Shulou(Shulou.com)05/31 Report--

In this issue, Xiaobian will bring you about how to build XSS worms on Atmail. The article is rich in content and analyzes and narrates from a professional perspective. After reading this article, I hope you can gain something.

preface

Atmail is a popular cloud service and e-mail hosting provider, currently used by companies, hosting providers and ISPs such as DreamHost, LegalShield (USA), m:tel(Bosnia), iiNet and Optus (Australia). As an Atmail user on DreamHost, I've seen several e-mail based XSS attacks that have impressed me while I've been focusing on bug rewards projects. I tried to find a security hole in their webmail client, and within hours I had developed a working Payload, but I wanted to go further and build an old XSS worm. The best-known XSS worm was the one that infected MySpace in 2005, and the latest variant of the worm infected TweetDeck in 2014.

I'm going to show you how to build an XSS Payload that propagates itself through target user contacts.

test environment

Before we start, we need to set up a simple test environment. We can send an email with the following command, and then plant the XSS test Payload in the message content:

cat content | mail -a "Content-type: text/html" -s "test" victim1@zjulian.com

Next, use Firefox's developer tools to see how the XSS Payload is rendered in the DOM of the Web mail client.

Build XSS Payload

The first step is to build an XSS Payload that bypasses Atmail content filters. I started by sending an email with all valid HTML tags and then seeing if it delivered, although I only intended to use

Labels. But, uh,

Tags are great for building XSS payloads, but the target user must choose to display images in Atmail before XSS can be triggered. So we have to use tags that don't require user interaction to render content, so we can improve the quality of the Payload.

Next, I started to investigate how Atmail clears Payload. Atmail To filter the content of the email and display syntactically correct markup information in the user browser, Atmail will

The characters and HTML attributes in the tag are modified. After researching Atmail, I found that Atmail only accepts src, alt, longdesc, style, height, and width attributes, and I also noticed that Atmail converts single quotes to double quotes, removes onerror events, and removes all attributes that do not contain src attributes.

Labels.

Although the onerror event has been removed, if you can

Using both single and double quotes in the tag may bypass Atmail's filtering mechanism. Obviously, this is feasible:

Here is what appears in the Web mail client: