
WWW E-MAIL INTERFACE

The methods discussed in this article have long been known to experienced users, and the vulnerabilities that once allowed a guaranteed break-in have been fixed almost everywhere, so the article is aimed primarily at introducing beginners to the principles of web mail (and its security flaws).

Let us look at the principle by which a mailbox is broken into through the WWW interface. We have the server www.po4ta.ru and we want to get into the mailbox user@po4ta.ru. We register an account test@po4ta.ru on the same server, and the first thing we do is go to the settings of our newly created mailbox. Of greatest interest to us is the "Change Password" option, where we are asked to enter a new password, confirm it, and submit the data.

Change Password
Enter the new password:
Repeat entry:


The code for such an HTML page might look like this:

Here, change_pass.php is the server script that receives the values pass1 and pass2 (the password and its confirmation) and username (the contents of a hidden field that indicates which mailbox's password is being changed).
If we compose the corresponding GET request, we get the following line:
http://po4ta.ru/change_pass.php?username=test&pass1=NEWPASSWORD&pass2=NEWPASSWORD

Now we paste this link into the address bar of the current browser window and send the data to the server. As a result we receive a notice that the password of the test@po4ta.ru mailbox has been changed successfully. But what if we try to forge the value of the username variable and change the password of the mailbox we are interested in? We send:
http://po4ta.ru/change_pass.php?username=user&pass1=NEW_PASSWORD&pass2=NEW_PASSWORD
The server will most likely answer with something like "You have tried to access a resource that requires authorization". This means that change_pass.php, which processes the requests, has determined that the cookies written to our disk at the start of the mail session belong to the user test@po4ta.ru and not to user@po4ta.ru. Besides cookies, a user can be identified by IP address or by a special ID key, which is discussed later.

So the request has to be sent by the user himself, from the mailbox user@po4ta.ru. To "make" the user do this, one can send him a message containing JavaScript code which, when the message is opened, automatically submits the data to the server together with his cookies and from his IP. Examples of such code:

Or by the POST method:

We put all variables in hidden fields, and when the user moves the mouse cursor over the body of our message, the onMouseOver event handler submits the form. The process of changing the password can be hidden completely by modifying the code:



MESSAGE TEXT


A 1000x1000 table extends the area covered by the onMouseOver handler, and the target attribute of the form tag loads the result of the request into the zero-size frame zeroFrame, so the whole process is hidden from the user's eyes.


This is probably how the major mail servers worked when they had their first WWW interfaces. Today a mailbox cannot be broken into this way. First, on most servers today, when changing the password you are asked to enter the old password along with the new one. Second, it is hard to find a mail server that allows JavaScript to execute in messages or in attached files.

Mail filters

These are programs located on the server that process incoming messages and cut out or alter code that contains a potential danger. So, for example, after filtering the word script may look like Xscript or scripX. The whole program inside the script container will then not be interpreted by the browser as we planned. Filter protection can be bypassed either by finding documented ways of embedding our code that the mailer developers did not take into account, or by disguising it, that is, sending the code in a modified form that the filter does not recognize.
Let us consider other ways to execute the request from the previous example.


The result of the settings change is loaded into an invisible frame. An effective method, but it is already blocked on most mail services.



Instead of the image address, the settings URL with the password change is loaded. It will not work if the user has disabled images in his browser. It works correctly on most servers. But on some, for example www.rambler.ru, the URL is loaded through a special redirect script: redirect/http://po4ta.ru/change_pass.php?username=user&pass1=NEW_PASSWORD&pass2=NEW_PASSWORD




The specified URL is loaded after X seconds. This tag currently works on www.hotbox.ru.

Other vulnerabilities

Examining the mailbox settings on various mail servers, besides the password change without confirmation, one can find many more fundamental flaws that make it possible to take over someone else's mailbox, read or delete messages, and so on. Let us return to our mail at www.po4ta.ru. We open the "Forwarding" option. We are asked to enter one or more addresses to which letters will be forwarded.



When we specify the forwarding address test1@po4ta.ru in the emails field and confirm the settings change by clicking the "Save" button, a page with a new form loads:



For the changes to take effect, a confirmation code must be entered; it is sent by a message to test1@po4ta.ru. Thus we can receive all incoming correspondence of the user we are interested in if we send him two HTML letters one after the other, one of which contains the forwarding settings form and the other the confirmation with the code known to us. This scheme for "listening in" on someone else's mailbox is somewhat cumbersome, but many versions of mailers that do not require a password to set up forwarding remain in use.

The next significant gap in the security policy of mail services is changing the secret question and answer when this operation is not protected by password confirmation. We can cut the user off from his mailbox by changing this data with the methods already known to us and then setting our own password through the password reminder service.

Even worse, in some mailers a user account is deleted with a single click of a button. A typical example is www.yandex.ru. A password is requested to delete the mailbox, but no password is required to delete the associated service, the *.narod.ru site. The "victim's" site can be deleted trivially through his mailbox by executing the request http://narod.yandex.ru/registration/unlogin.xhtml?DeleteLogin=%C4%E0, which can be hidden in an IMG tag.

Unauthorized changes to other settings, although they pose a considerably lower risk, can indirectly contribute to taking over a mailbox:
Change personal information (name, etc.)
Change contact information
Set filter
Empty XXXX folder
Send email as user
Install POP3 Collector

ID KEY

At the beginning of the article we mentioned that in some cases a symbolic identifier is used; when working with mail it can be seen in the browser's address bar:



The introduction of such a system no longer lets us send a standard request, since the ID is generated at each new login to the mailbox and destroyed at the end of the session by pressing the "Exit" button. However, if the session is ended incorrectly, it becomes possible to reuse the identifier.
This is easy to verify: copy the address to the clipboard, close the window and paste it into the address bar of a new window, and we are back in our mailbox. Now, if the IP address (another type of protection) is not bound to the ID key, it is similarly possible to enter another user's mailbox; for this it is enough to intercept the location field by embedding in our message tags that send a request to an HTML sniffer, which in turn logs the HTTP_REFERER variable to a special file. The simplest way, as usual, is to specify the sniffer address instead of the intended image:



Log file: http://zero.h12.ru/stat/base.txt
There are a few more sniffer addresses on this site. Writing a script that records which address a request came from takes five minutes; it is much harder to find hosting for it. An example of such a script in PHP:



Next let us consider the situation where someone else's ID is useless to us because the user's IP address is bound to it. Let us return to the scheme in which the user himself, from his own IP, changes the mailbox settings by opening our letter. Suppose there is an option "Block all incoming mail" and we would like to enable it on someone else's mailbox.



The identifier is passed in the hidden field "id", so now, in order to change the settings, we also need to obtain it in real time. The first thing that comes to mind is JavaScript. It has a special location object which contains the URL of the current document. To extract our identifier from the location field we use the substr() function.



substr() does not work directly on location, so we append the # character to it, assign the result to one variable, and then put the result of the calculation into another variable, which then holds the cut-out ID key. Arguments of substr(): x is the position from the start of the string, x1 is the number of characters from x. In the line http://www.newpochta.ru/session?id=a349f8d7be67c90af8873fc7ad803cf5&folder=inbox the identifier starts at position 36 and is 32 characters long, so the arguments take the form substr(36, 32);

Another way to get the ID is to use the script on our host again. We write into the file to be sent:




ONCE AGAIN ABOUT FILTERS

While on web interfaces with cookie identification we could send standard settings-change requests using simple HTML tags, when working with ID keys there is a direct need to embed JavaScript code, and the mail server developers block this possibility with the filters discussed above. Now let us talk about how to get around these filters. Fairly well-known methods are used, which programmers often overlook:



In fact, JS is "hidden" here in the values of tag attributes that work with a URL and is generated dynamically when the specified address is loaded.

Sometimes a filter can be fooled by departing slightly from standard HTML; for example, on www.mail.ru it is possible to embed a JS event handler inside any tag. In its normal form the line



But if you remove the space between the attribute value and the handler, the filter lets such a construction through:



The drawback of this method is that to some extent it is tied to a particular browser, because browsers sometimes interpret HTML code differently.
The next important point is how to send the letter. If you attach an HTML file, the message stays intact in the attachment, but the needed parameters will not be rendered in the message body. Therefore it is advisable to send the message itself in HTML format. This is supported by some WWW interfaces as well as by POP3 mail programs. In that case no attached-file icon appears next to the message in the message list.

SUMMING UP

So, in order to get into someone else's mailbox, you first need to examine the system for vulnerabilities. Sometimes programmers make serious mistakes when writing scripts. Almost every service has a function for recovering forgotten passwords. Usually the login is entered on the first page, the answer to the secret question on the second, and on the third, if the answer is correct, the password is changed. Suppose the system we are interested in has a serious security flaw, namely: we answered the secret question correctly and a new page with the password change form was generated, but on examining the HTML of this page we found that the user is identified only by the variable in the "username" field, so by substituting another username we can change the password of someone else's mailbox. Or this variation: in exchange for a correct answer an identifier is issued, similar to the one used during a mail session. Perhaps, having obtained the current ID key and substituted it into the hidden fields, the server will accept the new settings. Hoping for such oversights, I think, is pointless, because this is watched closely and such errors are not repeated. Therefore we will look for vulnerabilities in the very principle on which the service is organized.

If you look closely at the web mail at www.newmail.ru (nm.ru, pochta.ru, orc.ru, nightmail.ru, hotmail.ru), there are such shortcomings. Let us turn again to the password recovery option. You are asked to answer the secret question, and if the answer is correct, the password is sent to the e-mail address specified in the settings. And although the answer and the e-mail address are on different pages inside the mail interface, it seems possible to change them too, the more so since the filter does not even cut out JavaScript. On top of everything, when recovering the password, another form is shown where you have to enter as much data as possible (the same data as in the mailbox settings) and send it to the server. How to set any data in advance for the right user is already known.

Naturally, in most mailers everything is blocked, but there are always loopholes. And if there is great interest or need for us to get into a user's mailbox, then having gathered more information about it and having put together a kind of "strategic" plan from the methods presented in this article, good results can be achieved.
Here are real examples. An attacker wants to obtain the password for a certain service that the "victim" uses (not necessarily e-mail; hosting, for instance). Moreover, he knows for certain that the forgotten password is sent to user@pisem.net. He sends a message with HTML tags to that mailbox:





After the account is deleted, he registers a new one with the same name and receives the password at it.

The possibility of getting into an account on mail.ru in the same way remains. In one message we reset the security settings



Now, on each subsequent login, the user is given an ID key, and the IP address is not taken into account, so, as already discussed, if you intercept it with a sniffer, it is easy to get inside and read the letter you need.

In conclusion, I note once again that the information presented here has long been known to more or less literate users, and the approach to breaking into a mailbox through HTML is nothing new, but in my opinion it still brings more results today than brute force or social engineering. You just need to find a weak spot and a way to use it.