Hello, welcome to the Monday, December 19th, 2016 edition of the Sandsenet Storms,

on a stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

We've got yet another webmail cross-site scripting exploit, and I keep saying webmail is really one

of these real hard-to-secure systems systems given that it has to be able to display a variety of HTML email messages correctly within the web page.

The latest victim here is Verizon's webmail system and what I really like about this write-up is not so much that they actually found the vulnerability,

but how they found it.

They really go into quite a bit of detail how you sort of systematically probe for different

HTML entities and HTML tags that are allowed, are not allowed, and how you go from there to actually finding

an exploit against a particular cross-side scripting vulnerability.

So if you're a pen tester, take a look at this and see some of the methods that are being

used here.

If you are a developer, of course, then take this particular test.

They're running here and try it against your own site before someone else does.

A lot of recent exploits, of course, take advantage of PowerShell, and then they use PowerShell to download

additional malware, or in some cases even

exfiltrate data straight using PowerShell. The problem has been that of course

PowerShell is a legitimate binary that you have on your system and as such some

white listing techniques don't work but Tom now has an interesting configuration option for the Windows firewall that allows you to selectively block connections made by PowerShell.

So once you enable this rule, then PowerShell is no longer allowed to enable or to set up a network

connection, breaking a lot of these exploits that are trying to download additional components.

This may of course also affect some legitimate PowerShell scripts, so make sure you test this

careful in your environment.

...