Intrepidus Group
Insight

Old trick with byte. Bypassing the “Safe HTML” filter.

Posted: April 30, 2010 – 1:46 pm | Author: | Filed under: Phishing, Web Apps

Sending attachments over email can sometimes be a game of getting around content filtering rules, especially when you’re in the security field and you are sending something that may look like a security threat. Recently we found ourselves needing to send out attachments with HTML code to a user who was checking their mail with Outlook Web Access (OWA). Since OWA is a web application that allows Exchange users to read their email, it makes sense that OWA will try to block attachments it detects as malicious. Enter the “Safe HTML” filter.

The Safe HTML filter isn’t meant to protect users from everything; it’s just one of those nice extras to hopefully stop some low-hanging fruit. If it’s your OWA server, you can disable this filter, but we’re not about to recommend that to anyone. We just needed to get our HTML attachment through (I swear officer it’s not malicious, just good clean HTML tags). It didn’t matter what we named the file (foo.gif, bar.doc, baz.foo): if it had HTML in it, the file got truncated when the user attempted to download it. After digging into our bag of old tricks, it was nice to see one come through.

From my days of playing with browser caching options, I remembered an issue with some versions of Internet Explorer where it would only obey META tags regarding caching if you had them within the first 64 KB of the page. Well, using that idea, it turns out that if you pad the start of your attachments with something like 1024 space characters, your HTML attachments download and open just fine in OWA. I imagine someone has done this before, and I would love to see if there is a more thorough review of the Safe HTML filter out there, but for us, it was just a reminder that some tricks don’t die… they just may need a few more or less bytes.
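A defensive check for the padding behaviour described above, as an added example that is not from the original post. The post does not document how the Safe HTML filter works internally, so `prefix_sniff` is a hypothetical stand-in for an inspector that only reads a fixed window; the tag list, window size and padding threshold are assumed values, and the sample attachments are constructed.

```python
import re

# Markup that marks a payload as HTML regardless of its file name (assumed list).
HTML_MARKER = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|meta|img|form|table|div)\b",
    re.IGNORECASE,
)
WHITESPACE = b" \t\r\n\x0b\x0c"


def prefix_sniff(data: bytes, window: int = 512) -> bool:
    """Hypothetical weak check: looks for markup only in the first `window` bytes."""
    return bool(HTML_MARKER.search(data[:window]))


def inspect_attachment(data: bytes, pad_threshold: int = 256) -> dict:
    """Scan the whole payload and report leading whitespace padding.

    A long whitespace run in front of markup has no rendering purpose, so the
    combination is reported separately for mail-gateway triage.
    """
    stripped = data.lstrip(WHITESPACE)
    padding = len(data) - len(stripped)
    is_html = bool(HTML_MARKER.search(data))
    return {
        "is_html": is_html,
        "leading_padding": padding,
        "suspicious_padding": is_html and padding >= pad_threshold,
    }


# Constructed sample attachments (file names follow the post's foo.gif style).
SAMPLES = {
    "plain.html": b"<html><body><p>hello</p></body></html>",
    "padded.gif": b" " * 1024 + b"<html><body><p>hello</p></body></html>",
    "notes.txt": b"   meeting notes, nothing to render\n",
}


def report(samples=SAMPLES) -> dict:
    """Return (prefix_sniff result, full inspection) for each sample."""
    return {n: (prefix_sniff(d), inspect_attachment(d)) for n, d in samples.items()}


if __name__ == "__main__":
    for name, (weak, full) in report().items():
        print(f"{name:12} prefix_sniff={weak!s:5} full={full}")
```

The byte-level pattern only covers ASCII-compatible encodings; a gateway would also need to normalise UTF-16 content before matching.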


One Comment

  1. Mamoru Chiba
    Posted August 12, 2010 at 10:24 am | Permalink

    "If it’s your OWA server, you can disable this filter…"

    How so? I've been looking for a way to kill that damn filter for a while now, and have had no luck. Security isn't a big issue… having our HTML uncorrupted is!

    Can this be done on Exchange 2007, or only in 2010? We're using 2007 at the moment, but would upgrade just to deal with this problem!

    TMMamoru -at- Yahoo -dot- com!
