Webmail Service vulnerabilities

[Dimitri Borjac <dimooo () gmail com>]

Hi folks!

I'm trying to list the different vulnerabilities a classical Webmail
service could present.

I didn't find any specific documentation regarding this particular
type of service, but some flaws common to multiple webapps could
theoretically affect it.

Among them I have listed so far : XSS and XST (script and form
injection), CSRF, session hijacking (based on cookies, session ids,
...), any kind of parameter manipulation.

Has any of you already performed an audit of such a service ? Or based
on your experience over webapps security, do you see any other vuln
this service could present?

Thanks a lot for your suggestions or recommandations !

-dimo