Hello and welcome to the Friday, January 24th, 2020-5 edition of the Sands and at Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

In Diaries today, we got something a little bit different.

It's for a change not honeypot data, but emails that actually went to one of our Internet

Storm Center email addresses that attempted to exploit cross-site scripting vulnerabilities.

It's not clear exactly which cross-site scripting vulnerability tried to exploit.

They embedded JavaScript in particular in the subject and then also in the body of

the email.

But more likely than not, they went after some kind of webmail systems vulnerability.

I always point out when we're covering cross-site scripting in the defending web application

class, that a webmail system is probably one of the most difficult systems to write when

it comes to cross-site scripting, given that email is usually these days expressed in HTML,

and you have to then include the HTML from the email

inside the HTML of the web application and keep the two separate.

There are some tricks that you can use these days in modern browsers, like sandboxed

eye frames and the like.

But still recently we had, for example, this interesting vulnerability in proton mail.

It's not easy to get this right.

So no surprise that attackers are going after it. And in the past, if some open source systems had vulnerabilities like this, well, they were often very quickly exploited.

So if anybody can help me out and figure out what exact vulnerability they're trying to exploit here.

Let me know.

Also interesting, in order to detect whether or not the exploit worked, they used a website called XSS, so cross-site scripting, dot report.

...