On 20 Nov 2017, at 13:31, Alex wrote:

On Mon, Nov 20, 2017 at 12:58 PM, Axb <axb.li...@gmail.com> wrote:
On 11/20/2017 06:26 PM, Alex wrote:

Hi, we have an email that originated from email.dropbox.com and has a
link to https://hyzas.xss.ht/ which is a "payload to test for
Cross-site Scripting" from the XSS Hunter Team.

Yeah, sure. Or maybe it's a malware vector masquerading as a harmless test. As the very large and very obfuscated script says in comments at the top:

   If you believe that this payload has been used to attempt to
   compromise your service without permission, please contact us
   using https://xsshunter.com/contact.

The registration info for xss.ht includes an embedded <script> tag pointing to another instance of that script on another domain. The registration for that domain has contact addresses in San Francisco, CA but phone numbers in the Grand Rapids, MI area.

I'd be surprised if this was not in fact malicious.

Was it sent in error? How was it sent? I know what XSS is and how it
can be used, but this was reported as malicious, not from a security
professional.

https://pastebin.com/8Q7ZPRQ6


And how is this related to SA?
Maybe you should ask the ppl involved: dropbox.com / testalways.com

I wasn't sure if it wasn't just a case where someone was using the
dropbox service to send spam (in which case a backup mechanism in the
form of a SA rule might be helpful), or if it was some dropbox admin
who made a mistake, etc. It's just an odd email.

The "Dropbox Business" service supports sending invitations to arbitrary addresses, much like many other services. It's abusable, just as LinkedIn, Twitter, Facebook, and others are abusable.
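As an added example that is not part of the thread, this is the kind of local SpamAssassin rule the "backup mechanism" above could take: a `uri` rule that fires when any link in the message body points at the xss.ht domain quoted earlier. The rule name, description and score are assumptions for illustration; the score in particular should be tuned against local mail flow.

```spamassassin
# Added example, not from the thread. Drop into a local *.cf file
# (e.g. /etc/mail/spamassassin/local.cf) and run `spamassassin --lint`.
#
# Matches http(s) URIs whose host is xss.ht or any subdomain of it
# (the thread's example was https://hyzas.xss.ht/). The trailing
# (?:[\/:?#]|$) keeps "xss.ht.example.com" from matching.
uri      LOCAL_URI_XSS_HT   /^https?:\/\/(?:[\w-]+\.)*xss\.ht(?:[\/:?#]|$)/i
describe LOCAL_URI_XSS_HT   Body links to xss.ht (XSS Hunter payload host)
score    LOCAL_URI_XSS_HT   2.0   # assumed score; adjust locally
```

The rule matches the link regardless of which service relayed the message, so it also covers the Dropbox invitation path described above, where the sending domain itself is legitimate and only the embedded link is suspect.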