Tuesday, January 11, 2011

How-to send HTML email, XSS testing WebMail systems

If you come across a WebMail system that supports HTML email (no JavaScript) like GMail, Y! Mail, and Hotmail, then it's extremely helpful to know exactly how to send HTML email to test those anti-XSS filters. I don’t recall seeing a how-to on the subject anywhere in the webappsec circles. Sending arbitrary HTML email, laced with filter-evading JavaScript, requires only a specially crafted text file and a *unix command line. Copy / paste the following into a plain text file (email.txt):
MIME-Version: 1.0
From: your.name
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: INSERT_SUBJECT

INSERT WHATEVER HTML/JAVASCRIPT CONTENT

.
The trailing dot is not a typo; it terminates the message, so make sure the file always ends with it. Second, leave the Content-Type, Content-Transfer-Encoding, and MIME-Version headers as they are, and keep the header lines together: the first blank line marks the end of the headers and the start of the body. Beyond that, you are free to modify and insert your HTML/JavaScript injections wherever you’d like, including the email subject and content body. You can also spoof the return email address and add arbitrary email headers using the same format. Once you have something you want to send, well, email it by typing this Unix command:

> sendmail -t email_recipient@domain.com < email.txt

The address after the -t flag is where you want to send the email, and the input redirect feeds whatever you named your email text file to sendmail. That’s it! Happy XSS hunting!
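As an added example (not part of the original post), a small POSIX shell script that builds the message above from parameters instead of by hand. It adds a To: header (an assumption on my part, since sendmail's -t reads recipients from the To:/Cc:/Bcc: headers), keeps the header block contiguous, and refuses a body that contains a line consisting of a single ".", which sendmail without -i would treat as the end of the message and silently truncate the test case. The addresses, subject and sample body are constructed.

```shell
#!/bin/sh
# Build the RFC 822 message from the post (headers, blank line, HTML body,
# terminating "."), ready to pipe into sendmail. All names are assumptions.
set -eu

# build_message FROM TO SUBJECT BODY_FILE
# Prints the complete message to stdout. Fails if the body contains a lone
# "." line, because sendmail (without -i) would stop reading there.
build_message() {
    from=$1; to=$2; subject=$3; body=$4
    if grep -qx '\.' "$body"; then
        echo "build_message: body contains a lone '.' line; message would be truncated" >&2
        return 1
    fi
    # Headers must be contiguous: the first blank line ends the header block.
    printf 'MIME-Version: 1.0\n'
    printf 'From: %s\n' "$from"
    printf 'To: %s\n' "$to"
    printf 'Content-Type: text/html; charset=us-ascii\n'
    printf 'Content-Transfer-Encoding: 7bit\n'
    printf 'Subject: %s\n' "$subject"
    printf '\n'
    cat "$body"
    printf '\n.\n'
}

# send_message TO MESSAGE_FILE: hand the finished message to sendmail exactly
# as in the post. Not invoked below, so the script runs without an MTA.
send_message() {
    sendmail -t "$1" < "$2"
}

# Constructed sample body: a harmless marker element, enough to see whether
# the webmail client renders it as HTML or shows it as escaped text.
body=$(mktemp)
printf '<p>filter-test <b id="marker">bold</b></p>\n' > "$body"
out="${TMPDIR:-/tmp}/email.txt"
build_message 'tester@example.com' 'inbox@example.com' 'filter test' "$body" > "$out"
rm -f "$body"
echo "message written to $out"
```

Run `send_message inbox@example.com "$out"` (with a real recipient) to deliver the generated file.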

5 comments:

alla said...

Taking that a step further, we have used RSnake's XSS Cheat Sheet for payloads and perl for automation, and ended up with Excess2 - webmail XSS tester.

oxdef said...

It can also be done using MITM proxy tools like Burp and w3af. Simply intercept the HTTP request (sending mail) and add the necessary payload.

Soroush said...

oxdef: we definitely need a system which doesn't have any filtration in sending the messages. Therefore, we should not use Gmail to send an arbitrary text/html if we want to have an accurate test.
The method described here doesn't need any programming skill. However, if you can write your own application, you can write an OS-independent special fuzzer.
Jeremiah: Although you are not talking about a complete test here, I think it would be useful to say it. For example: several years ago, YahooMail had an XSS vulnerability which was exploitable by sending an HTML file with Plain/Text encoding with another extension such as ASP. I think everything should be tested (all header variables, attachments, encoding, non-header variables, and so on).

Matthew said...

We recommend that you create email accounts on widely used email services such as AOL, Gmail, Hotmail, and Yahoo and send a test copy of your HTML email to yourself.

Annie Monie said...

The next thing a subscriber will see is the body content of the email itself. This is of course the most complex part of the email and can include all manner of factors ranging from the text copy, to the layout and colours as well as the formatting and content. Once again it is wise to send out a split test campaign to test the waters. Many companies these days are doing split testing to see whether their rich media HTML mailers are faring better than plain text mailers. This is due to the increasing popularity of mobile email and the fact that HTML mailers often don't display well or even at all on some smart phones.
