[Owasp-testing] Question about testing web mail functionality.

Vishal Garg vishalgrg at gmail.com
Fri Aug 14 06:21:34 EDT 2009

Hi All,

I am not sure if this is the right place to ask my question below or not and
my apologies if it's not, but I thought this to be the most appropriate
place for this question.

I was recently testing a web application that had a function where it sends
emails to the users of the application. The from (webapp email address) and
the to (user email address) fields were stored on the client side within
hidden fields and sent back to the server via post parameters. This makes the
application vulnerable to email spamming attacks where an attacker can
change both the to and from fields in the post parameters and inject any
message of his/her choice.

Now I was looking for some more information for this type of attack or a
relevant category that explains this type of attack within OWASP Testing
Guide. The only thing I could find was IMAP/SMTP Injection under Data
Validation Testing but could not find any information that explains the
attack scenario given above.

Does anyone know if this sort of attack has been mentioned anywhere on the
OWASP web site (within the Testing Guide or anywhere else)? I'd really
appreciate it if someone could point me in the right direction.

Thanks in advance.

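The server-side handling the post describes, in its vulnerable form and a corrected form, as an added example that is not part of the original message or of any OWASP material. The user store, the fixed sender address and the shape of the POST dictionary are assumptions made for the example.

```python
# Added example, not from the original post: the notification-mail handler
# the poster describes, vulnerable version beside the corrected one.
# The user store, sender address and POST layout are constructed/assumed.
from email.message import EmailMessage

# Constructed user store: the address the application already holds for
# each authenticated account.
USERS = {"alice": "alice@example.com"}
APP_SENDER = "noreply@webapp.example"  # assumed fixed application sender


def build_notification_vulnerable(post):
    """Trusts the hidden 'from' and 'to' fields posted back by the client.

    Anyone who edits the POST body chooses sender, recipient and text, so
    the application becomes a relay for arbitrary mail (the weakness the
    post describes)."""
    msg = EmailMessage()
    msg["From"] = post["from"]
    msg["To"] = post["to"]
    msg["Subject"] = post.get("subject", "Notification")
    msg.set_content(post["message"])
    return msg


def build_notification_fixed(session_user, post):
    """Takes sender and recipient from server-side state only.

    The sender is a constant, the recipient is the authenticated user's
    stored address, and client-supplied from/to fields are ignored.  The
    subject is still user-influenced, so CR/LF is rejected explicitly to
    rule out header injection (recent email policies refuse it too), and
    the body is set as plain text rather than spliced into raw headers."""
    if session_user not in USERS:
        raise PermissionError("no authenticated user")
    subject = post.get("subject", "Notification")
    if "\r" in subject or "\n" in subject:
        raise ValueError("line break in subject")
    msg = EmailMessage()
    msg["From"] = APP_SENDER
    msg["To"] = USERS[session_user]
    msg["Subject"] = subject
    msg.set_content(post["message"])
    return msg
```

The check to make during a test is simply whether tampering with the hidden fields changes the resulting From/To; with the corrected handler it cannot.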