Paid Advertising
web application security lab

Webmail Auditing tool

Alla Bezroutchko released a tool yesterday to do automated XSS testing against webmail clients. It is heavily based off of the cross site scripting cheat sheet, but ties that in with a series of emails that attempt to override the built in validation engines built into various web-mail implementations. I am literally the first to admit that I have never looked at webmail in depth. The only time I did, in the case of Roundcube I didn’t even have to go past the first page (it’s now been fixed).

Anyway, this sort of tool is pretty critical and probably should be integrated with large scale web-app scanning, since it doesn’t matter how the data ends up there (via HTML POST or by mail is irrelevant). The only thing that matters is that the client can run the JavaScript once they get there. It’s sort of an interesting union where people are tunneling more and more apps over port 80. Webmail is often mis-classified in people’s minds as normal mail, but really it is another web-app with lots more problems waiting to be uncovered. Anyway, it’s interesting tool, and I’m sure it will spawn more conversations.

One Response to “Webmail Auditing tool”

  1. hackathology Says:

    ah, from my company ?? Damn i just noticed it.