Security Basics mailing list archives
Re: Web Mail Vulnerabilities
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: 16 Oct 2002 11:42:25 -0700
Almost sounds like you're considering Outlook Web Access from the limited information given. Every web application, whether it be a web mail system or other, is vulnerable to every web application attack currently known. From XSS, to SQL injection, to Parameter Tampering, etc. There are a myriad of possible attack vectors and variants between them. The only question remaining is the technology used and the risk severity specific to each app.

As far as web mail specifically, which I group together with message boards, on-line auctions, etc. into the same category. Apps that many people cohabitate and exchange client driven data. These types of web app are especially vulnerable to client-side attacks such as XSS as well as logical attacks. XSS is prevalent everywhere and, as just about anyone can attest, it's extremely hard to prevent effectively in a large or feature rich web app, such as web mail.

Certain measures can be taken to limit the risk involved in having your organization rely on web mail, but in the end I believe it's still a large risk that needs to be weighed in the overall scheme of the current infrastructure.

Regards,
Jeremiah-

On Tue, 2002-10-15 at 13:01, Link, Jennifer wrote:
We are looking at providing mail access via internet connection (home, internet cafe, library etc.) and I'm trying to research what vulnerabilities exist for such access. Any websites, books or personal experience you could provide would be VERY VERY helpful. I'm just getting started so all tid-bits are welcome!!

Jennifer M. Link
Phone: 703-602-8384
Fax: 703-602-7854
email: link.jennifer () mail navy mil