Netease mailbox cross-site Vulnerability

Source: Internet
Author: User

Text and figures: Wordless

Lately I have been hooked on playing Return to Castle Wolfenstein with friends. I actually played this outstanding game a long time ago and still remember its scenes. Apart from the game, a friend texted me to say he had sent me some photos of himself in Nanjing and asked me to check my mailbox. So I put the game down and logged in. Let me say first that my mailbox is Netease's free mailbox, and I think Netease mail is fairly good. After logging in I looked at his photos from Nanjing and thought back to my own time there; how I was back then... sorry, I am digressing. Back to the mailbox: the photo my friend sent looked like a web page file. Does Netease mail parse scripts? I remember an article from years ago in which the author analysed the webmail systems of the time, such as QQ mail, Netease mail and Sina mail, and it seemed all of them had XSS vulnerabilities, because these web-based mail systems neglected security when parsing scripts and so left themselves open to cross-site attacks. Webmail parses scripts so that mail can look livelier and prettier, but security and features pull in opposite directions, and for a time this set off a "webmail war". Years have passed; does Netease still have an XSS vulnerability? Since I was about to re-explore the XSS vulnerabilities of Netease mail, and the game I had been playing was itself a return to the past, I will use the word "return" to describe this vulnerability-hunting journey.

I did not start by testing for XSS in the mail body. I had noticed that when a Netease mailbox is used as the activation mailbox for a forum, the activation link the forum sends arrives in the mail body as plain text, which suggests that Netease filters script code in the body as a rule. How strict that filter is I will not discuss here. If the body is not the test target, where should the XSS test string go? Look at the compose form of Netease mail in Figure 1: besides the body, a mail needs a recipient, a subject and attachments. The recipient is the delivery address; it has to be strict and cannot easily be tampered with. What about the subject? So I concentrated my testing on the subject.

The first test string was <iframe src=http://www.blackunion.cn></iframe> (the quotation marks around it are not part of the string). This is a simple XSS string: it opens the site http://www.blackunion.cn inside a frame. I selected a recipient and clicked send. The result is in Figure 2, and there is not much to add. The test string we entered was clearly executed: in the small rectangle on the right of the figure you can see the home page of my website. Figure 2 shows that our "return" succeeded, and that Netease mail does not properly filter external scripts in the subject, or perhaps does not filter them at all.

There is a detail to keep in mind when using this vulnerability. Since our script is placed in the subject, and Netease mail displays the subject in the inbox listing (Figure 3; the circled part is the subject), putting the string directly in the subject means the XSS string is visible as soon as the user opens the inbox, and anyone with a little knowledge will delete the mail. However, Netease mail limits the displayed length of the subject: when the subject is too long, the excess is cut off and replaced with an ellipsis. That is why in Figure 2 only the first part of my subject, "aaaaaaaaaaasssss", is visible. In other words, a long harmless prefix keeps the payload out of the listing, while the full subject is still rendered, and executed, when the mail is opened. What can this vulnerability be used for? I think everyone has more imagination than I do, so I will not elaborate. Netease has had this kind of problem for a long time, which is a pity, but I still hope it patches the vulnerability as soon as possible and lives up to the expectations of us loyal Netease mail users.
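As an added illustration (this code is not from the original post and is not Netease's code), here is a small JavaScript model of the two things the post describes: a subject field inserted into the page markup without escaping versus the same field HTML-escaped, and the inbox-listing truncation that hides a padded payload from the user. The function names, the 40-character listing width and the amount of padding are assumptions made for this example; the test string and the URL are the ones used above.

```javascript
// Added example, not code from the post or from Netease. Models a webmail
// front end that builds the inbox and message views from strings.

// The test string from the post, preceded by the kind of filler the post
// describes so that the listing's truncation hides the tag. The repeat count
// is an assumption for the example.
const PADDING = "aaaaaaaaaaasssss".repeat(4);
const PAYLOAD = "<iframe src=http://www.blackunion.cn></iframe>";
const SUBJECT = PADDING + PAYLOAD;

// Vulnerable path: the subject is concatenated straight into markup, the
// string equivalent of assigning it to innerHTML. The tag goes live.
function renderSubjectUnsafe(subject) {
  return `<span class="subject">${subject}</span>`;
}

// Hardened path: escape the five characters that can break out of a text node
// or attribute value before the subject reaches markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSubjectSafe(subject) {
  return `<span class="subject">${escapeHtml(subject)}</span>`;
}

// Inbox listing: display-only truncation, as the post observes. It hides the
// payload from the listing but does nothing to the stored subject.
function truncateForListing(subject, width = 40) {
  return subject.length > width ? subject.slice(0, width) + "..." : subject;
}

// Check used to tell the two rendering paths apart: is there an active tag
// in the produced markup? (The wrapping <span> is not in the list.)
function containsLiveTag(html) {
  return /<(iframe|script|img|svg|object|embed)\b/i.test(html);
}

// Reviewer-side check: a Subject value that contains anything resembling a
// tag opener (letter, comment or closing slash after "<") deserves a look.
// A bare "<" followed by a space or digit, as in "1 < 2", is not flagged.
function subjectLooksInjected(subject) {
  return /<\s*[a-z!\/]/i.test(subject);
}

// Walk the two paths for the padded subject and report what each view shows.
function demo(subject = SUBJECT) {
  return {
    listing: truncateForListing(subject),
    unsafeHasLiveTag: containsLiveTag(renderSubjectUnsafe(subject)),
    safeHasLiveTag: containsLiveTag(renderSubjectSafe(subject)),
    flagged: subjectLooksInjected(subject),
  };
}

console.log(demo());
```

The listing view shows only the filler and an ellipsis, so nothing looks wrong in the inbox; the unsafe message view carries a live iframe, while the escaped view shows the tag as inert text. The escaping belongs on every path that puts the subject into markup, including listing, message view, reply quoting and notifications, since the truncation that hides the payload in one view is purely cosmetic.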
