Security Basics mailing list archives

Re: Web Mail Vulnerabilities


From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: 16 Oct 2002 11:42:25 -0700


Almost sounds like you're considering Outlook Web Access from the limited
information given.


Every web application, whether it be a web mail system or other, is
vulnerable to every web application attack currently known. From XSS, to
SQL injection, to Parameter Tampering, etc. There are a myriad of
possible attack vectors and variants between them. The only question
remaining is the technology used and the risk severity specific to each
app.


As far as web mail specifically, which I group together with message
boards, on-line auctions, etc. into the same category. Apps that many
people cohabitate and exchange client-driven data. These types of web
apps are especially vulnerable to client-side attacks such as XSS as well
as logical attacks.


XSS is prevalent everywhere and, as just about anyone can attest, it's
extremely hard to prevent effectively in a large or feature-rich web
app, such as web mail.


Certain measures can be taken to limit the risk involved in having your
organization rely on web mail, but in the end I believe it's still a
large risk that needs to be weighed in the overall scheme of the current
infrastructure.


Regards,

Jeremiah-







On Tue, 2002-10-15 at 13:01, Link, Jennifer wrote:
We are looking at providing mail access via internet connection (home,
internet cafe, library etc.) and I'm trying to research what vulnerabilities
exist for such access.  Any websites, books or personal experience you could
provide would be VERY VERY helpful.  I'm just getting started so all
tid-bits are welcome!!

Jennifer M. Link
Phone:  703-602-8384
Fax:  703-602-7854
email:  link.jennifer () mail navy mil



