Webmail Offensive and defensive Combat (3)

Web After the user completes the above steps correctly, the webmail system will let the user restore the password of their mailbox account. Password recovery methods are different, generally have the following several ways, the degree of security are different:

1, the page returns: Returns the page to display the user's mailbox password. So it is convenient, but if the attacker to get the password, you can not alarm users in the case of the use of the user's mailbox, allowing attackers long-term monitoring of user's mailbox use, to bring greater security risks to users.

2, send the message: the password sent to the user registration in another mailbox. For attackers, busy for a long time, still nothing, unless continue to attack another mailbox; For users, the password received in another mailbox is a warning that an attacker has guessed his mailbox password prompts a problem, forcing users to change their password prompts as soon as possible.

However, if the user registers the registration is not a correct mailbox, or the mailbox has expired, then, this is not only an attacker, is the user himself will never get the password. Some webmail systems require users to register the correct email address when registering, and send the authentication information of the mailbox to the email address, but this still cannot avoid the situation that the user cannot recover his or her mailbox password after the mailbox has expired.

3, Password reset: Let the user reset a password. This way, compared to the "page return" approach, after the attacker resets the password, the user can detect an attack because he or she is unable to log in to his or her mailbox properly, but the security is less secure than the "mail send" mode, because the attacker can change the password of the mailbox immediately.

The password returned by "page return" or "mail" shows that the e-mail system saves the password of the mailbox account directly in plaintext in the database or LDAP server, without encrypting it. This creates a great security risk, webmail system administrator or intrusion into the database attacker can easily access the user's mailbox password, the user is completely uninformed, so in order to increase confidentiality, it is necessary to encrypt the mailbox password and then stored in the database with ciphertext, preferably with irreversible one-way encryption algorithm, such as MD5.

Mailbox password recovery mechanism is safe, mainly to see what webmail system to ask what kind of questions, take what kind of question and answer method, for example, put forward in one step of multiple password recovery steps together, will correspondingly increase the difficulty of the attacker to improve security, like Sohu Mail, Sina Mail and Yahoo email are some disappointing examples.

Four, malignant HTML mail

E-Mail has two formats: Plain text (TXT) and hypertext (HTML). HTML messages are written in HTML, and when viewed via HTML-enabled mail clients or in a browser, fonts, colors, links, images, sounds, and so on, are impressive, and many spam ads are sent in HTML mail format.

With HTML mail, an attacker can spoof e-mail and even deceive a user into changing his or her own mailbox password. For example, an attacker can modify the various form elements of a page by parsing the webmail password. Design an HTML page that implicitly has the same form, assign a value to the new password form element in advance, and then send it to the user in an HTML message, tricking the user into saying that submitting a form or clicking on a link on the page can open a wonderful page , the user to do, in the open "wonderful Web page" at the same time, a modification of the Mailbox password form request has been sent to the webmail system, and all this, the user completely uninformed, until the next time can not log into their own mailbox.

To prevent this kind of HTML mail spoofing, when modifying a mailbox configuration, especially when modifying a mailbox password and prompting a problem, the webmail system is necessary to allow the user to enter an old password for confirmation, which can also effectively prevent the attacker who is loading the current webmail session (described below) from changing the mailbox password.

By embedding a malicious script in an HTML message, attackers can also do a lot of damage attacks, such as modify the registry, illegal operation of files, format the hard disk, exhaustion of system resources, modify the "Start" menu, etc., can even delete and send the user's mail, access the user's address book, modify the mailbox account password and so on. Malignant scripting is typically written in JavaScript or VBScript scripting languages, embedded in HTML language, and can be exploited by invoking ActiveX controls or combining WSH. Deeply modify the browser's malicious HTML page pain, the "Happy Time" mail virus bitter friends, this should not be unfamiliar. Here are two simple, malicious scripting programs:

1, open countless browser windows, until the CPU overload, not shutdown can not:

!--
while (true)
{
window.open ("uri");//If the URI is the current page itself, it is more destructive.
}
-->

2. Modify the Registration form: