don't touch them directly] are running on something like that. it could generate/transmit GBs if not TBs of minecraft resource packs without breaking a sweat.
@@ETXAlienRobot201 One thing I should clarify is that currently I can click a button on the page to download a file and not have to click a second time to save the file. The examples I gave earlier won't start a download until a button is clicked.
Also, I do agree that it is very weird to get a download when I'm just visiting a website.
MEGA has an interesting use case. They don't want the ability to do file decryption on the server. If they had the ability to do decryption on the server, then they have access to unencrypted file content.
using click() on the anchor element is the part that starts the download. Is this the only thing you think is bad? I would make it so that there is a distinction between "when the page loads" and "the user manually clicked a button on the page" and then have the ability to choose different behaviours in the browser settings.
It takes an inordinate amount of time to open the "save as" window. I'd rather just go and cancel or delete downloads I don't want. It's also incredibly rare that any site I go to tries to surprise me with a random download.
@@nanopi
right, know of some of those...
exactly
mega. yeh... they by design do not want to store the keys. they learned from the complete BS illegal shutdown of mega upload. iirc, they still don't passively download files. at least, they don't write them to disk. they passively download + decrypt the file in memory and then invoke a download prompt. if you ever use the website, watch the memory usage of the browser, it increases as the entire file loads into memory.
it's not a matter of thinking, it's flat-out bad. especially combined with browsers just downloading files to the downloads folder. if you want to automatically click something, you would use an auto-clicker generally. and that's at the user's discretion, typically for either click farms or cheating idler games.
the save as window should not take a long time unless the whole computer is running slow. [admittedly common these days, especially on windows] also, what if the site passively downloads a multi-GB sized file? that takes space on your main drive. and sure, you can delete it, but that operation isn't free, either. especially after doing it so many times creates disk fragmentation. and this is where filesystem operations will start to significantly slow a computer down. [unlike the misconception many icons on the desktop does]
Working like charm !!!! thanks for sharing and keep up !!!
This has never happened, Chrome always asks where and if I want to download a file.
interesting that line 15 in your script function didn’t have a semi-colon at all, yet it still works unimpeded. i was expecting an error message or alert. but, i suppose javascript in html is more forgiving in some ways.
You'd be surprised, also note how he didn't declare the first variables with let, var or const.
javascript is very forgiving, too forgiving maybe
I never use semicolons in JS (since ES6). It's really not needed outside very specific cases
@@n.i.g.e.l Yeah, although in this case it wouldn't make any difference to use those because they aren't in a function so they'll always be in the global scope.
Yeah, semicolons are not strictly necessary in JS. There are some cases where they make a difference though: for example when defining a self-invoking function right after another ordinary function, without a semicolon or brackets it can be interpreted as passing an argument instead. I recommend reading JavaScript Garden if you want to be aware of these language quirks, if you're like me you'll find it very interesting.
Thanks for the video John, Can the file be executed automatically, or is it just downloaded.
I had an experience of an attack that used base64 as payload to obfuscate the payload making it very difficult to figure out where it was coming from. Good times lol
The trick would be to have it download a legit commonly downloaded file which bypasses smart screen then strip the MoTW just before it attempts to run. Preferably pick a file with known exploits; trigger said exploit; pwned.
As a full stack web developer, it hurt when you used 'var' instead of 'let' & didn't use 'const' when it was applicable.
you can clearly see that, he isn't a javascript programmer, he wrote i = 0 without let like the other languages
@@rednexie though, at least he knows how to get around js, even if he's writing it like it's 2014 (aka pre es6). (Ik I'm late, but hay)
You could probably do this without JavaScript as well. You could likely use the base64 in a data: url inside of an tag and it would likely have similar results. Haven't tested it, but it should work in theory.
I'm pretty sure that the Download would not start in an IFrame. Downloads in Iframes are usually blocked by browsers if they are not caused by direct user interaction (click on link or button). Making JavaScript click a button does not mark it as user interaction.
Honestly I would've expected the same to be applied to regular Downloads outside of Iframes as well but for the latter I know that it's implemented at least in Chrome and FF.
@@dohe7716 Downloads from s are not blocked by firefox, IE or chrome. If you src the link to the download it will just instantly download it, because this doesn't become possible because of the execution (click anchor, binary->base64 conversion, etc are all pointless), it becomes possible because modern browsers by default download everything a site serves them, regardless of how it is served and with no interaction required by default. You can install those browsers in a VM to check out the default behavior. When Firefox recently added this "feature" I've pointed this out as an issue too and was promptly shut down because apparently the benefit of people being able to have their files instantly downloaded to their local user downloads folder outweighs the potential abuse. Attached was a PoC to a site that just served you thousands of s to downloads, resulting in the browser freezing up (and eventually crashing) as it littered thousands of pre-allocated parts on the drive, maxing it out and requiring you to manually delete them to free up the space as it would not clean up after such a crash.
You really good at explaining thank you
"You don't normally just download .exe files off the internet."
Me downloading puppet combo games.. 😐
The .buffer method of the typed array at 9:05 , if i am not wrong, is it a sort of a way of returning the typed array values, can we not just return the "bytes_data" typed array?
Good video :) I'm curious though, is there a benefit to this approach of making the blob as opposed to just having the anchor that you click with JS just point to a regularly hosted file on a server somewhere?
For non-malicious binaries? There is no advantage at all unless you decrypt on browser, like Mega does, it downloads the encrypted version from their service, then uses the decryption key from the url (which is right after the #, because is not passed to the server in the request) to decrypt the content and put it into a Blob then make the browser download it, this way Mega never keeps the decrypted version of the file neither its decrypted content ever touches their server, they learned this after being sued by keeping pirated content on their site for download. Now even if their servers are taken by law enforcement, they can't decrypt the content without the user password, so they can't prove that there is piracy stored there.
But that's another story, apart from this kind of strategy of data storage, there's no other advantage than malicious applications.
Blob is such a strange word... it's like Bob but slightly different... My mind is going like "Here we have some data - let's give it a name and call it BLOB."
Thank you, it works perfect!
At 7:20 or so you say "decoding with atob() returns a big list" did you misspeak or am i misunderstanding something? atob() returns a string, no?
Also the 3 lines that deal with decoding are SUPER confusing for a relative newcomer like me , hehe. If someone could explain in a more approachable way what each line does - i'd appreciate.
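For anyone puzzling over those three decoding lines: atob() turns the base64 text back into a string of raw bytes, the Uint8Array loop copies each character code into a real byte array, and the Blob wraps those bytes as a file the browser can save. From the defender's side, the useful version of those same steps is to pull the base64 out of a suspicious page, decode it, and look at what the bytes actually are. The following Python script is an added example, not code from the video or from any project; it scans an HTML file for the indicators named in this thread (atob, Uint8Array, Blob, createObjectURL, a created anchor with a download attribute, a scripted click, or a base64 data: URI), decodes every long base64 run the way atob() would, and reports the payload's type from its magic bytes plus a SHA-256 for lookup. The indicator regexes, the 64-character minimum run length, the embedded sample page and the fake "MZ" header are all my assumptions, constructed for the demonstration:

```python
"""Triage an HTML page for the atob -> Uint8Array -> Blob -> anchor.click()
download pattern discussed in this thread and identify the embedded payload.
Added example for analysts; not code from the video."""
import base64
import binascii
import hashlib
import re

# Script-side calls that together make up the pattern. Each one alone has
# legitimate uses; the combination plus an embedded executable is the signal.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "Uint8Array": re.compile(r"\bUint8Array\b"),
    "Blob": re.compile(r"\bnew\s+Blob\s*\("),
    "createObjectURL": re.compile(r"URL\.createObjectURL\s*\("),
    "anchor_create": re.compile(r"createElement\s*\(\s*['\"]a['\"]\s*\)"),
    "download_attr": re.compile(r"\.download\s*=|setAttribute\s*\(\s*['\"]download['\"]"),
    "click": re.compile(r"\.click\s*\(\s*\)"),
    "data_uri": re.compile(r"data:[\w/.+-]+;base64,"),
}

# A run of base64 text long enough to plausibly carry a file. The 64-char
# minimum is an assumption chosen to skip identifiers and short tokens.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# (offset, signature, label). Containers such as ZIP and ISO matter because,
# as noted earlier in the thread, files inside them may not carry Mark-of-the-Web.
MAGIC = [
    (0, b"MZ", "PE executable (exe/dll/scr)"),
    (0, b"PK\x03\x04", "ZIP container (zip/docx/xlsx/jar)"),
    (0, b"%PDF", "PDF document"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"\xd0\xcf\x11\xe0", "OLE compound document (doc/xls/msi)"),
    (0x8001, b"CD001", "ISO 9660 image"),
]


def identify(data: bytes) -> str:
    """Return a file-type label from well-known magic bytes, or 'unknown'."""
    for offset, sig, label in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return label
    return "unknown"


def find_indicators(html: str) -> list:
    """Names of the INDICATORS regexes that occur anywhere in the page."""
    return [name for name, rx in INDICATORS.items() if rx.search(html)]


def extract_payloads(html: str) -> list:
    """Decode every long base64 run (what atob() would see) and describe it."""
    payloads = []
    for m in B64_RUN.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # not valid base64 (bad length or padding), skip it
        payloads.append({
            "offset": m.start(),
            "length": len(data),
            "type": identify(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return payloads


def triage(html: str) -> dict:
    """Full report: indicators found, decoded payloads and a simple verdict."""
    indicators = find_indicators(html)
    payloads = extract_payloads(html)
    has_file = any(p["type"] != "unknown" for p in payloads)
    scripted_save = "click" in indicators and (
        "Blob" in indicators or "data_uri" in indicators)
    return {"indicators": indicators, "payloads": payloads,
            "suspicious": has_file and scripted_save}


# Constructed sample: a fake PE header (only the 'MZ' stub, not a real program)
# embedded in a page that uses the thread's download pattern.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode." + b"\x00" * 40
SAMPLE_HTML = """<html><body><script>
var data = "__B64__";
var bytes = atob(data);
var arr = new Uint8Array(bytes.length);
for (i = 0; i < bytes.length; i++) arr[i] = bytes.charCodeAt(i);
var blob = new Blob([arr.buffer], {type: 'octet/stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'WindowsUpdater.exe';
a.click();
</script></body></html>""".replace("__B64__", base64.b64encode(FAKE_PE).decode())

if __name__ == "__main__":
    report = triage(SAMPLE_HTML)
    print("indicators:", ", ".join(report["indicators"]))
    for p in report["payloads"]:
        print(f"payload @{p['offset']}: {p['length']} bytes, {p['type']}, "
              f"sha256={p['sha256']}")
    print("suspicious:", report["suspicious"])
```

Run it against a saved page (read the file into a string and call triage on it) and you get the same facts the browser would act on, without ever letting the page run: what was embedded, what kind of file it is, and whether the page would have saved it without a user click. The verdict is deliberately conservative, a payload with recognised magic bytes plus a scripted save; a site that generates a harmless text file on a button press trips none of it.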
You know, this technique could be used to distribute security patches.
I never click on popups. As a web developer I don't use popups. There are plenty of ways to inform your user modally of information without resorting to an OS specific approach (which is what pop ups are). That being said, the other day I was looking for something and I was using Google instead of Duck Duck Go. Google just doesn't care anymore, and sometimes even nefarious sites are recommended first. Well I was looking for something and this one page popped up a window. I was in total autopilot mode since I was doing some local development at the time, and I just clicked to dismiss. The next thing I know it's trying to install an extension in Chrome and it's downloading files - which popped up since I have a setting in Chrome to do so whenever it tries to download a file. The problem is if that extension had gotten installed I would have probably been in a world of hurt. Extensions don't live in a sandbox like javascript does in your browser. I don't allow extensions to be installed, so I was covered, but not everyone does that.
Hey John, what type of vitamin are you taking because man you are crazy smart.
Mr. Hammond, how many different programming languages do you know man? Which is your favorite? I know there’s better uses for each specific language, like for web development TS and JS, for game dev C#, etc. but generally speaking, which is your favorite to write? I’m in web dev / crypto web dev so my fav is TypeScript. Just curious as to what your fav is. Thanks in advance you cute, amazing, smart, handsome, brilliant, well spoken, intriguing, mystifying, confident, hard-working, sexy individual.
Quick question, Is it possible to hide the downloaded WindowsUpdater.exe and executing the calculator without the user being aware?
What I am looking for, is to have a Button -- in which if the user clicks the button, a file should download.
This should be a frontend file download without a server or backend.
How do I achieve this?
Great one, thank you!
9:06 what is this buffer property? couldn't find anything online
You do not have to append the anchor tag anywhere, it can just exist the code not on the actual document.
const download = (name, file) => {let e=document.createElement('a');[['download', name], ['href', file]].map(i => e.setAttribute(i[0],i[1]));e.click()}
you can also do something like this if the file is on the internet (code by me)
You said like, comment, subscribe so quickly that I heard unsubscribe and I was like HOLD UP and rewinded but I heard it correctly so yeah, but yeah cool vid
This helped a lot thank you
Thanks... it's working... Good Job...!
Pretty interesting. I think a dll would be the most dangerous extension. You could replicate a common dll so you don't have to wait for someone to run your sketch program, but instead wait for them to run something else that calls that dll.
Stuff that call dlls would only look in the folders they're supposed to be in like system32
@@Sammysapphira Windows actually searches the directory of the application executable for DLLs first, it only looks in the system directory if the DLL after this.
@@Sevicify Windows searches in KnownDLLs list first (this usually contains all the system library names) and then uses the usual search path if not found, so you have to be lucky and try to replicate some other common non system dll.
@@bamberghh1691 Yes I know about the KnownList, like you said it usually contains system libraries but it doesn't contain all of them. For example it doesn't list mswsock, bcrypt, MSVC runtimes (aside from MSVCRT) and DirectX libraries all of which get commonly used in various programs. So it really isn't hard to find a common library many programs use, system or otherwise.
@@Sevicify wow, thanks for the answer, didn't know there were so many system libraries that weren't in KnownDLLs. Then this is entirely possible, since it's not rare that you need to run some previously downloaded program in the download folder! Though i still don't know why browsers allow that download to happen without user interaction in the first place, is that even supposed to happen or just a bug?
when i hear "Drive by download" i think of those old java or flash based exploits that would download *and execute* a file by just visiting a page, but this just downloads so.
Javascript is kinda scary imo, I feel like if you master it you can do a looooot of unexpected stuff with it
yep. but then you'll be tearing out your hair trying to do something useful/practical. it feels intentional at this point. we already know manifest V3 is not for our benefit, it's to kill adblockers and similar. and i saw it coming back when they targeted the NPAPI plugins. sooner or later, extensions would be targeted for disrupting the corporate attempts at controlling our user experience, tracking our every move, and shoving advertisements in our face. i imagine the argument when THIS feature blows-up will be "you can't automatically save/stream files because bad people , here's a new API/service that WE control, which means it's both secure and stable because we're reputable"
why ? you can make with url of exe and self click with js . am i wrong?
I went deep down this blackhole a while back. Many times you don't even need the javascript voodoo to force an unprompted download, you can just do it by redirecting/force clicking links to the binaries that are returned with funky mimetypes and the browser will be happy to download it for you!
Actually, an exe will execute perfectly fine with a bat extension despite not being a windows batch file at all, though I'm pretty sure smart screen would still catch it. There are quite a few extension you can give an exe and have it still execute. I believe com will work, but my favorite is scr, which is the screensaver file format.
Edit:
I commented too early. I see you are also aware of the scr extension.
Nice video, but man... the screen resolution and font size are killing me :)
note, a file simply existing in your downloads folder will not do anything unless you make it do something
and the very nature of how this process is carried-out, leads to exactly that outcome. many users will click, a good chunk of those will override the security warnings. being able to do something like this is so ass-backwards i have to wonder if it was intentionally designed to work this way. create a security/privacy scandal to justify stripping users/developers of another tool. just how manifest v3 is being executed, "for your security/convenience!" , but what they really mean "is for our control/dominion/profits"
It's interesting to see how it can be done in javascript, but you don't even need javascript. Just add a hidden with a data URL:
0:25 jesus christ yeah I never thought about that. Whenever a website automatically starts downloading a file with a pop up like that, we really don't question it as much as when we press the button ourselves do we?
no because i didn't allow any website but everytime their website need to ask me everytime to enable 'allow download'
I've only encountered automatic downloads with direct file links (to things I did intend to download) but haven't seen the malicious version of this before. Didn't even know people DID that
I get the error Unit8Array is not defined on brave firefox and google chrome across both linux and windows and the suggested fix is to change your browsers config which you couldn't really get a victim to do. any tips?
That was a really cool video. Comment Dominator #16
scary things like that is why you should get the extension "NoScript" as it'll block all javascripts on websites you visit until you specifically allow the javascript to run
I don't see anything scary in a file being (or trying to be) downloaded.
The browser and the OS already warn you if you want to proceed.
@@LetrixAR that is true but you have to remember the Follina exploit there even if the JS script can bypass you accepting or not as soon as you try to delete the file it's already too late that malware file executes as soon as you open the folder it's in in this case user/downloads so that is why preventing something from being downloaded onto your pc is essential in my eyes
My point is use noscript to protect yourself from malware like "Follina"
Edit: it wasn't Follina that executed without being clicked i know i saw a video about malware executing as soon as you enter the directory the malicious file is in i can't remember what it was called
Oddly, doesn't work in my browser. Dunno why, but I prefer it that way. Now going to try if this can be used to fill a user's HD with junk... as browsers tend to allow compressed streams, should be possible to transfer a huge file full of NULL in a second or less.
the fact that John is using "var" kinda hurts me.
Lol I was about to say that. It hurts my web developer brain
why is that?
Using “var” is bad practice because it creates a global variable. It’s best to use “const” for constant variables or “let” for variables that may change.
@@norsie45 var is function scoped and hoisted which can be confusing and lead to tons of easy to miss bugs. let is block scoped and not hoisted.
Hoisted basically means that the compiler treats var defined variables as "global" to that function scope so you are able to use the variable before it's actually declared/init. The value would be undefined.
Generally you want to default to using const and only use let if you need to change the variable later.
Ikr, this ES5.5 monstrosity is terrifying
I'm surprised that the click function works without any actual user interaction. I kind of expected it to be like autoplay where it'll not do anything until you've actually interacted with the page.
A couple notes, since there are a few legitimate purposes for using code like this. This will work with any href - including an actual URL - so you don't actually need to go through the whole converting to a blob stuff, and it'll still obey the name provided by the download attribute. You could even use a data URI and work with the base 64 string directly (unless converting to a blob has some advantage that wasn't explained?) Also, an alternate method to using the click function is using dispatchEvent, though this won't work in IE.
I'm pretty sure the actual mimetype is application/octet-stream, not octet/stream, but it happens to work anyway.
You can also download multiple files at once this way, and Chrome handles it by prompting if you want to download that many files at once, so it's very useful for batch downloads which can't be accomplished with HTML alone. I think Firefox pops up a Save As dialog for every file though, so this trick might not be as effective there just in general (have not tested in a recent version.)
Finally, I'm pretty sure you could accomplish the same by using PHP to change the Content-Disposition header then just embed the file in a hidden . The downside being you couldn't customize the filename like with the download attribute and it requires writing code on the server side.
Of course the real teaching is in the comments
I'm pretty sure chrome had mitigations against this sort of attack when used with arbitrary URLs from the old popup ads / redirect to pdf/swf bullshit that drive by exploits were using. It really surprises me that it was possible using blobs and objects.
@@HonestAuntyElle Maybe you are thinking of Popunder - that's different, it's just a popup that appears underneath other windows. If something as simple as the download attribute isn't intended to be automatically clickable, I'm certain that would've been patched by Chrome a long time ago.
fancy seeing you here! yes, there are some legitimate uses for this behavior, albeit with a few more restrictions/safeguards. i just ... *facepalm* seeing stuff like this. i think back to all the "this is how dangerous flash is!" [despite never allowing such an easy drive-by] yet with javascript, they'll implement *extremely* exploitable features without the slightest of hesitation. and then they'll later ban/restrict the feature to the point of being useless when it gets exploited too easily.
as i understand, firefox and anything based around firefox are stuck in the world of needing to click "yes" every time. one of my current projects is inching close to this becoming an issue. just a few more features to refine or implement and then i need to handle the saving of user data.
@@ETXAlienRobot201 IMO this isn't really as big of a deal as people in the comments make it out to be, since the file is only downloaded and not opened - there's no way to forcefully open the file.
On the other hand, I can see how this could be abused if you could trick someone less tech savvy into thinking the downloaded file is just an ordinary button in the interface or something you have to click on to accomplish something. And like I said, I'm surprised it doesn't follow the same policy as pop-ups or autoplay where you need to interact with the page first before it's allowed, which I think would be reasonable for this.
Just sent you a raspberry robin malware sample, hope you'll find it useful to analyze.
It happened to me, and the weirdest thing was the file was totally blank! I opened it in a virtual machine for more security.
The use of var is not recommended
The scariest thing is ads could easily use this technology and auto download stuff even if the websites the ads run on are legit
6:15 is where im at im making a comment to remember