If you come across a WebMail system that supports HTML email (but no JavaScript), like GMail, Y! Mail, and Hotmail, then it's extremely helpful to know exactly how to send HTML email so you can test those anti-XSS filters. I don't recall seeing a how-to on the subject anywhere in the webappsec circles. Sending arbitrary HTML email, laced with filter-evading JavaScript, requires only a specially crafted text file and a Unix command line. Copy and paste the following into a plain text file (email.txt):
MIME-Version: 1.0
From: your.name
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: INSERT_SUBJECT

INSERT WHATEVER HTML/JAVASCRIPT CONTENT
.

The trailing dot is not a typo: it terminates the message, so make sure the file always ends with it. The blank line after the Subject header is also required; it separates the headers from the body. Second, leave the Content-Type, Content-Transfer-Encoding, and MIME-Version headers as they are. Beyond that, you are free to modify and insert your HTML/JavaScript injections wherever you'd like, including the email subject and the content body. You can also spoof the return email address and add arbitrary email headers using the same format. Once you have something you want to send, type this Unix command:

> sendmail -t email_recipient@domain.com < email.txt

The address after the -t flag is where you want to send the email (with -t, sendmail also picks up any recipients listed in To:, Cc:, and Bcc: headers inside the file), and the redirect feeds whatever you named your email text file into sendmail. That's it! Happy XSS hunting!
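The same message format, built and sanity-checked programmatically. This is an added example, not code from the original post: it assumes sendmail is at /usr/sbin/sendmail, uses a constructed, inert HTML marker as the test body, and only invokes sendmail when explicitly asked to. It also catches two ways a hand-edited email.txt silently breaks: a body line consisting of a lone "." (sendmail without -i treats it as end of message and drops the rest), and non-ASCII characters that contradict the declared 7bit/us-ascii headers.

```python
"""Build the raw HTML test message described above and hand it to sendmail.

Added example (not the post's own code). Assumptions: sendmail lives at
/usr/sbin/sendmail; the body below is a constructed, harmless marker the
tester looks for in the rendered webmail page. Nothing is sent unless the
caller passes --send.
"""
import subprocess
import sys
from typing import List

SENDMAIL = "/usr/sbin/sendmail"  # assumption: usual path on Linux/BSD


def build_message(sender: str, subject: str, html_body: str) -> str:
    """Return the text the post's email.txt must contain: the fixed MIME
    headers, a blank separator line, the HTML body, and the lone '.' that
    tells sendmail (reading stdin without -i) that the message has ended."""
    headers = [
        "MIME-Version: 1.0",
        f"From: {sender}",
        "Content-Type: text/html; charset=us-ascii",
        "Content-Transfer-Encoding: 7bit",
        f"Subject: {subject}",
    ]
    # The blank line is mandatory: it separates headers from the body.
    return "\n".join(headers) + "\n\n" + html_body.rstrip("\n") + "\n.\n"


def lint_body(html_body: str) -> List[str]:
    """Warnings for body lines that would not survive the trip intact.

    - A line that is exactly '.' ends the message early for sendmail without
      the -i flag, so everything after it is silently discarded.
    - Non-ASCII characters contradict 'charset=us-ascii' and '7bit' and may
      be mangled or rejected in transit."""
    warnings = []
    for lineno, line in enumerate(html_body.split("\n"), 1):
        if line == ".":
            warnings.append(f"line {lineno}: lone '.' terminates the message early")
        if not line.isascii():
            warnings.append(f"line {lineno}: non-ASCII text under a 7bit/us-ascii header")
    return warnings


def sendmail_argv(recipient: str) -> List[str]:
    """The command the post gives: sendmail -t <recipient>, message on stdin."""
    return [SENDMAIL, "-t", recipient]


def deliver(message: str, recipient: str) -> int:
    """Pipe the message into sendmail exactly as '< email.txt' would.
    Returns sendmail's exit status."""
    completed = subprocess.run(
        sendmail_argv(recipient), input=message.encode("ascii"), check=False
    )
    return completed.returncode


if __name__ == "__main__":
    # Constructed, inert marker: easy to spot (or notice missing) in the
    # rendered mail, and a stand-in for whatever test case you substitute.
    body = '<div id="filter-probe" style="color:red">filter probe 001</div>'
    msg = build_message("your.name@example.invalid", "filter probe 001", body)
    for warning in lint_body(body):
        print("warning:", warning, file=sys.stderr)
    print(msg, end="")
    if "--send" in sys.argv:
        sys.exit(deliver(msg, "email_recipient@example.invalid"))
```

Run it without arguments to see the exact bytes that would go into email.txt; add --send (and a recipient you control) to hand them to sendmail. If the lint step reports a lone-dot line you cannot avoid, pass -i to sendmail so dots are not treated as a terminator.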