MBSD Security Insight

SMTP Injection via recipient email addresses

SMTP Injection is an attack technique that injects attacker-controlled SMTP commands into the data transmitted from an application (typically a web application) to an SMTP server for spamming purposes.

Within this class of attack, techniques that manipulate message content (the body or headers) have been published and are well known in the security community. That previous research is well covered on WASC's page.

Mitsui Bussan Secure Directions, Inc. (MBSD) has conducted research on this topic and discovered a new attack technique that uses crafted recipient email addresses. This paper first describes the attack mechanism and then explains vulnerability examples in email libraries on Java, Ruby, PHP and other platforms. Other attack techniques and countermeasures are discussed in the following chapters.


A few RPO exploitation techniques

RPO (Relative Path Overwrite) is an elaborate attack technique publicized by Gareth Heyes in 2014. In essence, the attack uses a crafted URL (typically one with a PATH_INFO) to force the target Web page to load itself as a stylesheet, when that page contains both relative stylesheet references and attacker-controllable content.

In June 2015, MBSD conducted research on this topic and discovered some new attack techniques. In this paper, we first describe path manipulation techniques specific to certain client / server environments. We then cover several miscellaneous technical topics: a technique to forcefully enable IE's CSS expression using CV, the possibility of attacks on non-stylesheet relative URLs, and a related vulnerability discovered in the CakePHP framework. The final section describes countermeasures.

Note that this paper is not an extensive or detailed guide to RPO; it focuses on new techniques. More extensive and detailed information on RPO can be found in the original blog post and PortSwigger's blog.


Identifier based XSSI attacks

Cross Site Script Inclusion (XSSI) is an attack technique (or a vulnerability) that enables attackers to steal data of certain types across origin boundaries by including the target data with a SCRIPT tag in an attacker's Web page, as below:

<!-- attacker's page loads external data with SCRIPT tag -->
<SCRIPT src="http://target.example.jp/secret"></SCRIPT>

For years, Web security researchers have known that JavaScript files, JSONP and, in certain old browsers, JSON data are subject to this type of information theft through XSSI. In addition, some browser vulnerabilities that allowed attackers to gain information via JavaScript error messages have been discovered and fixed in the past.

In 2014, we conducted research on this old topic and discovered some new attack techniques and browser vulnerabilities that allow attackers to steal simple text strings such as CSV and, under certain circumstances, more complex data. In the research, we mainly focused on a method of stealing data as a client-side script's identifier (a variable or function name).

In this paper, we first describe these attack techniques / browser vulnerabilities in the next section and then discuss countermeasures for these issues.


Attacking Android browsers via intent scheme URLs

An intent scheme URL is a special type of URL that enables Web pages to launch activities of installed Android apps. Most of the major browsers for Android support intent scheme URLs.

In general, intent scheme URLs bring security risk, as they give malicious Web pages a chance to conduct intent-based attacks against installed apps. Browsers therefore take measures to reduce the risk, but these measures are not necessarily enough.

In this report, we first explain what an intent scheme URL is, then present three examples of vulnerabilities in Android browsers related to intent scheme URLs (including cookie file theft and universal XSS), and lastly show the countermeasures for these vulnerabilities.


FilterExpression Injection attacks against ASP.NET applications

FilterExpression is a SQL-like filter language built into the ASP.NET framework. As with SQL, injection attacks are possible if an application uses FilterExpression improperly, which can result in data leakage under certain situations. We call such a vulnerability or attack “FilterExpression Injection”, and we present its mechanism, impact, detection method and countermeasure in this paper.

From a pentester's viewpoint, FilterExpression Injection is troublesome because at a glance it looks almost the same as SQL Injection. We think it is necessary for pentesters to understand the mechanism of FilterExpression Injection and to distinguish it properly from SQL Injection, both to avoid wasting time during a pentest and to evaluate the risk of detected issues more accurately (usually the risk of FilterExpression Injection is lower than that of SQL Injection).

Experienced security folks may already understand what FilterExpression Injection is like, but we decided to publish this paper because there is little information about the security of FilterExpression on the Web.
