HTML Smuggling Protection
HTML Smuggling is a stealthy technique that attackers use to deliver malicious files to a victim’s device, by exploiting the browser’s native capabilities. Instead of downloading files directly from an external server, which can be blocked by traditional security tools, HTML Smuggling embeds the payload inside specially crafted HTML or JavaScript files. When the user opens such a file in their browser, the malicious content is reconstructed locally and saved to the disk, effectively bypassing perimeter defenses like firewalls, proxies, and Security Gateways. This method is particularly dangerous because it can evade detection and facilitate sophisticated attacks, including ransomware or remote access Trojans, without triggering immediate alerts. Check Point's solution proactively detects and prevents HTML Smuggling attacks before they occur.
Note - HTML Smuggling is not inherently malicious. Legitimate services like WhatsApp Web and Telegram Web use similar techniques for secure file sharing and messaging. These platforms use JavaScript in the browser to locally assemble and process files, allowing users to send and receive content without exposing the data to intermediate servers. For example, when a user drags and drops a file into a chat, the browser packages the data locally before securely transmitting it. While this approach improves privacy and performance, it shares technical similarities with attacker methods, making it challenging for traditional security systems to distinguish between legitimate and malicious use cases.
Activating HTML Smuggling Protection
HTML Smuggling Protection is automatically enabled when you enable both of these features:
- In-Browser Zero Phishing:
  - In the Custom Threat Prevention Policy, In-Browser Zero Phishing is enabled by default when you enable Zero Phishing.
  - In the Autonomous Threat Prevention Policy, go to Settings > Advanced Settings, click the + sign, and from the drop-down menu select In-Browser Zero Phishing. Click Apply.
- HTTPS Inspection on the Security Gateway. See HTTPS Inspection.
Note - There is no manual way to enable HTML Smuggling Protection if you do not enable these features.
Disabling the HTML Smuggling Protection
To disable HTML Smuggling Protection:
- Connect to the Security Gateway through SSH.
- Change to Expert mode.
- Run this command:
  zph att set html_smuggling_injection 0
- Verify that HTML Smuggling Protection is disabled: from a client device, navigate to https://zp-demo.com/HtmlSmuggling.html. If HTML Smuggling Protection is disabled, this test site is allowed.
HTML Smuggling Allow List
HTML Smuggling Protection includes a pre-configured allow list for trusted sites, such as WhatsApp Web and Telegram Web.
To add URLs to the pre-configured allow list:
- Connect to the Security Gateway through SSH.
- Change to Expert mode.
- Create a file in this location with this exact file name:
  vi $FWDIR/conf/html_smuggling_white_domains_local.txt
- Add the required URLs to the file.
- Save the file and exit the editor.
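As an added illustration, not part of this Check Point document or its product code, the following Python script combines the two ideas described above for offline triage of a captured page: it scores the HTML for the in-browser file-reconstruction indicators that characterise HTML Smuggling, and it first consults a domain allow list of the kind the local allow-list file is meant to hold, so that trusted services like the ones in the note are not flagged. The allow-list format (one domain per line, `#` comments), the indicator weights and threshold, and the sample domains and HTML are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Indicators of the mechanism described above: decode an embedded payload, wrap it in a
# Blob, attach it to a download link, click it. Weights and threshold are assumptions.
INDICATORS = {
    "decode":    (re.compile(r"\batob\s*\(|Uint8Array\.from\s*\("), 1),
    "blob":      (re.compile(r"\bnew\s+Blob\s*\("), 2),
    "objurl":    (re.compile(r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob"), 2),
    "download":  (re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"), 1),
    "autoclick": (re.compile(r"\.click\s*\(\s*\)"), 1),
}
THRESHOLD = 5  # reached only when decode, Blob and object URL co-occur

def load_allow_list(text):
    """Parse an allow list: one domain per line, '#' starts a comment (assumed format)."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            domains.add(line)
    return domains

def is_allowed(url, allow):
    """True if the URL's host is a listed domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in allow)

def score_html(html):
    """Return (score, [indicator names]) for the page body."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(html)]
    return sum(INDICATORS[n][1] for n in hits), hits

def verdict(url, html, allow):
    """'allow' for trusted domains, 'block' at or above THRESHOLD, else 'pass'."""
    if is_allowed(url, allow):
        return "allow"
    score, _ = score_html(html)
    return "block" if score >= THRESHOLD else "pass"

# Constructed samples (not real sites): a fragment that rebuilds a file in the
# browser, and an ordinary download link that must not be flagged.
SUSPICIOUS_HTML = """<script>
var blob = new Blob([atob(encoded)]);          // payload decoded locally
var a = document.createElement('a');
a.href = URL.createObjectURL(blob); a.download = 'report.doc'; a.click();
</script>"""
BENIGN_HTML = '<a href="/files/report.pdf" download="report.pdf">Download</a>'
ALLOW = load_allow_list("whatsapp.com\nweb.telegram.org  # constructed entries\n")
```

Calling `verdict(url, html, ALLOW)` on a captured page gives `allow` for a listed domain, `block` for the suspicious fragment on an unlisted host, and `pass` for the plain download link.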