Cross Fax Scripting - New attack techniques use XSS and Fax Machines to Hack Victims

Dr Craig Wright has described a new attack vector known as Cross-Site Faxing (XSF) that abuses weaknesses in OCR 2.0 anti-phishing technology to bypass commercial anti-CSF appliances such as the i-XSS BloggerShield and UBsecure’s new XRCF Webfender 2.1.

On Nov 18, Dr Craig Wright ( writes to pen-test:

“I have thought of an alternate path to loading a virus bases on a network OCR’d fax server. In the scenario, we have to assume that the system is sending the output to a web front end or HTTP enabled email (not that uncommon).”

Dr Wright subsequently illustrates to the reader what he has previously written using the following hypothetical scenario:

  • The system has no input filters and prints all characters to the email, web app.
  • The OCR engine is highly accurate and does not add spaces etc.
  • The email or web app displays exactly what it received

Dr Craig Wright on Fax Site Scripting Attacks and Web 3.0 “Now given that scenario, we have a possible XSS (cross-site-scripting) attack. If there are no filters for an outgoing connection (i.e. no firewall/proxy that strips scripts) and the client browser/email application allows access to the Internet, the attacker could create a script in the page that makes a call to an external system to download a file … a script could also embed a simple XOR obfuscation key to modify the downloaded code. On the web server it would be inert. When XOR’d with the key in the script (after being downloaded and installed), this will thus bypass the AV server (if there is one) and install the malware on the users system. […] Regards, Dr Craig Wright (GSE-Compliance)”

It is interesting to see this challenge considered by the security community. Are there currently any products we can purchase to scan incoming faxes? What about physical mail? A malicious attacker could embed scripting into an application form that is then printed and sent through snail mail to a recipient mail desk which scans the mail and forwards as a pdf or tiff image to the unsuspecting victim.

This attack is very deadly as it takes advantage of embed or macro or client side exploits against pdf or tiff clients and users. This is a very dangerous attack vector that must be explored, and all security consultants are encouraged to alert the wider community of the dangers of Cross Site Faxing and Cross-Site Postage exploits.