How-to send HTML email, XSS testing WebMail systems

Posted: January 14, 2011 in Uncategorized

If you come across a WebMail system that supports HTML email (no JavaScript) like GMail, Y! Mail, and Hotmail, then it’s extremely helpful to know how exactly to send HTML email to test those anti-XSS filters. I don’t recall seeing a how-to on the subject anywhere in the webappsec circles. To send arbitrary HTML email, laced with filter evading JavaScript, requires only a specially crafted text file and a *unix command line. Copy / Paste the following into a plain text file (email.txt):
MIME-Version: 1.0
From: your.name
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: INSERT_SUBJECT

INSERT WHATEVER HTML/JAVASCRIPT CONTENT

.
The trailing dot is not a typo, it terminates the end of the message so make sure the file always ends with it. Second, leave the Content-Type, Content-Transfer-Encoding, and MIME-Version headers as they are. Beyond that, you are free to modify and insert your HTML/JavaScript injections wherever you’d like including the email subject and content body. You can also spoof the return email address and add arbitrary email headers using the same format. Once you got something to want to send, well email, type this Unix command:

> sendmail -t email_recipient@domain.com < email.txt

The -t flag is where you want to send the email to and redirect in whatever you named your email text file to sendmail. That’s it!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s