Domain User Credentials access via OWA XSS
Jul 07 2003 09:19PM
Hugo Vázquez Caramés (overclocking_a_la_abuela hotmail com)
In my previous post about OWA XSS I talked about Cross
Site Scripting in the attachment field of a mail. The
XSS is not in the attachment, it is in the body of the
Sorry, I need to sleep...
Please notice: not in the attachment, in the BODY.
To make it easier to understand, I have just published on
my site (www.infohacking.com) a report explaining how
to reproduce this bug in a real environment with a
proof of concept exploit.
Our code is able to exploit the XSS on the Outlook Web
Access to show the user cookie and the Windows domain,
username and password in cleartext.
Hugo Vázquez Caramés & Toni Cortés Martínez
Infohacking Research 2003
Copyright 2010, SecurityFocus