Wednesday, January 22, 2014

Kriss Kross Site Scripting in Ability Mail Server - CVE-2013-6162

Cross Site Scripting

Cross Site Scripting (XSS) is a type of attack where an attacker can have a legitimate website or web application send a payload, usually JavaScript, to their user's browsers. The user's browser will then receive this payload and execute whatever it may be. Essentially, the attacker is taking advantage of the fact that the browser is going to trust that whatever the web application is sending is trustworthy and will execute it with no questions asked. Cross Site Request Forgery (CSRF) is the opposite of this where the web application will trust that whatever actions the user's web browser is requesting to perform are trustworthy and will execute them with no questions asked. We'll get to CSRF in a later post. You can read more about XSS and its various flavors here.

Anyways, XSS is often disregarded as low impact because the quintessential XSS proof of concept is usually throwing up an alert box. Big whoop. Well, not so fast...It is number three on OWASP's Top 10 (CSRF is number 8) so there's gotta be more to it. Let's dig in.


CVE-2013-6162 is a XSS vulnerability I discovered in Ability Mail Server 3.1.1. It's a fairly simple XSS vulnerability to demonstrate, but I think it serves as a good example of what kind of impact XSS can have. After installing Ability Mail Server (AMS) and installing the webmail component of AMS, we created a victim account to do our testing on.

First things first, we will fuzz the various fields of an email. This can range from injecting JavaScript in the From, To, Subject, Date, etc. fields and seeing if you can trigger an alert box. Eventually we try injecting into the body of the email 

Once we run that script we log in with the victim account and view the email.

Success! We've been able to get the browser to execute JavaScript of our choosing.

Now, the normal XSS attack involves dumping the user's cookie and attempting to login as the user via a replay attack. Unfortunately, I didn't get a cookie when I attempted this. So, what else could we do? I never attempted using BeEF via XSS, only through the demo site so I decided to check it out. BeEF is a tool that you can use to execute commands against a victim's browser. The main stipulation is that the user must load the hook.js script which allows all of the magic. BeEF is a really great tool and you can read more about it here. I updated my proof of concept to load the hook.js script, fired up BeEF in Kali, and fired away.

Upon opening the email...


I have not had the opportunity to load BeEF via XSS before so this was a new wrinkle.

While this CVE deals with XSS and violating the trust that a browser has in a website, I was able to leverage this vulnerability into a CSRF attack. I'll detail that in another post.


  1. Is this some kind of a cyber virus for windows?. How can we all protect our systems from this dangerous virus if it is one?.

  2. Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a Front end developer learn from Javascript Training in Chennai . or learn thru Javascript Training in Chennai. Nowadays JavaScript has tons of job opportunities on various vertical industry. JavaScript Training in Chennai

  3. Its a wonderful post. You have shared detailed description of the substance which is quite helpful for the students. Anyways, the students looking for their homework help can get in touch with paper writing service.

  4. I have been looking for this information for the whole day. I didn't even think that I will find it. Fortunately, I did it.

  5. I really enjoy reading of your article. I wanted to inform you that you have people like me who appreciate your work. no wifi games

  6. Confront your cheating spouse with evidence, i was able to spy on my cheating ex phone without finding really helped me during my divorce can contact BESTAPPSHACKERS@GMAIL.COM) call and text him whatsapp +1(602) 609-4730 for spying and hacking social networks, school servers, icloud and much more, viber chats hack, Facebook messages and yahoo messenger, calls log and spy call recording, monitoring SMS text messages remotely, cell phone GPS location tracking, spy on Whats app Messages, his services are AFFORDABLE .............179800

  7. I am Leah Hart I live in Ohio USA I’m 32 Years old, am so happy I got my blank ATM card from united hacking company  blank ATM card that can withdraw $5,500 daily. I got it from him  last week and now I have withdrawn about $15,000 for free. The blank ATM withdraws money from any ATM machines and there is no name on it because it is blank just your PIN will be on it, it is not traceable and now I have money for business, shopping and enough money for me and my family to live on.I am really glad and happy i met united hacking company  because I met Five persons before him and they could not help me. But am happy now united hacking company  sent the card through DHL and I got it in two days. Get your own card from him right now, he is giving it out for small fee to help people even if it is illegal but it helps a lot and no one ever gets caught or traced. I’m happy and grateful to the united hacking company   because he changed my story all of a sudden. The card works in all countries that is the good news contact. email address: