Friday, April 17, 2015

The email that's watching you

Today's post contributed by Anthony Piron and Bart Leppens

Cross-site Scripting (XSS) is probably the most common security vulnerability in web applications. Nevertheless, the impact of XSS is still seriously underestimated by many people and even major companies. The CVE-scores given for Cross-Site Scripting issues are low on average. But an adversary doesn't care about scores if Cross-site Scripting vulnerabilities will make his dreams come true.

The impact of Cross-site Scripting in webmail applications does not differ from those in regular web applications. However, mail infrastructure is a top-notch target for a Cross-Site Scripting (XSS) attack.

We released a paper that explains why Cross-Site Scripting in webmail applications is a serious issue. The paper is called "The email that is watching you" (

For some of the attacks described in this paper we have created modules in BeEF. The following video demonstrates exploitation of IBM iNotes with BeEF using CVE-2014-0913 as described in our paper:

We hope that our paper and this video prove that Cross-Site Scripting is not merely an anecdotal thing, but a real-world attack vector with serious consequences.
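As an added, defender-side example that is not part of the original post or the paper: a minimal allowlist sanitizer of the kind a webmail client has to apply to an HTML mail body before rendering it in the user's session. The allowlist policy, the constructed sample message and the example.invalid URLs are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist policy for rendering an HTML mail body inside a webmail page (assumed).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "div", "span", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math"}
VOID_TAGS = {"br", "img"}

class MailSanitizer(HTMLParser):
    """Rebuild the mail body keeping only allowlisted tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            self.skip_depth += tag in DROP_WITH_CONTENT
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers and non-allowlisted attributes are dropped
            if name in ("href", "src"):
                scheme_probe = "".join(value.split()).lower()  # defeat "java\nscript:" spacing tricks
                if not scheme_probe.startswith(SAFE_SCHEMES):
                    continue
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= tag in DROP_WITH_CONTENT
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped, never emitted raw

def sanitize_mail_html(body):
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

# Constructed sample: a benign message carrying three classic injected payloads.
MAIL_BODY = ('<p>Hi, see the <a href="https://example.invalid/report">report</a>.</p>'
             '<img src="https://example.invalid/logo.png" onerror="alert(1)">'
             '<script>alert(1)</script><a href="java\nscript:alert(1)">click</a>')
```

Running `sanitize_mail_html(MAIL_BODY)` keeps the paragraph, link and image but strips the event handler, the script element and the `javascript:` link target.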

Anthony Piron

Anthony has been an ICT professional for far too long: 15 years. He has worked non-exhaustively as a developer, dev ops, monitoring engineer, network specialist, project leader, and division manager. He has witnessed numerous foreseeable security fiascos. In his free time, he likes reading about and experimenting in the domains of computer science, hacking, security and mathematics.

Bart Leppens

Bart is an IT professional with over 10 years of experience with a strong focus on security. During his free time he spends a fair amount of time on (application) security. He likes contributing to the BeEF project and attending security conferences. Bart is not afraid of assembly code.

