
WWW-E-MAIL INTERFACES

Since the methods discussed in this article have long been known to experienced users, and the vulnerabilities that once guaranteed a break-in everywhere have been closed, it is aimed primarily at introducing beginners to the principles of how web mail works (and to its security flaws).

Let's consider in general terms the principle by which a mailbox is hacked through the WWW. We have the server www.po4ta.ru and we need to get into the mailbox user@po4ta.ru. We register the account test@po4ta.ru on the same server and, first of all, go into the settings of our newly created box. The option of most interest to us is "Change Password", where we are asked to enter a new password, confirm it and submit the data.

Change Password
Enter the new password:
Retype the new password:


The code for such an HTML page might look like this:

Here change_pass.php is the server script that receives the values pass1 and pass2 (the password and its confirmation) and username (the contents of a hidden field that says whose mailbox password is being changed).
If the form is submitted as a GET request, the following line is sent:
http://po4ta.ru/change_pass.php?username=test&pass1=NEW_PASSWORD&pass2=NEW_PASSWORD

Now paste this link into the address bar of the current browser window and send the data to the server. As a result we get a notice that the password for the box test@po4ta.ru has been successfully changed. What if we try to forge the value of the username variable and change the password of the box we are interested in? We send:
http://po4ta.ru/change_pass.php?username=user&pass1=NEW_PASSWORD&pass2=NEW_PASSWORD
The server will most likely respond with a message like "You have requested a resource that requires authentication" or similar. This means that change_pass.php, which processes the request, has determined that the cookies written to our disk at the start of the mail session belong to the user test@po4ta.ru and not to user@po4ta.ru. Besides cookies, the user can be identified by IP address or by a special ID-key, which is described later.

So the request has to be sent by the user himself, from the user@po4ta.ru box. To "force" the user to do this, you can send him a message containing JavaScript code which, when the letter is opened, automatically sends the data to the server with his IP and his cookies. Examples of such code:

Or by the POST method:

All variables are set in hidden fields, and as soon as the user moves the mouse cursor over the body of our letter, the onMouseOver event handler submits the form. The password change can be disguised completely by improving the code:



MESSAGE TEXT


A table of size 1000x1000 extends the area covered by the onMouseOver handler, and the target attribute of the form tag loads the result of the request into the zero-sized frame zeroFrame, so the process is now completely hidden from the user's eye.


This is probably how the first mail servers with a WWW interface worked. Today it is no longer possible to break into a mailbox this way. Firstly, on most servers the password change now asks for the old password along with the new one; this works because the attacker, unlike the server, does not know the old password, so a request assembled inside a letter cannot supply it. Secondly, it is hard to find a mail server that allows JavaScript to run in letters and attached files.

Mail filters

These are programs on the server that process incoming messages, cutting out or altering any code in them that is potentially dangerous. So, for example, after filtering the word script may look like Xscript or scripX, and the whole program found inside the script container will then not be interpreted by the browser as we planned. Filtering can be bypassed either by finding documented ways of embedding our code that the developers of the mail system did not take into account, or by hiding it, that is, by presenting the code in a modified form the filter does not recognize.
Let's consider other ways of executing the request given in the previous example.


The result of the settings change is loaded into an invisible frame. An effective method, but on most mail services it is already closed.



Instead of the address of a picture, the address of the settings page that changes the password is loaded. It does not work if the user has disabled images in his browser. It works on most servers. But on some, for example www.rambler.ru, the URL is loaded through a special redirect application: redirect/http://po4ta.ru/change_pass.php?username=user&pass1=NEW_PASSWORD&pass2=NEW_PASSWORD




The specified URL is loaded after X seconds (a timed refresh). At the moment this tag works on www.hotbox.ru.

Other vulnerabilities

Exploring the mailbox settings on various mail servers, besides the password change without confirmation, one can find many more fundamental flaws that make it possible to take over someone else's box, read or delete messages, and so on. Let's return to our mail on www.po4ta.ru. We open the "Forwarding" option. We are asked to enter one or several addresses to which letters will be forwarded.



When we enter the forwarding address test1@po4ta.ru in the emails field and confirm the change of settings by clicking the "Save" button, a page with a new form is loaded:



For the changes to take effect, a confirmation code must be entered, which is sent in a message to test1@po4ta.ru. Thus we can obtain all the incoming correspondence of the user we are interested in by sending him two HTML letters one after the other: the first sets up the forwarding, the second confirms it with the code, which we know because it was sent to our address. This scheme of "listening in" on someone else's mailbox is somewhat cumbersome, but many mail services that do not require a password to set up forwarding still remain.

The next significant gap in the security policy of mail services is changing the secret question and answer when this operation is not protected by a password prompt. We can cut the user off from his mailbox by changing this data with the methods already described, and then use the password reminder service to set our own password.

More than that: in some mail systems the user's account is deleted by simply pressing a button. A typical example is www.yandex.ru. A password is requested to delete the mailbox, but no password is required to delete the associated service, the site *.narod.ru. It is trivial to delete the "victim's" site from his mailbox by executing the request http://narod.yandex.ru/registration/unlogin.xhtml?DeleteLogin=%C4%E0 (the value %C4%E0 is the word "Да", "Yes", in Windows-1251), which can be hidden in an IMG tag.

Unauthorized modification of other settings, although it carries a much lower risk, may indirectly help in capturing the mailbox:
Edit personal information (name, etc.)
Edit contact information
Install filter
Clear the XXXX folder
Send email as user
Install POP3 Collector

ID-KEY

At the beginning of the article we mentioned that in some cases a symbolic identifier is used; while working with the mail it can be seen in the address bar of the browser:



Introducing such a system prevents us from executing the standard request, since the ID is generated at each new login to the mailbox and destroyed when the session is finished with the "Exit" button. However, if the session ends incorrectly, the identifier can be reused.
This is easy to verify by copying the address to the clipboard, closing the window and pasting it into the address bar of a new window: we are back in our box. Now, if the ID-key is not bound to an IP address (another kind of protection), it is just as possible to get into another user's box; for this it is enough to intercept the location field by putting tags into our message that send a request to an HTML sniffer which, in turn, logs the HTTP_REFERER variable to a special file. The simplest way, as usual, is to specify the sniffer's address in place of a supposed picture:



Log file - http://zero.h12.ru/stat/base.txt
A few more sniffer addresses are available on this site. Writing a script that records which address a request came from is a five-minute job in itself; it is much harder to find hosting for it. An example of such a script in PHP:



Next, consider the situation where someone else's ID is useless to us because it is bound to the user's IP address. Let's return to the scheme in which the user himself, from his own IP, changes the box settings by opening our letter. Suppose there is an option Block all incoming mail and we would like to enable it on someone's box.



The identifier is transmitted in the hidden field "id", so now, in order to change the settings, we need to obtain it in real time and substitute it. The first thing that comes to mind is JavaScript. It has a special location object that contains the URL of the current document. To extract our identifier from the location field we use the substr() function.



substr() does not work directly on location, so we append the character # to it (which turns it into a string), assign the result to one variable, and then put the result of the computation into another variable from which the ID-key is cut out. Arguments of substr(): x is the position from the start of the string, x1 is the number of characters taken from x. In the line http://www.newpochta.ru/session?id=a349f8d7be67c90af8873fc7ad803cf5&folder=inbox the identifier begins at the 36th character and is 32 characters long; since JavaScript string positions are counted from zero, the call is substr(35, 32).

Another way of getting the ID is again to use a script on your own host. We write in the file:




ONCE AGAIN ABOUT FILTERS

If on web interfaces with cookie authentication we sent standard requests to change settings and could manage with simple HTML tags, then when working with ID-keys there is a direct need to put JavaScript code into the mail, and the developers of mail servers close this possibility with the filters discussed above. Now let's talk about ways to bypass these filters. We use some not quite usual methods that programmers often overlook:



In effect, the JS here "hides" in the values of tag attributes that work with URLs and is generated dynamically when the specified address is loaded.

Sometimes the filter can be fooled by hiding the malicious HTML from it a little; for example, on www.mail.ru a JS event handler can be placed inside any tag. In its normal form the string



But if you remove the space between the attribute value and the handler, the filter lets such a construction through:



The drawback of this method is that to some extent it is tied to a particular browser, because browsers sometimes interpret HTML code differently.
The next important point is how to send the letter. If you attach an HTML file, the message will remain intact inside the attachment, but the needed parameters will not be displayed in the body of the message. Therefore it is advisable to send the letter in HTML format. This is supported by some WWW interfaces and by POP3 mail programs. In the message list no attached-file icon appears next to such a message.

CONCLUSIONS

So, having set the goal of penetrating someone else's mailbox, first of all you need to examine the system for vulnerabilities. Sometimes programmers make significant errors when writing scripts. Almost every service has a function for recovering forgotten passwords. Usually on the first page you enter a login, on the second the answer to a secret question, and on the third, if the answer is correct, you change the password. For example, suppose the system we are interested in has a serious security hole, namely: we answered the secret question correctly, a new page with a password-change form was generated, but when we looked at the HTML of this page we found that the user is identified only by the variable in the field "username", so by substituting another username we change the password of someone else's box. Or this variant: in response to a correct answer an identifier is issued similar to the one used during the mail session. Perhaps, having obtained the current ID-key and substituted it into the hidden fields, the server will accept the new settings. I think it is pointless to count on such oversights, because this is watched strictly and similar errors are not repeated. Therefore we will look for vulnerabilities in the very principle of how the service is organized.

If you look closely at the web mail on www.newmail.ru (nm.ru, pochta.ru, orc.ru, nightmail.ru, hotmail.ru), such shortcomings can be found there. Let's turn again to the password recovery option. You are asked to answer the secret question, and if the answer is correct, the password is sent to the e-mail address specified in the settings. And although the answer and the e-mail address are on different pages inside the mail, it seems possible to change both, all the more so since the filter does not even cut out JavaScript. In addition, when the password is recovered one more form is displayed, in which you need to enter as much data as possible (it is all in the box settings) and send it to the administrator. How to set any data in advance for the right user is already known.

Naturally, in most mail systems everything is blocked, but loopholes always exist. And if there is great interest or need to penetrate a user's box, then by gathering more information about it and developing a kind of "strategic" scheme from the methods presented in this article, we can achieve good results.
Here are real examples. An attacker wants to get the password for a certain service the "victim" uses (not necessarily a mail service, for example hosting). He reliably knows that the forgotten password is sent to user@pisem.net. He sends a message to this box with HTML tags:





After the account is deleted, he registers a new one with the same name and obtains the password for it.

The possibility of getting into an account on mail.ru in a similar way, for the same purpose, has also been preserved. The security settings are turned off with a single message:



After that, at each subsequent login the user is given an ID-key and the IP address is not taken into account, so, as already discussed, if you intercept it with a sniffer it is not hard to get inside and read the necessary letter.

In conclusion, I will note once more that the information presented here has long been known to more or less literate users, and in my opinion all the described approaches to hacking a mailbox through HTML even today bring more results than brute force or social engineering. You only need to find a weak spot and a way to use it.