Friday, February 12, 2016

MHTML: x-usc - A feature from the past


What is MHTML?


For those who have never saved a complete web page in Internet Explorer, MHTML, or its file extension .mht, is most likely unknown. MHTML stands for MIME Encapsulation of Aggregate HTML Documents. Wikipedia describes it as a "web page archive format used to combine in a single document the HTML code and its companion resources that are otherwise represented by external links (such as images, Flash animations, Java applets, and audio files)".
It caused some trouble in the past, but I am not talking about those problems here.


mhtml: handler - Internet Explorer


The mhtml: handler can be used to reference a specific file inside a .mht file. It is used like this:

<img src="mhtml:http://example.com/file.mht!/image/image.jpg">

But it can do more than this. The interesting feature is how external links are implemented inside .mht files: they use the x-usc: directive. This directive always works, no matter which file or web page is addressed, and also in the context of HTML pages. All you need is to specify the mhtml: handler.
Copy and paste the following URL into the address bar of Internet Explorer:

mhtml:http://google.com/whatever!x-usc:http://bing.com

Look closely at the requests IE sends. It fetches google.com as well as bing.com, and bing.com is the page that is then displayed. This can be chained even further:

mhtml:http://google.com/blubb!x-usc:mhtml:http://bing.com/dolphin!x-usc:http://example.com

Side note: Edge does not recognize mhtml: when it is copied and pasted into the address bar. But when you change the location via JavaScript to an mhtml: URI, it works the same as in IE.

Of course, this feature can also be used in img tags, iframe, embed, etc. Any redirects on any of the chained web sites will be followed as well.
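For URL filtering or log review, the consequence of the chaining described above is that the host right after mhtml: is not the one that ends up displayed. The following is an added example, not code from the original post: it unwraps the nested form shown above and checks every URL in the chain against an allowlist. The function names, the depth limit and the case-insensitive matching are assumptions.

```javascript
// Added example: unwrap nested mhtml:<url>!x-usc:<url> URIs (names are hypothetical).
const MARKER = '!x-usc:';

// Returns every URL the chain references, in order, plus the innermost target.
function unwrapMhtml(uri, maxDepth = 16) {
  const fetched = [];
  let rest = uri.trim();
  for (let depth = 0; depth < maxDepth; depth++) {
    if (!/^mhtml:/i.test(rest)) {
      // Plain URL: this is the end of the chain, the document that is displayed.
      fetched.push(rest);
      return { fetched, displayed: rest };
    }
    const body = rest.slice('mhtml:'.length);
    // Assumption: the marker is matched case-insensitively.
    const idx = body.toLowerCase().indexOf(MARKER);
    if (idx === -1) {
      // mhtml: without x-usc: only the archive is fetched; "!part" is a locator inside it.
      const bang = body.indexOf('!');
      fetched.push(bang === -1 ? body : body.slice(0, bang));
      return { fetched, displayed: rest };
    }
    fetched.push(body.slice(0, idx));        // outer URL, requested first
    rest = body.slice(idx + MARKER.length);  // inner URI, may itself be mhtml:
  }
  throw new Error('too many nested mhtml: layers');
}

// Host names of every URL in the chain.
function hostsOf(uri) {
  return unwrapMhtml(uri).fetched.map((u) => new URL(u).hostname);
}

// A filter has to approve every hop, not only the first host it sees.
function allowed(uri, allowlist) {
  try {
    return hostsOf(uri).every((h) => allowlist.includes(h));
  } catch (e) {
    return false; // unparsable or over-nested input is rejected
  }
}

// The chained URI from the post, reused as sample input.
const sample = 'mhtml:http://google.com/blubb!x-usc:mhtml:http://bing.com/dolphin!x-usc:http://example.com';
console.log(hostsOf(sample), allowed(sample, ['google.com']));
```

Redirects on any hop are followed by the browser, as noted above, so a static check like this one only covers the hosts visible in the URI itself.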

Have fun playing with this feature. I have not discovered any important vulnerability so far :/