Research

White Papers

SMTP Injection via recipient email addresses

SMTP Injection is an attack technique that injects attacker-controlled SMTP commands into the data transmitted from an application (typically a web application) to an SMTP server for spamming purposes.

This paper describes a newly discovered attack technique that uses crafted recipient email addresses, explains the attack mechanism, and presents vulnerability examples in email libraries for Java, Ruby, PHP and other platforms. Other attack techniques and countermeasures are also discussed.

A few RPO exploitation techniques

RPO (Relative Path Overwrite) is an elaborate attack technique publicized by Gareth Heyes in 2014. The attack uses a crafted URL (typically with a PATH_INFO) to force the target Web page to load itself as a stylesheet, when that page contains both relative stylesheet references and attacker-controllable content.

This paper describes path manipulation techniques specific to some client / server environments, a technique to forcefully enable IE's CSS expressions using CV, attack possibilities against non-stylesheet relative URLs, a related vulnerability discovered in the CakePHP framework, and countermeasures.

Identifier based XSSI attacks

Cross Site Script Inclusion (XSSI) has been known among Web security researchers for years: JavaScript files, JSONP and, in certain old browsers, JSON data are subject to this type of information theft attack. Some browser vulnerabilities that allowed attackers to gain information via JavaScript error messages have been discovered and fixed in the past.

This paper describes new attack techniques and browser vulnerabilities that allow attackers to steal simple text strings such as CSV data and, under certain circumstances, more complex data.

Attacking Android browsers via intent scheme URLs

Most major browsers for Android support intent scheme URLs. In general, intent scheme URLs bring security risks, as they give malicious Web pages a chance to conduct intent-based attacks against installed apps. Browsers therefore take measures to reduce the risk, but these measures are not necessarily enough.

This paper explains what an intent scheme URL is, presents three examples of Android browser vulnerabilities related to intent scheme URLs (including cookie file theft and universal XSS), and describes the countermeasure.

FilterExpression Injection attacks against ASP.NET applications

FilterExpression is a SQL-like filter language built into the ASP.NET framework. As with SQL, injection attacks are possible if an application uses FilterExpression improperly, which can result in data leakage under certain circumstances. This paper presents “FilterExpression Injection,” its mechanism, impact, detection method and countermeasure.
