Friday, April 17, 2015

The email that's watching you

Today's post contributed by Anthony Piron and Bart Leppens

Cross-Site Scripting (XSS) is probably the most common security vulnerability in web applications. Nevertheless, the impact of XSS is still seriously underestimated by many people, even at major companies. The CVE scores given to Cross-Site Scripting issues are low on average. But an adversary doesn't care about scores if a Cross-Site Scripting vulnerability gets him what he is after.

The impact of Cross-Site Scripting in webmail applications does not differ from that in regular web applications. However, mail infrastructure is a prime target for a Cross-Site Scripting (XSS) attack.

We released a paper that explains why Cross-Site Scripting in webmail applications is a serious issue. The paper is called "The email that is watching you" (https://bmantra.github.io/publications/the-email-that-is-watching-you.pdf).

For some of the attacks described in this paper we have created modules in BeEF. The following video demonstrates exploitation of IBM iNotes with BeEF using CVE-2014-0913 as described in our paper:



We hope that our paper and this video prove that Cross-Site Scripting is not merely an anecdotal issue, but a real-world attack vector with serious consequences.

-------------------------------------------
Anthony Piron

Anthony has been an ICT professional for far too long: 15 years. He has worked, among other roles, as a developer, dev ops engineer, monitoring engineer, network specialist, project leader, and division manager. He has witnessed numerous foreseeable security fiascos. In his free time, he likes reading about and experimenting in the domains of computer science, hacking, security and mathematics.

Bart Leppens

Bart is an IT professional with over 10 years of experience with a strong focus on security. During his free time he spends a fair amount of time on (application) security. He likes contributing to the BeEF project and attending security conferences. Bart is not afraid of assembly code.
