INSTANT File Downloads with JavaScript

Comments
Author

fyi, there's a Chrome setting "Ask where to save each file before downloading" which will pop up a file dialog for each download before it actually gets saved out. I like it because I usually want to download to somewhere other than my downloads folder, but it also provides an additional click needed for when a random site tries a drive-by download

benjins
Author

I like how browsers need the user to interact to play audio but not download files

dongler
Author

Accidentally clicking a sketchy search result, then seeing something random automatically downloading is kinda scary.

The_Fancy_Duck
Author

Just wanna say that I appreciate how you zoom everything in to make things easier to see! A lot of videos miss that and turn watching the video into a big hassle, especially for people on mobile. Thank you!

navybIue
Author

The fact that you have such broad knowledge in this industry and remain so humble, while explaining these things to less experienced people like me is a skill in itself. Your uploads are the highlight of my day. Thank you

youhaveafriendinme
Author

basically, the browser should by design block intrusive downloads, by not allowing it to download without some sort of user interaction, but much like the fullscreen request and audio and video auto playing it can be bypassed by calling the click function on an anchor element

Shadownrun
Author

I found this fascinating. There have been times when I have asked acquaintances to test run executables I was working on (hobbyist, nothing malicious.) But e-mail servers don't like executable files as attachments. For a while, I could just change the extension and ask them to change it back. But then e-mail providers started detecting what might be disguised executables.

PvblivsAelivs
Author

You make everything look so easy! It's so satisfying to watch you fly around a screen doing all this stuff.

mossdem
Author

I love that you briefly showed Googling something, landing on MDN (frontend bible)!

I've been doing web development for 15+ years, and that's always my go-to move to learn something I don't understand!

kh_trendy
Author

This is insane. This is awesome. Definitely could see this in spear phishing / social engineering attempts.

JeffNoel
Author

I've noticed <embed> also downloads files automatically when it's a filetype you can't render in the browser. Never thought much about it, but it can be used for the same purpose I guess...

nero
Author

Thanks for the video. I really like how you incorporate the fast forward effect when looking for information.

list
Author

Quick tip: VSCode has a really good extension called Live Server. You won't need to deploy a separate py server anymore for simple tasks like serving static pages.

HT
Author

Thanks for sharing this knowledge. I've seen this in the wild but now I know how to identify them. Great stuff!

velho
Author

HTML Smuggling is a fun technique. We saw a bunch of XLL and DOCM encoded files when this first came out, but now we see container files like ISO since it does not propagate Mark of the Web ADS.

auto
Author

Awesome video! I've been working on setting up auto download for PDF files for a client on the web. Nothing payload-wise, but I am always trying to expand my JavaScript knowledge.

angryanubisart
Author

wow, i just learned more in 21 minutes than the last year i poked around in notepad++. finally a youtuber with some substance! awesome.

zaubermaus
Author

I'm pretty sure I've heard of something similar being done with hover-over triggers. Of course, it's not perfectly drive-by, but regular in its maliciousness that you can simply bring your cursor _over_ an ad and it automatically fires a redirect or download event. I was sort-of expecting that to be in the discussion here, but the anchor functionality is also pretty nifty.
(also, doesn't matter because Jscript, but missing semi-colons on lines 15 and 32)

Bulldogg
Author

Love these videos. Thank you John for teaching all of us how it's done. :)

jacobebrock
Author

Very excited for this one, always wondered that lol

robertwouda