Search for notes by fellow students, in your own course and all over the country.

Browse our notes for titles which look like what you need, you can preview any of the notes via a sample of the contents. After you're happy these are the notes you're after simply pop them into your shopping cart.

My Basket

You have nothing in your shopping cart yet.

Title: Hacking
Description: It's a complete notes on ASPmail spoof of Ethical Hacking

Document Preview

Extracts from the notes are below, to see the PDF you'll receive please use the links above


NGSSoftware Insight Security Research

A NGSSoftware Insight Security Research Publication

E-mail Spoofing and CDONTS
...
com)
9th January 2002
www
...
com

1

NGSSoftware Insight Security Research
[Abstract]
Many IIS web servers running ASP applications will use the CDONTS
...
This paper will examine how the
CDONTS
...
This paper is written to show ASP developers the importance of client input validation and
that without it even the most seemingly innocuous code can become dangerous
...
NEWMAIL
...
A typical ASP page that uses the
CDONTS
...
Newmail")
objNewMail
...
com"
objNewMail
...
QueryString("email")
objNewMail
...
Body = "Please find attached the newsletter
...
AttachFile "c:\newsletter
...
txt"
objNewMail
...
NEWMAIL object and the remainder of the
code sets some of its properties with the last line calling the
...
The CDONTS
...
To receive a copy of the
news letter a user would go to a URL on the web server similar to
http://www
...
com/newsletter
...
com
As can be seen from the code the email parameter in the query string is passed straight to the
CDONTS
...
To property
...


...
com
rcpt to: david@ngssoftware
...


...
However, had the email address been entered with the relevant SMTP
commands and newline characters such as
http://www
...
com/newsletter
...
com%0D%0Adata%0D%0ASub
ject:%20Spoofed!%0D%0A%0D%0AHi,%0D%0AThis%20is%20a%20spoofed%20email%0D%0
A
...


...
com
rcpt to: victim@spoofed
...

quit
In this way a spoofed e-mail has been sent using the NEWMAIL object
...


[Impact]
As can be seen it is a trivial task for an attacker to send an arbitrary e-mail from the web server
...
For example, they could spoof a press release (seemingly) from company
...
By
looking at the e-mail's properties the source would indeed be from company
...
This kind of
attack can have the most damaging effect on businesses
...
2 billion of its
total market capitalization due to a spoofed press release and in March 2001 a Hong Kong law
firm was the victim of a spoofed e-mail that stated one of their cleaners had been murdered
...

[Resolution]
With all aspects of an online web application it is imperative to ensure that all client side input is
validated
...
To make safe client input for CDONTS
...
Whilst these characters have no
effect on the safety of the CDONTS
...
To replace a character in an ASP application the
Replace( ) function can be used
...
To property
...
From or
...
It
is important to ensure that before client side input is embedded in these properties that it is made
safe
Title: Hacking
Description: It's a complete notes on ASPmail spoof of Ethical Hacking