Wednesday, January 22, 2014

Kriss Kross Site Scripting in Ability Mail Server - CVE-2013-6162

Cross Site Scripting

Cross Site Scripting (XSS) is a type of attack where an attacker can have a legitimate website or web application send a payload, usually JavaScript, to their user's browsers. The user's browser will then receive this payload and execute whatever it may be. Essentially, the attacker is taking advantage of the fact that the browser is going to trust that whatever the web application is sending is trustworthy and will execute it with no questions asked. Cross Site Request Forgery (CSRF) is the opposite of this where the web application will trust that whatever actions the user's web browser is requesting to perform are trustworthy and will execute them with no questions asked. We'll get to CSRF in a later post. You can read more about XSS and its various flavors here.

Anyways, XSS is often disregarded as low impact because the quintessential XSS proof of concept is usually throwing up an alert box. Big whoop. Well, not so fast...It is number three on OWASP's Top 10 (CSRF is number 8) so there's gotta be more to it. Let's dig in.


CVE-2013-6162 is a XSS vulnerability I discovered in Ability Mail Server 3.1.1. It's a fairly simple XSS vulnerability to demonstrate, but I think it serves as a good example of what kind of impact XSS can have. After installing Ability Mail Server (AMS) and installing the webmail component of AMS, we created a victim account to do our testing on.

First things first, we will fuzz the various fields of an email. This can range from injecting JavaScript in the From, To, Subject, Date, etc. fields and seeing if you can trigger an alert box. Eventually we try injecting into the body of the email 

Once we run that script we log in with the victim account and view the email.

Success! We've been able to get the browser to execute JavaScript of our choosing.

Now, the normal XSS attack involves dumping the user's cookie and attempting to login as the user via a replay attack. Unfortunately, I didn't get a cookie when I attempted this. So, what else could we do? I never attempted using BeEF via XSS, only through the demo site so I decided to check it out. BeEF is a tool that you can use to execute commands against a victim's browser. The main stipulation is that the user must load the hook.js script which allows all of the magic. BeEF is a really great tool and you can read more about it here. I updated my proof of concept to load the hook.js script, fired up BeEF in Kali, and fired away.

Upon opening the email...


I have not had the opportunity to load BeEF via XSS before so this was a new wrinkle.

While this CVE deals with XSS and violating the trust that a browser has in a website, I was able to leverage this vulnerability into a CSRF attack. I'll detail that in another post.


  1. Is this some kind of a cyber virus for windows?. How can we all protect our systems from this dangerous virus if it is one?.

  2. Its a wonderful post. You have shared detailed description of the substance which is quite helpful for the students. Anyways, the students looking for their homework help can get in touch with paper writing service.

  3. I have been looking for this information for the whole day. I didn't even think that I will find it. Fortunately, I did it.

  4. I am Leah Hart I live in Ohio USA I’m 32 Years old, am so happy I got my blank ATM card from united hacking company  blank ATM card that can withdraw $5,500 daily. I got it from him  last week and now I have withdrawn about $15,000 for free. The blank ATM withdraws money from any ATM machines and there is no name on it because it is blank just your PIN will be on it, it is not traceable and now I have money for business, shopping and enough money for me and my family to live on.I am really glad and happy i met united hacking company  because I met Five persons before him and they could not help me. But am happy now united hacking company  sent the card through DHL and I got it in two days. Get your own card from him right now, he is giving it out for small fee to help people even if it is illegal but it helps a lot and no one ever gets caught or traced. I’m happy and grateful to the united hacking company   because he changed my story all of a sudden. The card works in all countries that is the good news contact. email address: 

  5. Never met any hacker as discreet and fast like this Best System Hackers. They are called WhiteHats and they has helped me in multiple ways first was when my ex spouse cheated on me- they got me every information from my spouse phone number and now they are helping me paying my credit cards debts. They have the best hacking tools plus service any one can ever imagine and I recommend him to the world. I am thankful and grateful for the second chance. Honestly, Best System hackers are life savers please contact them here if you need their swift service Email; or text him on WhatsApp +1 (559) 851-5537 he is very trustworthy.

  6. Wow this is awesome, very interesting article. I can imagine the energy and inspiration you have invested on this powerful combination of words. Many articles I come across these days do not really dive this deep to make it clear to their audience as you did. But believe me the way you interact is literally 100% perfect. I will instantly grab your rss feed to stay informed of any updates you make on your blog and as well take the advantage to demonstrate
    5 WAYS TO SPOT A FAKE DRIVERS LICENSE WITH NO DMV RECORD which many people are ignorant of when ordering fake documents online. Not over demanding I will also take the advantage to ask for your permission to join our 179.3k members TELEGRAM GROUP
    to share with us your ideas or any latest update on your blog.
    Thanks I am Scott from Globex, we are expecting you on our platform

  7. Knowit ERP provide erp software for steel rolling mill. we provides many capabilities specifically targeted to integrated mills, mini-mills, and rolling mills.
    Manufacturing software
    ERP solutions for steel coils industry
    Metal fabrication ERP software
    erp software for Steel channel manufacturing in india

  8. An eco-friendly wardrobe with brands that are committed to fair trade can make this world a better place. Check out the handmade ethical clothing at Equal Hands.handmade ethical brands best ethical jewelry brands ecologically sustainable lifestyle brand
    sustainable lifestyle brand

    sustainable women's clothing and accessories
    Ethical home goods

  9. Usually I never comment on blogs but your article is so convincing that I never stop myself to say something about it. You’re doing a great job Man,Keep it up. Meanwhile visit our website for project for nmims

  10. Thanks for sharing such amazing content. Really loved to read such content. Keep posting such content in future as well. Punjab assignment help,

    USA assignment help

  11. Superbly written article. If you are a computer engineer and you don't know what is a putty key generator? Then view our blog about PuttyKey Generator. It will help you to get all knowledge about a putty key.

  12. Do you need your credit fixed in order to qualify for a loan, I recommend 760Plus Credit score. They helped me achieve my long term dream of becoming a home owner. I think they are the best right now; they are highly rated in many credit forums. You can reach out to them today for any credit related issues, thank me later. Contact them via mail at 760pluscreditscore at gmail dot com.