
WWW E-MAIL INTERFACE

The methods considered in this article have long been known to experienced users, and the vulnerabilities that allowed a mailbox to be taken over with absolute certainty have been eliminated everywhere, so the article is aimed primarily at introducing beginners to the principles of how web mail works and to its security flaws.

Let us look at the principle on which a mailbox is broken into through the WWW interface. Suppose there is a server www.po4ta.ru and we need to get into the mailbox user@po4ta.ru . We register an account test@po4ta.ru on the same server and, first of all, go into the settings of our newly created mailbox. Of greatest interest to us is the "Change Password" option, where we are asked to enter a new password, confirm it and submit the data.

Change Password
Enter new password:
Repeat input:


The code for such an HTML page might look like this:

Here change_pass.php is a server-side script that accepts the values of pass1 and pass2 (the password and its confirmation) and username (the contents of a hidden field that indicates which mailbox the password is being changed for).
If we form the corresponding GET request, we get the following line:
http://po4ta.ru/change_pass.php?username=test&pass1=NEW_PASSWORD&pass2=NEW_PASSWORD

Now we paste this link into the address bar of the current browser window and send the data to the server. As a result we get a notice that the password for the mailbox test@po4ta.ru has been changed successfully. What if we try to forge the value of the username variable and change the password of the mailbox we are interested in? We send:
http://po4ta.ru/change_pass.php?username=user&pass1=NEW_PASSWORD&pass2=NEW_PASSWORD
The server will most likely answer with a message like "You are trying to access a resource that requires authorization". This means that change_pass.php , which processes the requests, has determined that the cookies written to our disk at the start of the mail session belong to the user test@po4ta.ru and not to user@po4ta.ru . Besides cookies, the user may be identified by IP address or by a special ID key, which is discussed later.

So the user has to send the request himself, from the mailbox user@po4ta.ru . The user can be "forced" to do this by sending him a message with JavaScript code which, when executed, automatically sends the data to the server with his IP and cookies. Examples of such code:

Or using the POST method:

All variables are placed in hidden fields, and when the user moves the mouse over the body of our letter the onMouseOver event handler submits the data. The process of changing the password can be hidden completely by improving the code:



MESSAGE TEXT


The 1000x1000 table widens the area covered by the onMouseOver handler, and the target attribute of the form tag loads the result of the request into the zeroFrame frame, so the process is now completely hidden from the user's eye.


Probably this is how the major mail servers worked with their first WWW interfaces. Today it is impossible to break into a mailbox this way. First, most servers now ask for the old password along with the new one when changing a password. Second, it is hard to find a mail server that allows JavaScript to run in letters or in attached files.

Mail Filters

These are programs located on the server that process incoming letters and cut out or modify code in them that poses a potential danger. For example, the script tag might be filtered into Xscript or scriptX. In that case the whole program inside the script container will not be interpreted by the browser as we planned. Filters can be bypassed either by looking for documented ways of embedding code that the mailer developers did not take into account, or by hiding it, that is, by sending the code in a modified form the filter does not recognize.
Let us consider other ways to run the request from the previous example.


The result of the setting change is loaded into an invisible frame. An effective method, but it is already closed on most mail services.



Instead of the address of a picture, the address of the password-changing setting is loaded. This will not work if the user has disabled graphics in his browser, but it functions on most servers. On some, for example www.rambler.ru , the URL is loaded through a special redirect application: redirect/http://po4ta.ru/change_pass.php?username=user&pass1=NEW_PASSWORD&pass2=NEW_PASSWORD




The specified URL is loaded after X seconds have elapsed. This tag currently works on www.hotbox.ru

Other vulnerabilities

Investigating the mailbox settings of various mail servers, in addition to changing the password without confirmation, one can find many more fundamental flaws that can be used to take over someone else's mailbox, read or delete messages, etc. Let us return to our mail on www.po4ta.ru . We open the "Forwarding" option. We are asked to enter one or several addresses to which letters will be forwarded.



When we specify the forwarding address test1@po4ta.ru in the emails field and confirm the change of settings by clicking the "Save" button, a page with a new form loads:



For the changes to take effect, a confirmation code must be entered, which is sent in a message to test1@po4ta.ru . Thus we can obtain all incoming correspondence of the user we are interested in if we send him two HTML letters in turn, the first containing a form with the forwarding settings and the second the confirmation with the code known to us. Such a scheme for "listening in" on someone else's mailbox is somewhat cumbersome, but there are still quite a few mailers that do not ask for a password when forwarding is set up.

The next significant gap in the security policy of mail services is changing the secret question and answer when this operation is not protected by a password. We can cut the user off from his mailbox by changing this data with the methods already known to us, and then use the password reminder service to set our own password.

In some mailers the user account is deleted with a single click of a button. A typical example is www.yandex.ru . A password is requested to delete the mailbox, but no password is required to delete the associated service, the *.narod.ru site. The "victim's" site can be deleted trivially through his mailbox by running the request http://narod.yandex.ru/registration/unlogin.xhtml?DeleteLogin=%C4%E0 , which can be hidden in an IMG tag.

Unauthorized changes to other settings, although they pose a significantly lower risk, may indirectly help in seizing the mailbox:
Change personal information (name etc.)
Change contact information
Set a filter
Clear the XXXX folder
Send email as the user
Set up POP3 collection
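The password-change flow at the start of this article and the forwarding and secret-question changes listed in this section fail for the same reasons: the request is a plain GET that anything in a letter can trigger, the acting account is taken from a form field rather than from the session, and the current password is not asked for. The Python sketch below is an added example written for this page, not code from the article or from any of the mail services it names; it shows a handler with those checks plus a per-session anti-CSRF token. The user table, session table and function names are hypothetical, and the passwords and addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory state standing in for the mail server's user table and
# session table. Names are hypothetical; this is not the code of any real webmail.
USERS = {}      # username -> {"salt", "hash", "forward_to"}
SESSIONS = {}   # session cookie value -> {"user", "csrf"}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt), "forward_to": None}


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])


def login(username: str) -> str:
    """Start a session. The anti-CSRF token lives server-side, next to the identity."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return cookie


def change_sensitive_setting(method: str, cookie: str, form: dict) -> tuple:
    """Password or forwarding change. Returns (status, message) like an HTTP reply."""
    # 1. State changes only over POST: a GET fired by <img src>, an invisible frame
    #    or <meta refresh> is refused before anything else is looked at.
    if method != "POST":
        return 405, "method not allowed"
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "authorization required"
    # 2. The acting account comes from the session, never from a 'username' field
    #    in the submitted form. A forged field is simply ignored.
    username = session["user"]
    # 3. Per-session anti-CSRF token, compared in constant time. A hidden form
    #    auto-submitted from a letter has no way to know this value.
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return 403, "invalid request token"
    # 4. Re-authentication: the current password is required for any sensitive
    #    change, which is the fix the article itself observes mail servers adopting.
    if not verify_password(username, form.get("old_password", "")):
        return 403, "current password incorrect"
    action = form.get("action")
    if action == "change_password":
        new = form.get("pass1", "")
        if not new or new != form.get("pass2"):
            return 400, "passwords do not match"
        USERS[username]["salt"] = secrets.token_bytes(16)
        USERS[username]["hash"] = _hash(new, USERS[username]["salt"])
        return 200, "password changed"
    if action == "set_forwarding":
        USERS[username]["forward_to"] = form.get("emails")
        return 200, "forwarding saved"
    return 400, "unknown action"


def demo() -> dict:
    """Replay the article's requests against the hardened handler."""
    register("user", "OldPassword1")
    register("test", "TestPassword1")
    cookie = login("test")              # the attacker's own session
    csrf = SESSIONS[cookie]["csrf"]
    forged = {"username": "user", "pass1": "X", "pass2": "X"}
    out = {}
    # The GET link from the address bar with a forged username.
    out["forged_get"] = change_sensitive_setting("GET", cookie, forged)
    # A hidden form submitted by onMouseOver: POST, cookie present, but no token.
    out["post_no_token"] = change_sensitive_setting(
        "POST", cookie, dict(forged, action="change_password", old_password="TestPassword1"))
    # Forwarding change with a valid token but without the current password.
    out["forward_no_reauth"] = change_sensitive_setting(
        "POST", cookie, {"action": "set_forwarding", "csrf": csrf, "emails": "test1@po4ta.ru"})
    # A legitimate change by the logged-in user; the forged 'username' is ignored.
    out["legit"] = change_sensitive_setting(
        "POST", cookie, dict(forged, action="change_password", csrf=csrf,
                             old_password="TestPassword1", pass1="Fresh2", pass2="Fresh2"))
    out["victim_untouched"] = verify_password("user", "OldPassword1")
    out["own_changed"] = verify_password("test", "Fresh2")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and the requests replayed from the article come back 405 and 403, while only the logged-in account's own password changes. The token defeats the passive carriers (hidden forms, images, frames, meta refresh); script executing inside the mailbox origin could read the token as well, which is why the token and the mail filter belong together rather than either one alone.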

ID KEY

At the start of the article we mentioned that in some cases a symbolic identifier is used when working with mail; it can be seen in the browser's address bar:



The introduction of such a system does not let us perform the standard request, because the ID is generated at each new login to the mailbox and is destroyed after the session is ended by pressing the "Exit" button. However, if the session is terminated incorrectly, the identifier can be reused.
This is easy to check: copy the address to the clipboard, close the window and paste it into the address bar of a new window, and we are back in our mailbox. Now, if the ID key is not bound to the IP address (another kind of protection), it is likewise possible to get into another user's mailbox; it is enough to intercept the location field by embedding tags in our message that send a request to an HTML sniffer, which in turn logs the HTTP_REFERER variable to a special file. The simplest way, as usual, is to specify the sniffer's address instead of the intended image:



Log file: http://zero.h12.ru/stat/base.txt
There are a few more sniffer addresses on this site. Actually, writing a script that records the address from which a request came is a five-minute job; it is much harder to find hosting for it. An example of such a script in PHP:



Next, consider the situation where someone else's ID is useless to us because the user's IP address is bound to it. Let us return to the scheme in which the user himself, from his own IP, changes the mailbox settings by opening our letter. Suppose there is an option "Block all incoming mail" and we would like to enable it on someone's mailbox.



The identifier is passed in a hidden "id" field, so now, in order to change the settings, it has to be obtained in real time. The first thing that comes to mind is JavaScript. It has a special location object that contains the URL of the active document. To get our identifier from the location field we use the substr() function.



substr() does not work directly with location, so we append the # symbol to it, assign the result to one variable and then place the result of the computation in another variable, which then holds the cut-out ID key. The arguments of substr() are x, the position from the start of the string, and x1, the number of characters taken starting from x. In the line http://www.newpochta.ru/session?id=a349f8d7be67c90af8873fc7ad803cf5&folder=inbox the identifier starts at the 36th position and is 32 characters long, so the arguments take the form substr(36, 32);
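The weaknesses this section describes are an ID that keeps working after the window is closed, an ID exposed to any external host through HTTP_REFERER because it sits in the URL, and an ID with no binding to the client. As an added example for this page (not code from the article or from any of the mailers it names), the Python session store below keeps the identifier in an HttpOnly cookie instead of the URL, expires it on idle, destroys it on Exit, optionally binds it to the client IP, and adds a small review check for generated links. All class and function names are hypothetical; the URL fed to the check is the one quoted in the text.

```python
import re
import secrets
import time
from urllib.parse import parse_qs, urlsplit


class SessionStore:
    """Server-side session table. The browser holds only an opaque cookie value;
    the identifier never appears in a URL, so it cannot leak through HTTP_REFERER."""

    def __init__(self, idle_timeout: int = 900, bind_ip: bool = True, clock=time.time):
        self.idle_timeout = idle_timeout   # seconds of inactivity before the ID dies on its own
        self.bind_ip = bind_ip             # the IP binding the article mentions as an extra check
        self.clock = clock                 # injectable so tests can move time deterministically
        self._sessions = {}

    def create(self, user: str, client_ip: str) -> str:
        sid = secrets.token_urlsafe(32)    # fresh, unguessable ID at every login
        self._sessions[sid] = {"user": user, "ip": client_ip, "last_seen": self.clock()}
        return sid

    def validate(self, sid: str, client_ip: str):
        """Return the user for a live session, or None. An ID whose window was
        simply closed stops working once it has been idle longer than idle_timeout."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        if self.bind_ip and s["ip"] != client_ip:
            return None
        s["last_seen"] = now
        return s["user"]

    def destroy(self, sid: str) -> None:
        """The 'Exit' button: forget the ID server-side, so pasting the old address
        or cookie into a new window no longer restores the mailbox."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    # HttpOnly keeps page script away from the value; Secure keeps it off plain HTTP.
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


RESPONSE_HEADERS = {
    # Even if an ID did end up in a URL, tell browsers not to send it as a Referer.
    "Referrer-Policy": "no-referrer",
}

_ID_PARAMS = {"id", "sid", "session", "sessionid", "sess"}
_HEX_TOKEN = re.compile(r"^[0-9a-f]{32,}$", re.I)


def url_carries_session_id(url: str) -> bool:
    """Review check for links the application generates: a session-looking value in
    the query string is exposed to every external image host the page loads."""
    query = parse_qs(urlsplit(url).query)
    for name, values in query.items():
        if name.lower() in _ID_PARAMS:
            return True
        if any(_HEX_TOKEN.match(v) for v in values):
            return True
    return False


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("user", "10.0.0.1")
    print(session_cookie_header(sid))
    print(store.validate(sid, "10.0.0.1"), store.validate(sid, "10.0.0.2"))
    store.destroy(sid)
    print(store.validate(sid, "10.0.0.1"))
    print(url_carries_session_id(
        "http://www.newpochta.ru/session?id=a349f8d7be67c90af8873fc7ad803cf5&folder=inbox"))
```

IP binding is the extra check the article mentions, but it is optional here because users behind shared proxies or mobile networks change address mid-session; idle expiry and server-side destruction on logout do not have that drawback and close the reuse the text describes.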

Another way to get the ID is to use a script on our host again. We write in the sent file:




ONCE AGAIN ABOUT FILTERS

If with cookie-identified web interfaces we sent standard setting-change requests and could use simple HTML tags, then when working with ID keys there is a direct need to embed JavaScript code in the letter, but mail server developers block this possibility with the filters mentioned above. Now let us talk about how to bypass these filters. We use somewhat unusual methods that programmers often overlook:



In fact the JS is "hidden" here in the values of tag attributes that work with a URL, and it is generated dynamically when the specified address is loaded.

Sometimes the filter can be fooled by hiding the malicious HTML from it a little. For example, on www.mail.ru a JS event handler can be injected inside any tag. In normal form the string



But if the space between the attribute value and the handler is removed, the filter lets this construction through:



The drawback of this method is that to some extent it is tied to a specific browser, because browsers sometimes interpret HTML code differently.
The next important point is how to send the letter. If an HTML file is attached, the integrity of the message is preserved in the attachment, but the necessary parameters will not appear in the message body. Therefore it is advisable to send the letter in HTML format. This function is supported by some WWW interfaces and POP3 mail programs. In the message list, the attached-file icon then does not appear next to the message.
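The filters discussed here and in the earlier section on filters fail because they edit the raw string (turning script into Xscript, or looking for a handler only when a space precedes it). A sanitizer that parses the letter into tokens and rebuilds it from an allow list does not care how a tag name is spelled or whether a space separates two attributes. The Python sanitizer below is an added example written for this page, not code from the article or from www.mail.ru; its tag and attribute lists are a hypothetical policy, and the sample letters are constructed to mirror the patterns described in the text (a handler with no preceding space, a script block, a frame and a meta refresh, a javascript: link, and the 1000x1000 table).

```python
import re
from html import escape
from html.parser import HTMLParser

# Allow list: anything not named here is dropped, so a misspelled or obfuscated tag
# name never reaches the browser. img, iframe, form, meta, script and every on*
# handler are absent on purpose: they are exactly the carriers this article relies on.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "div", "span", "table", "tr", "td", "font"}
ALLOWED_ATTRS = {
    "a": {"href"},
    "font": {"color", "size"},
    "table": {"width", "border"},
    "td": {"width"},
}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}   # the tag and its text both disappear
SAFE_SCHEMES = {"http", "https", "mailto"}
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")


def safe_href(value: str) -> bool:
    """Absolute http(s)/mailto only. Control characters and whitespace are stripped
    before the scheme is read, so a scheme split by a tab is still recognised."""
    cleaned = "".join(ch for ch in (value or "") if ch.isprintable() and not ch.isspace()).lower()
    m = _SCHEME.match(cleaned)
    return bool(m) and m.group(1) in SAFE_SCHEMES


class LetterSanitizer(HTMLParser):
    """Rebuilds the letter from parsed tokens instead of editing the raw string,
    so whether or not a space precedes an attribute makes no difference."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0        # >0 while inside <script>/<style>
        self.dropped = []    # what was removed, for logging and alerting

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            self.dropped.append(f"tag:{tag}")
            return
        if self.skip:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}.{name}")   # catches every on* handler
                continue
            if name == "href" and not safe_href(value):
                self.dropped.append(f"href:{value}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize(html: str):
    """Return (clean_html, dropped_items)."""
    s = LetterSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped


# Constructed sample letters covering the patterns discussed in the article.
SAMPLES = {
    "event_without_space": '<a href="http://example.com"onmouseover="run()">news</a>',
    "script_block": "<p>hello</p><script>run()</script>",
    "frame_and_meta": '<iframe src="http://example.com/x"></iframe>'
                      '<meta http-equiv="refresh" content="5;url=http://example.com/x">',
    "js_scheme": '<a href="javascript:run()">click</a>',
    "big_table": '<table width="1000"><tr><td onmouseover="run()">MESSAGE TEXT</td></tr></table>',
}

if __name__ == "__main__":
    for name, letter in SAMPLES.items():
        clean, dropped = sanitize(letter)
        print(f"{name}: {clean!r}  dropped={dropped}")
```

The dropped list is worth keeping as a log: a burst of letters to one mailbox that all lose an event handler or a frame is a signal in itself, and the policy can be tightened from what it shows.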

SUMMING UP

So, having set out to get into someone else's mailbox, first of all you need to examine the system for vulnerabilities. Sometimes programmers make significant errors when writing scripts. Almost every service has a function for recovering forgotten passwords. Usually a login is entered on the first page, the answer to the secret question on the second, and on the third, if the answer is correct, the password is changed. Suppose there is a serious security hole in the system that interests us, namely: we answered the secret question correctly and a new page with a password-change form was generated, but on looking at the HTML of this page we found that the user is identified only by the "username" field, so that by substituting another username we can change the password of someone else's mailbox. Or this variation: in exchange for a correct answer an identifier is issued similar to the one used in a mail session. Perhaps, having received the current ID key and substituted it into the hidden fields, the server will accept the new settings. Hoping for such omissions is, I think, absurd, because it is strictly watched that such errors are not repeated. Therefore we will look for vulnerabilities in the very principle of how the service is organized.

If you look at the web mail on www.newmail.ru (nm.ru, pochta.ru, orc.ru, nightmail.ru, hotmail.ru) , such drawbacks do exist. Consider the password recovery option again. It is proposed to answer the secret question, and if the answer is correct the password is sent to the e-mail specified in the settings. Although the answer and the e-mail are on different pages inside the mail interface, it seems possible to change both, especially since the filter does not even cut out JavaScript. On top of everything, when a password is renewed another form is displayed into which more data must be entered (as it is in the mailbox settings) and sent to the server. How to pre-set any data for the desired user is already known.

Naturally, in most mailers everything is closed, but there is always a loophole. And if there is great interest or necessity to get into a user's mailbox, then having collected more information about him and having built a kind of "strategic" scheme out of the methods presented in this article, good results can be achieved.
Here are real examples. An attacker wants to get the password for a particular service the victim uses (not necessarily a mail service, for example a hosting service). At the same time he knows for certain that the forgotten password will be sent to user@pisem.net. He sends a message with HTML tags to this mailbox:





After the account is deleted, he registers a new one with the same mailbox name and obtains the password for it.

The possibility of getting into an account on mail.ru in the same way has also been preserved. In one message we reset the security settings



Now each time the user logs in an ID key is issued and the IP address is not taken into account, and, as already discussed, if it is intercepted with a sniffer it is easy to get inside and read the desired letter.

In conclusion, I note once again that the information presented here has long been known to more or less literate users, and yet the whole approach of cracking a mailbox through HTML, in my opinion, still yields more results today than brute force or social engineering. You just need to find a weak spot and a way to use it.