WWW-based email

Since the methods discussed in this article are well known to experienced users, and the vulnerabilities that once guaranteed success have been closed almost everywhere, the article is aimed mainly at beginners, as an introduction to how web mail works (and to its shortcomings from a security standpoint).

Let us consider the principle by which a mailbox is hacked through the WWW. We have the server www.po4ta.ru and need to get into the mailbox of the user account there. Having registered our own account, test, on this server, the first thing we do is go into the settings of our newly created mailbox. Of greatest interest to us is the "Change Password" option, where we are asked to enter a new password, confirm it and submit the data.

Change Password
Enter the new password:
Re-enter:


The HTML code of this page could look like this:

Here change_pass.php is the server-side script that receives the values pass1, pass2 (password confirmation) and username (the contents of a hidden field that tells the script which mailbox the password change applies to).
If the form is submitted with a GET request, the following line is produced:
http://po4ta.ru/change_pass.php?username=test&pass1=НОВЫЙ_ПАРОЛЬ&pass2=НОВЫЙ_ПАРОЛЬ

Now paste this link into the address bar of the current browser window and the data is sent to the server. The result is a notice that the password of our test mailbox was changed successfully. But what if we forge the username variable and try to change the password of the mailbox we are interested in? We request:
http://po4ta.ru/change_pass.php?username=user&pass1=new_password&pass2=new_password
The server will most likely answer with something like "You have requested a resource that requires authorization" or similar. This means that change_pass.php, which handles the request, has determined that the cookies written to our disk at the start of the mail session belong to the test user, not to user. Besides cookies, a user can also be authenticated by IP address or by a special ID key, which is discussed later.

So the request has to be sent by the user himself, from the user mailbox. To "make" the user do this, one can send him a message containing JavaScript code that automatically submits the data to the server with his IP and his cookies. Examples of such code:

Or via POST:

All the variables are set in hidden fields, and when the user moves the mouse cursor over the body of our letter, the onMouseOver event handler submits the data. The password change can be hidden completely by modifying the code:



MESSAGE TEXT


A 1000x1000 table extends the area covered by the onMouseOver handler, and the target attribute of the form tag loads the result of the request into the zero-size frame zeroFrame, so the whole process is now hidden from the user's eyes.


This is roughly how the first mail servers with a WWW interface worked. Today, breaking into a mailbox ("soap" in slang) this way is no longer feasible. First, on most servers today changing a password requires entering the old password along with the new one. Second, it is hard to find a mail server that allows JavaScript in a letter, even sent as an attached file, to execute.
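As an added example (not code from the original article), here is a small Python model of the change_pass.php logic described above: the cookie-only handler beside a hardened one that requires POST, the old password and a token issued to the session. The session store, cookie values and passwords are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory state for the demonstration; a real service would
# store password hashes, not the passwords themselves.
PASSWORDS = {"test": "test-pass", "user": "user-pass"}
# session cookie value -> (username, per-session CSRF token); constructed
SESSIONS = {
    "cookie-of-test": ("test", secrets.token_hex(16)),
    "cookie-of-user": ("user", secrets.token_hex(16)),
}


def change_pass_weak(cookie, params):
    """Handler in the style the article describes: it only checks that the
    session cookie belongs to the 'username' named in the request, so any
    request the browser sends with its own cookie (GET or POST, triggered
    from any page or letter) is honoured."""
    session = SESSIONS.get(cookie)
    if session is None or session[0] != params.get("username"):
        return "unauthorized"
    if params.get("pass1") != params.get("pass2"):
        return "mismatch"
    PASSWORDS[session[0]] = params["pass1"]
    return "changed"


def change_pass_hardened(cookie, method, params):
    """Hardened handler: POST only, account taken from the session rather
    than from a request field, and both the old password and a token that
    only a page served inside the session can know are required."""
    if method != "POST":
        return "method not allowed"
    session = SESSIONS.get(cookie)
    if session is None:
        return "unauthorized"
    username, token = session
    # Constant-time comparison; a request carrying no token, or a token not
    # issued to this session (e.g. from a forged form), is rejected here.
    if not hmac.compare_digest(params.get("csrf", ""), token):
        return "bad csrf token"
    if params.get("old_pass") != PASSWORDS[username]:
        return "wrong old password"
    if params.get("pass1") != params.get("pass2"):
        return "mismatch"
    PASSWORDS[username] = params["pass1"]
    return "changed"
```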

mail filters

These are programs residing on the server that process incoming letters, cutting out or altering code in them that is potentially dangerous. For example, after filtering, the word script may look like Xscript or scripX. Everything inside such a script container will then not be interpreted by the browser the way we planned. To bypass the filters, one either finds ways of executing our code that the mail service developers did not take into account, or hides it, i.e. writes the code in an altered form that the filter does not recognize.
Let us consider other ways to send the request from the previous example.


The result of the settings change is loaded into an invisible frame. An effective method, but already blocked on most mail services.



Instead of an image address, the password change URL is loaded. This does not work if the user has disabled images in the browser settings. It works regularly on most servers. On some, however, for example www.rambler.ru, the URL is loaded through a special redirect application, so the link becomes something like redirect/http://po4ta.ru/change_pass.php?username=user&pass1=new_password&pass2=new_password




The URL is loaded after X seconds. This tag currently works on www.hotbox.ru.

Other vulnerabilities

Exploring the mailbox settings of various mail servers, besides password change without confirmation, one can find many other fundamental flaws that can be used to take over someone else's mailbox, read or delete messages, and so on. Let us return to our mail at www.po4ta.ru. There is a "Forwarding" option. We are asked to enter one or more addresses to which incoming letters will be sent.



When we enter our forwarding address (the test mailbox) in the field and confirm the settings change by pressing the "Save" button, a page with a new form loads:



For the change to take effect, one must enter the confirmation code that is sent in a message to the forwarding address. Thus we can receive all incoming correspondence of the user we are interested in, if we send him two HTML letters in turn: the first contains the forwarding settings form, the second a form with the confirmation code, which we know. Such a scheme for "eavesdropping" on someone else's mailbox is somewhat cumbersome, but there are many mail services that do not ask for a password at all when setting up forwarding.

Another significant gap in the security policy of mail services is changing the answer to the secret question, if this operation is not protected by password confirmation. We can cut the user off from his mailbox by changing this data with the methods already known to us, and then use the password reminder to set our own password.

Moreover, on some mail services a user account is deleted with a single press of a button. A typical example is www.yandex.ru. Deleting the mailbox requires a password, but deleting the paired service, a site at *.narod.ru, does not. The "victim's" site can simply be deleted from his mailbox with the request http://narod.yandex.ru/registration/unlogin.xhtml?DeleteLogin=%C4%E0, which can be hidden in an IMG tag.

Unauthorized changes to other settings pose a much smaller risk, but may indirectly help in capturing the mailbox:
Change your personal information (name and so on)
Change contact information
Set filter
Clear XXXX folder
Submit a letter on behalf of the user
Set up a POP3 collector

ID-KEY

At the beginning of the article we mentioned that in some cases a string identifier is used when working with mail; it can be seen in the browser:



Such a system no longer lets us send a standard request, since the ID is generated anew at every login to the mailbox and destroyed when the session is ended with the "Exit" button. However, if the session is not ended properly, the identifier can be reused.
This is easy to verify: copy the address to the clipboard, close the window and paste it into the address bar of a new window, and we are back in our mailbox. Now, if the ID key is not bound to the IP address (another kind of protection), one can get into a user's mailbox the same way; it is enough to capture the location field by inserting into our message tags that send a request to an HTML sniffer, which in turn logs the HTTP_REFERER variable to a file. The simplest way, as usual, is to give the sniffer's address as the address of a supposed picture:



log file - http://zero.h12.ru/stat/base.txt
A few sniffer addresses are available on the site. Ideally, one writes a script that records the address a request comes from; that takes five minutes, whereas finding a hosting service to host it is much harder. An example of such a script in PHP:



Now consider the situation where someone else's ID is useless to us because it is bound to the user's IP address. Let us go back to the scheme in which the user himself, from his own IP, changes the mailbox settings by opening our letter. Suppose there is an option "Block all incoming mail" and we want to turn it on in someone else's mailbox.



The identifier is passed in a hidden field "id", so now, to change the settings, one has to obtain the real one at the right moment and substitute it. The first thing that comes to mind is JavaScript. It has a special object, location, which contains the URL of the current document. To extract the ID from location, use the substr() function.



substr() does not work directly on location, so we append the # symbol to it, assign the result to one variable, and then put the result of the computation, i.e. the extracted ID key, into another variable. The arguments of substr() are: x, the starting position in the source string, and x1, the number of characters taken from x. In the string http://www.newpochta.ru/session?id=a349f8d7be67c90af8873fc7ad803cf5&folder=inbox the identifier begins at the 36th position and is 32 characters long, so the call takes the form substr(36, 32);
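As an added example (not from the article), a Python check for the server side of the ID-key scheme discussed above: it reads the 32-character id out of the URL format given in the text by parsing the query string instead of the fixed substr() offset, and flags ids presented from more than one client IP, which is the IP binding the text mentions as protection against reuse. The access-log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines for the article's fictional webmail. The third
# line reuses the first session's id from a different client address.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2005:10:00:00] "GET /session?id=a349f8d7be67c90af8873fc7ad803cf5&folder=inbox HTTP/1.0" 200',
    '10.0.0.5 - - [01/Jan/2005:10:01:00] "GET /session?id=a349f8d7be67c90af8873fc7ad803cf5&folder=sent HTTP/1.0" 200',
    '198.51.100.7 - - [01/Jan/2005:10:07:00] "GET /session?id=a349f8d7be67c90af8873fc7ad803cf5&folder=inbox HTTP/1.0" 200',
    '10.0.0.9 - - [01/Jan/2005:10:08:00] "GET /session?id=0123456789abcdef0123456789abcdef&folder=inbox HTTP/1.0" 200',
]
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')


def session_id_from_url(url):
    """Read the id query parameter by parsing the URL. The article's
    substr(36, 32) slice only works while the host name and parameter
    order never change; parsing does not have that weakness."""
    values = parse_qs(urlsplit(url).query).get("id", [])
    if values and re.fullmatch(r"[0-9a-f]{32}", values[0]):
        return values[0]
    return None


def find_session_reuse(lines):
    """Flag every session id that is presented from more than one client IP,
    the check a server makes when it binds the ID key to the login address.
    Returns (session_id, owner_ip, other_ip) tuples, one per offending line."""
    owner = {}
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        sid = session_id_from_url(m.group("path"))
        if sid is None:
            continue
        first_ip = owner.setdefault(sid, m.group("ip"))
        if first_ip != m.group("ip"):
            findings.append((sid, first_ip, m.group("ip")))
    return findings
```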

Another way to obtain the ID is again to use a script on our own host. Into the letter we send, we insert:




ONCE AGAIN ABOUT FILTERS

With a web interface using cookie identification, the requests we send to change the standard settings can use simple HTML tags, but when an ID key is used there is a direct need to put JavaScript code into the letter, and mail server developers close this possibility with the filters mentioned above. Now let us talk about how to get past these filters. We use not entirely familiar methods that programmers often overlook:



Here the JS is effectively "hidden" in the values of attributes of tags that work with URLs, and is generated dynamically when the given address is loaded.

Sometimes the filter can be tricked by slightly hiding the malicious HTML from the system; for example, on www.mail.ru a JS event handler can be inserted inside any tag. In normal form the line



But if the space between the attribute value and the handler is removed, the filter lets such a construction through:



The drawback of this method is that it is to some extent tied to a specific browser, since browsers sometimes interpret HTML code differently.
The next important point is the form in which the letter is sent. If an HTML file is attached, the message stays intact in the attachments, but the desired form may not be displayed in the message body. It is therefore advisable to send in HTML format. This is supported by some WWW interfaces as well as by POP3 mail programs. In the recipient's message list such a letter will also not carry an attachment icon.

SUMMING UP

So, aiming to get into someone else's mailbox, we must first examine the system for vulnerabilities. Sometimes programmers make significant errors when writing scripts. Almost every service has a forgotten-password function. Usually the login is entered on the first page, the answer to the secret question on the second, and on the third, if the answer is correct, the password is changed. For example, a system we were interested in had a serious gap in its security: having answered the secret question correctly, we got a new page with a password change form, and when looking at the HTML of that page we found that the user was identified only by the "username" field variable; that is, by substituting another user name we could change the password of another mailbox. Or a variation: in exchange for the right answer an ID is issued similar to the one used during a mail session. Possibly, by getting a real ID key and substituting it into the hidden fields, the server will accept the new settings. Relying on such omissions, I think, is absurd, because they are strictly watched for so that such errors are not repeated. Therefore we will look for vulnerabilities in the very principle of how the service is organized.

Looking at the web mail at www.newmail.ru (nm.ru, pochta.ru, orc.ru, nightmail.ru, hotmail.ru), it once had such shortcomings. Let us turn again to the password recovery option. One is asked to answer the security question, and if the answer is correct, the password is sent to the configured e-mail. And although the answer and the e-mail are on different pages inside the mail settings, both can be changed, all the more so because the filter there did not even cut JavaScript. In addition, during password recovery another form is shown in which some further data must be entered (the same as in the mailbox settings) and sent. How to set any data for the right user in advance is already known.

Naturally, most mail services have blocked all this, but loopholes almost always exist. And if getting into a user's mailbox is of great interest or necessity to us, then by gathering as much information about it as possible and working out a kind of "strategic" scheme from the methods presented in this article, good results can be achieved.
Here is a real-life example. The attacker wants to get the password for some service the "victim" uses (not necessarily e-mail, for example hosting). It is reliably known that a forgotten password will be sent to a certain mailbox. He sends a message to that mailbox with the HTML tags:





After the account is deleted, he registers a new one with the same name and receives the password at it.

The ability to get into an account on mail.ru in the same way has been retained. A single message resets the security settings:



Now at every login the user gets an ID key, and the IP address is not taken into account, so, as already discussed, if it is intercepted with a sniffer, the desired letter can easily be read as well.

In conclusion, I will note once more that the information here has long been known to more or less literate users, and that the whole approach of cracking a mailbox through HTML, in my opinion, still yields more results today than brute force or social engineering. One just has to find a weak spot and a way to use it.