Friday, April 17, 2015

The email that's watching you

Today's post contributed by Anthony Piron and Bart Leppens

Cross-site Scripting (XSS) is probably the most common security vulnerability in web applications. Nevertheless, the impact of XSS is still seriously underestimated by many people, including major companies. The CVSS scores assigned to Cross-Site Scripting issues are low on average. But an adversary doesn't care about scores if a Cross-site Scripting vulnerability will make his dreams come true.

The impact of Cross-site Scripting in webmail applications does not differ from that in regular web applications. However, mail infrastructure is a prime target for a Cross-Site Scripting (XSS) attack: the mailbox holds the victim's correspondence and is the place where password resets and other sensitive messages land.

We released a paper that explains why Cross-Site Scripting in webmail applications is a serious issue. The paper is called "The email that is watching you" (

For some of the attacks described in this paper we have created modules in BeEF. The following video demonstrates exploitation of IBM iNotes with BeEF using CVE-2014-0913 as described in our paper:

We hope that our paper and this video prove that Cross-Site Scripting is not merely an anecdotal issue, but a real-world attack vector with serious consequences.

Anthony Piron

Anthony has been an ICT professional for far too long: 15 years. He has worked non-exhaustively as a developer, dev ops, monitoring engineer, network specialist, project leader, and division manager. He has witnessed numerous foreseeable security fiascos. In his free time, he likes reading about and experimenting in the domains of computer science, hacking, security and mathematics.

Bart Leppens

Bart is an IT professional with over 10 years of experience with a strong focus on security. During his free time he spends a fair amount of time on (application) security. He likes contributing to the BeEF project and attending security conferences. Bart is not afraid of assembly code.
