Friday, April 17, 2015

The email that's watching you

Today's post contributed by Anthony Piron and Bart Leppens

Cross-site Scripting (XSS) is probably the most common security vulnerability in web applications. Nevertheless, the impact of XSS is still seriously underestimated by many people and even major companies. The CVE-scores given for Cross-Site Scripting issues are low on average. But an adversary doesn't care about scores if Cross-site Scripting vulnerabilities will make his dreams come true.

The impact of Cross-site Scripting in webmail applications does not differ from those in regular web applications. However, mail infrastructure is a top-notch target for a Cross-Site Scripting (XSS) attack.

We released a paper that explains why Cross-Site Scripting in webmail applications is a serious issue. The paper is called "The email that is watching you" (https://bmantra.github.io/publications/the-email-that-is-watching-you.pdf)

For some of the attacks described in this paper we have created modules in BeEF. The following video demonstrates exploitation of IBM iNotes with BeEF using CVE-2014-0913 as described in our paper:



We hope that our paper and this video prove that Cross-Site Scripting is not merely an anecdotical thing, but a real-world attack vector with serious consequences.

-------------------------------------------
Anthony Piron

Anthony has been an ICT professional for far too long: 15 years. He has worked non-exhaustively as a developer, dev ops, monitoring engineer, network specialist, project leader, and division manager. He has witnessed numerous foreseeable security fiascos. In his free time, he likes reading about and experimenting in the domains of computer science, hacking, security and mathematics.

Bart Leppens

Bart is an IT professional with over 10 years of experience with a strong focus on security. During his free time he spends a fair amount of time on (application) security. He likes contributing to the BeEF project and attending security conferences. Bart is not afraid of assembly code.