RE: Webmail Service vulnerabilities

["Scovetta, Michael V" <Michael.Scovetta () ca com>]

Dimo,
   A webmail service is just a web application, and could be vulnerable
to anything that a general application could be (injection, hijacking,
bad crypto, etc). Take a look at the OWASP "top ten" (owasp.org) and go
from there. 

In particular, if the webmail service exposes additional points of
contact (web services, pop, etc), then you need to pen-test those points
too. Specific to a webmail application, you need to be particularly
careful about XSS and broken authentication, as those would likely be
the first to be attacked. 


Michael Scovetta
Computer Associates
Senior Application Developer

-----Original Message-----
From: Dimitri Borjac [mailto:dimooo () gmail com] 
Sent: Tuesday, January 04, 2005 8:27 AM
To: webappsec () securityfocus com
Subject: Webmail Service vulnerabilities

Hi folks!

I'm trying to list the different vulnerabilities a classical Webmail
service could present.

I didn't find any specific documentation regarding this particular
type of service, but some flaws common to multiple webapps could
theoretically affect it.

Among them I have listed so far : XSS and XST (script and form
injection), CSRF, session hijacking (based on cookies, session ids,
...), any kind of parameter manipulation.

Has any of you already performed an audit of such a service ? Or based
on your experience over webapps security, do you see any other vuln
this service could present?

Thanks a lot for your suggestions or recommandations !

-dimo